It turns out that Google recommends obfuscating your Android app.
In order to understand the problem, I would like to disassemble my own app and see what information I can extract from the code. How do I do this?
There are tools available for that, such as the pair linked to in this sentence. I have not used them and therefore cannot vouch for how well or easily they work.
Some tools are listed at What is a good android disassember that can produce infomative results
Also you can try undx http://undx.sourceforge.net/
Use them only for good :)
Related
I want to use Google Cloud Text-to-Speech on my Android app.
I found a sample code but I don't know how to use it in my app.
I run this sample and it worked.
https://github.com/changemyminds/Google-Cloud-TTS-Android
How to use it totally depends on your needs. You can use some patterns from this example. Also, you can read official Google documentation and use Java examples, but most important is TTS android reference with Java and Kotlin.
You can try to find in Google something like "Android TTS tutorials" to get more understanding about the theme.
I know it's a lot late response but still, if you had that issue then I had the solution of it and could say this would definitely help those who are facing the same issues, so if you are not having a heavy app size or it doesn't your Gradle conflicts with maven then you may prefer:- https://github.com/changemyminds/Google-Cloud-TTS-Android but if this link causes you errors as I got do prefer:-
https://github.com/ivso0001/GoogleCloudTextToSpeech this one is the very simpler so you won't be facing big issues. as it does help me too.
We have a setup where we want to use https://ship.io/ as our cloud-based continuous-integration server.
However we also want to have some kind of static code analysis (preferably SonarCube but that is debatable), which isn't supported officially by ship.io.
The Projects are classic mobile Projects (Android and iOS).
I have seen some posts of people mentioning that they managed to setup this kind of configuration. SonarCube just has released a gradle plugin http://www.sonarsource.com/2015/06/15/sonarqube-gradle-1-0-released/ so the Android part should be doable.
However at the moment i have no idea what would be the best way do do this for the iOS part of the project.
We already contacted the ship.io team on this issue but did not recieve a response yet.
Any suggestions/insights on this?
My name is Tim Rosenblatt and I'm one of the senior engineers here at Ship.io. I'm not sure why you didn't get a reply from our support email, and I'm glad you posted about this here.
As Viktor mentioned, we definitely support custom scripts. You absolutely can run whatever you like during your build process with this type of step.
I've got a few links that should be helpful for you in getting SonarCube added to your Ship job, but you can definitely get in touch with us if anything isn't clear enough for you. You can use the in-app support icon at the bottom right of your dashboard, or just email me personally -- tim at ship dot io
http://support.ship.io/environment/install-software
http://support.ship.io/environment/custom-shell-scripts
Thanks!
You should be able to write a script (bash, ruby, ...) which runs your static code analysis and then call that script on your own Mac or on any CI which supports running custom scripts. AFAIK ship.io does support this, our service (https://bitrise.io/ - CTO here) certainly does.
So I published my android app, I proguarded it, applied LVL and even changed some of the LVL code but offcourse, I found it cracked somewhere using a tool called Lucky Patcher. I am not going to ask how can I protect against 1 click tools like that, as I guess there is no single answer ( unless you have an idea and can point me toward).
I need to ask you to help figure out how my code was cracked. I understand that this tool takes APK file and removes licensing. Now given that, how can I take this APK file and reverse engineer it back to Java files to see how the tool cracked my code (so I fix it)
Please help me
Thanks
After Proguard, there's no way to decompile your code into humanly-readable Java.
While it makes the reverse engineering process more difficult, it's not impossible for a clever reverser to figure out the hidden algorithm.
As for tools,
Use android-apktool to decompile to smali and extract all the encoded xml resources.
Use dex2jar to translate Dalvik into jar
and finally jd-gui to see the resulting reversed java code
There's a lot of info here on how to go from a DEX file back to Java source. Also, have you looked at this blog post which addresses many of the ways to protect your source?
piracy is a big issue , and i don't think that any platform or OS can be fully protected from it .
however , google already made some tutorials regarding protection against it , for example:
http://www.google.com/events/io/2011/sessions/evading-pirates-and-stopping-vampires-using-license-verification-library-in-app-billing-and-app-engine.html
also:
http://android-developers.blogspot.co.il/2010/09/securing-android-lvl-applications.html
i think that you can also put some sophisticated obstacles using C instead of java.
also , as google suggests, consider using a different approach : make the core features free , and make the rest purchaseable via in-app billing . you can also add ads and a feature to remove them by in-app billing as well .
I was thinking about this and it seems like if you really wanted to secure your application from hackers there is really only 1 way to do it. You can implement all kinds of fancy methods of insuring your application is licensed and paid for as described in the google article but all it takes is a good hacker to decompile your application and find where the code is and then comment it out or change a function to always return true.
Instead, implement some portion of your application that is required for use in jni/ndk, and check for validation in that code. It doesn't have to be extremely complicated code but you can't just put something like a function (eg. checkValidity) as a user could easily comment the java call that calls into the ndk. Instead you should make some call to your ndk to actually do something that is non-trivial for your application to run -- something the user can't just comment out or switch out with a defined function that does the same thing. From within the ndk code do the verification of your application's integrity/licensing and if it fails kill the application or whatever you need to do.
In order to bypass this the hacker would need to re-implement the ndk code or reverse engineer it.. Which should be much more complicated and not worth while.
This obviously isn't a simple solution and still won't guarantee your application never gets hacked, but it should be much harder to break than the other methods..
I personally think that Obfuscation {Proguard, Dexguard} and native {.so} are pretty effective way to go if used properly.
It definitely deters less experienced 'players' and definitely complicates the life of even experienced 'players'
Don't simply copy/paste the Google android example codes....
I would like to know:
If it's possible to use Lazarus (Pascal) for both Android and iOS development.
If the answer seems positive, do I need a third-party SDK/API or package to do this?
Thanks!
Android: See answer from Nic Strong.
iOS (iPhone/iPad): Check google and find this result.
I am almost certain the answer is no.
EDIT: Looks like I was wrong. See http://wiki.lazarus.freepascal.org/Android_Programming
The answer is yes. For Ios Lazurs uses objectivepascal which a pascal extension that allows integration with objective-c much like objective-c++.
However it is necessary to do some work to set-up the environment and you need an Apple computer to build test and debug.
This is the best entry point for iOS development:
http://objectivepascal.com/
I want to prevent anyone from apk reverse compilation. We need to do something. I browsed on the internet, but I still don't know the operational steps clearly.
Who can tell me how to do it?
Anyone's help is so welcome!! Thanks!!
You need an obfuscator. If you are running .NET or Java, these should be easy to find.
There is nothing to prevent people from decompiling your code. All you can do is make it as nasty to read as possible. Don't do this in source (as you will not be able to modify your code yourself), use an obfuscator to do it as a post build step.
Google recommends ProGuard. See this link in the Android docs for more information.
It won't prevent people from disassembling your code (you won't be able to stop that - after all, the operating system needs to disassemble your code to execute it!), but it will make it very hard to see what's going on.