I want to prevent anyone from apk reverse compilation. We need to do something. I browsed on the internet, but I still don't know the operational steps clearly.
Who can tell me how to do it?
Anyone's help is so welcome!! Thanks!!
You need an obfuscator. If you are running .NET or Java, these should be easy to find.
There is nothing to prevent people from decompiling your code. All you can do is make it as nasty to read as possible. Don't do this in source (as you will not be able to modify your code yourself), use an obfuscator to do it as a post build step.
Google recommends ProGuard. See this link in the Android docs for more information.
It won't prevent people from disassembling your code (you won't be able to stop that - after all, the operating system needs to disassemble your code to execute it!), but it will make it very hard to see what's going on.
Related
I have given up trying to get Proguard to work on either Eclipse or Android Studio. The docs are arcane and whatever I try, the Proguard obfuscated apk blows. Also questions regarding Proguard don't get much attention on this forum.
Standard Android apk files are designed to almost invite reverse engineering and I'm looking for some ways to protect my code. Not all my code just some methods.
Before I started writing Android apps, I wrote apps in C and in C# and I'm familiar with both of those languages and actually prefer either of them to Java so I've recently been reading about the NDK.
Of course the NDK is about speed but I'm wondering if it also would help protect my code against reverse engineering and inspection from hackers. I understand that it is "compiled" code so I imagine that the source code would not be visible.
Am I barking up the right tree?
Thanks,
Dean
This depends on what kind of protection you are looking for. If that is a revolutionary algorithm that will allow you do some very popular task much much faster than it takes today, then your code will be reverse engineered, no matter how you obfuscate it; you need patent protection. If you want to hide some unfriendly behavior (like spying on your users), it will be discovered. So don't do it. If you want to protect some protocol of client-server communication, it may be subject to easy attack elsewhere.
But in some cases going C++ does really help; it may be easier to distribute a monolithic shared library "black box" than to deal with Java API. I don't think obfuscation can work on code that you sell as library.
When we were selling a huge communication SDK, we followed this approach, and all our Java code was simply open to customers (part was intended to be changed/customized, but some classes carried a warning in the header "Please don't modify this class, there is very high chance that the product will not work properly if you mess with it".
Native C code is harder to decompile but it can be decompiled easily using the right tools.
Especially if you only develop small parts in C and then communicate with it using JNI which is a clear interface, anybody who decompiles your app can also use it. Who needs to know how your code works if you can simply execute it?
Conclusion: native code can be harder to decompile. But usually the only difference is that you need different tools and you need more knowledge & practice to decompile. Also modifying something is usually more complex.
Just implementing some methods in NDK alone will not likely help a lot. However, the resistance to reverse engineering can be improved if you also apply obfuscation and even run-time protection techniques to your NDK code. A simply web search gives a list of free tools. You could also work with commercial solution providers like Arxan. In addition, the level of obfuscation can generally be improved if you put more logic of your app in native code.
Yes if you use the NDK you can make it very difficult to reverse engineer your code and it is unlikely anybody would try.
I have a apk file built with corona. I need to edit the images. I don't have source code. Is there any way to decompile this to get the exact source code?
This is bad. Dont do it.
This is unnecessary. Modifying images doesnt require getting the code. The best option is to use ApkTool. Heres a quick guide, though I am not sure how old it is. If it doesnt suit you, find something else on Google. http://androidforums.com/esteem-all-things-root/520917-guide-how-properly-decompile-recompile-apks-apktool.html
Redistributing the apk after may be illegal. Look into this first.
Final note - See #1. This is bad. Dont decompile other peoples apps with the intention of modifying and reusing. Write your own app.
ApkTool - https://code.google.com/p/android-apktool/
I'm developing an android application for my client. He wants me to submit the apk to him for testing. I almost finished the application and i want to implement some kind of security to make sure that my client doesn't cheat me, until the payment is done.
Is there any way to implement any kind of security in the code?
If you just need to send him/her the apk, you should obfuscate your source code . You can refer to this link——http://developer.android.com/tools/help/proguard.html,If you have finished it ,you needn't worry too much since the source code is in your hand and it's hard to get the source code by reserving. Besides your project has not finished . Last, even if your project is finished , it still works.
Did you ever hear of Proguard? This feature that you want is called Code obfuscation. Like pointed out in the comments, this is a duplicated question.
This library on github called AndroidTimeLock might be useful. It's specifically designed for sending a dev/test build that will expire and stop working. Of course if the person in question is technical and determined they could decompile the app, remove the timelock check and recompile.
Adding code obfuscation proguard (or as I prefer the paid DexGuard) would of course increase the difficulty of this.
You can make your core code builded a dex-format file.Then use some algorithms such as RC5 and others to encrypt your dex file.At last ,put the dex file in Asset file.Then when your project need the core code,you can dynmic loading/.
I have compiled almost all security vulnerabilities and what measures to take before submitting your application to the play store. You can have a look here.
So I published my android app, I proguarded it, applied LVL and even changed some of the LVL code but offcourse, I found it cracked somewhere using a tool called Lucky Patcher. I am not going to ask how can I protect against 1 click tools like that, as I guess there is no single answer ( unless you have an idea and can point me toward).
I need to ask you to help figure out how my code was cracked. I understand that this tool takes APK file and removes licensing. Now given that, how can I take this APK file and reverse engineer it back to Java files to see how the tool cracked my code (so I fix it)
Please help me
Thanks
After Proguard, there's no way to decompile your code into humanly-readable Java.
While it makes the reverse engineering process more difficult, it's not impossible for a clever reverser to figure out the hidden algorithm.
As for tools,
Use android-apktool to decompile to smali and extract all the encoded xml resources.
Use dex2jar to translate Dalvik into jar
and finally jd-gui to see the resulting reversed java code
There's a lot of info here on how to go from a DEX file back to Java source. Also, have you looked at this blog post which addresses many of the ways to protect your source?
piracy is a big issue , and i don't think that any platform or OS can be fully protected from it .
however , google already made some tutorials regarding protection against it , for example:
http://www.google.com/events/io/2011/sessions/evading-pirates-and-stopping-vampires-using-license-verification-library-in-app-billing-and-app-engine.html
also:
http://android-developers.blogspot.co.il/2010/09/securing-android-lvl-applications.html
i think that you can also put some sophisticated obstacles using C instead of java.
also , as google suggests, consider using a different approach : make the core features free , and make the rest purchaseable via in-app billing . you can also add ads and a feature to remove them by in-app billing as well .
I was thinking about this and it seems like if you really wanted to secure your application from hackers there is really only 1 way to do it. You can implement all kinds of fancy methods of insuring your application is licensed and paid for as described in the google article but all it takes is a good hacker to decompile your application and find where the code is and then comment it out or change a function to always return true.
Instead, implement some portion of your application that is required for use in jni/ndk, and check for validation in that code. It doesn't have to be extremely complicated code but you can't just put something like a function (eg. checkValidity) as a user could easily comment the java call that calls into the ndk. Instead you should make some call to your ndk to actually do something that is non-trivial for your application to run -- something the user can't just comment out or switch out with a defined function that does the same thing. From within the ndk code do the verification of your application's integrity/licensing and if it fails kill the application or whatever you need to do.
In order to bypass this the hacker would need to re-implement the ndk code or reverse engineer it.. Which should be much more complicated and not worth while.
This obviously isn't a simple solution and still won't guarantee your application never gets hacked, but it should be much harder to break than the other methods..
I personally think that Obfuscation {Proguard, Dexguard} and native {.so} are pretty effective way to go if used properly.
It definitely deters less experienced 'players' and definitely complicates the life of even experienced 'players'
Don't simply copy/paste the Google android example codes....
There are several tools that can easily reverse engineer the app and shows all the classes and resources easily.My question is what are the ways to make the code obscure.My code is unique and i do not want anyone to reverse engineer it.I want to know Preventive ways.
My question is what are the ways to make the code obscure
Nothing will give you significant improvement over ProGuard without seriously impacting runtime performance.
My code is unique and i do not want anyone to reverse engineer it.
Then do not put that code on somebody else's machine. Keep it on your server.
does ProGuard also hides my database?
No.
It's an important resource to me.
If by "an important resource" you mean "my database is unique and i do not want anyone to read it", then do not put the database on somebody else's machine. Keep it on your server.
Anything that goes on a user's device -- code or data -- is accessible by that user with sufficient work.
There are a couple of free obfuscators besides proGuard, but most apps will use proGuard cause it's recommended & supported by google.
So everything you need to know: (about proguard and beyond)
http://android-developers.blogspot.de/2010/09/proguard-android-and-licensing-server.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+blogspot/hsDu+(Android+Developers+Blog)
https://stackoverflow.com/questions/2531187/android-and-obfuscation