将光标移到/点击文章中的句子上,可以查看译文。      显示繁体中文内容    显示简体中文内容

How to avoid reverse engineering of an APK file?
如何避免APK的某个文件被逆向工程?

I am developing a payment processing app for Android, and i want to prevent a hacker from accessing any resources, assets or source code from the APK file.

If someone changes the. apk extension to. zip then they can unzip it and easily access all the app's resources and assets, and using dex2jar and a Java decompiler, they can also access the source code.it's very easy to reverse engineer an Android APK file - for more details see Stack Overflow question Reverse engineering from an APK file to a project.

I have used the Proguard tool provided with the Android SDK.when i reverse engineer an APK file generated using a signed keystore and Proguard, i get obfuscated code.However, the names of Android components remain unchanged and some code, like key-values used in the app, remains unchanged.as per Proguard documentation the tool can't obfuscate components mentioned in the Manifest file.

Now my questions are :

  1. How can i completely avoid reverse engineering of an Android APK?is this possible?
  2. How can i protect all the app's resources, assets and source code so that hackers can't hack the APK file in any way?
  3. is there a way to make hacking more tough or even impossible?what more can i do to protect the source code in my APK file?
时间:

1. how can i completely avoid reverse engineering of an Android APK?is this possible?

AFAIK, there is not any trick for complete avoidance of reverse engineering.

And also very well said by @inazaruk:whatever you do to your code, a potential attacker is able to change it in any way she or he finds it feasible.you basically can't protect your application from being modified.and any protection you put in there can be disabled/removed.

2. how can i protect all the app's resources, assets and source code so that hackers can't hack the APK file in any way?

You can do different tricks to make hacking harder though.for example, use obfuscation (if it's Java code).this usually slows down reverse engineering significantly.

3. is there a way to make hacking more tough or even impossible?what more can i do to protect the source code in my APK file?

As everyone says, and as you probably know, there's no 100% security.but the place to start for Android, that Google has built in, is ProGuard.if you have the option of including shared libraries, you can include the needed code in C++ to verify file sizes, integration, etc. if you need to add an external native library to your APK's library folder on every build, then you can use it by the below suggestion.

Put the library in the native library path which defaults to"libs"in your project folder.if you built the native code for the 'armeabi ' target then put it under libs/armeabi.if it was built with armeabi-v7a then put it under libs/armeabi-v7a.


<project>/libs/armeabi/libstuff.so

AFAIK, you cannot protect the files in the/res directory anymore than they are protected right now.

However, there are steps you can take to protect your source code, or at least what it does if not everything.

  1. Use tools like ProGuard. these will obfuscate your code, and make it harder to read when decompiled, if not impossible.
  2. Move the most critical parts of the service out of the app, and into a webservice, hidden behind a server side language like PHP.for example, if you have an algorithm that's taken you a million dollars to write.you obviously don't want people stealing it out of your app.Move the algorithm and have it process the data on a remote server, and use the app to simply provide it with the data.or use the NDK to write them natively into. so files, which are much less likely to be decompiled than apks.i don't think a decompiler for. so files even exists as of now (and even if it did, it wouldn't be as good as the Java decompilers).Additionally, as @nikolay mentioned in the comments, you should use SSL when interacting between the server and device.
  3. When storing values on the device, don't store them in a raw format.for example, if you have a game, and you're storing the amount of in game currency the user has in SharedPreferences.let's assume it's 10000 coins.instead of saving 10000 directly, save it using an algorithm like ((currency*2)+1)/13.so instead of 10000, you save 1538.53846154 into the SharedPreferences.However, the above example isn't perfect, and you'll have to work to come up with an equation that won't lose currency to rounding errors etc.
  4. You can do a similar thing for server side tasks.now for an example, let's actually take your payment processing app.let's say the user has to make a payment of $200.instead of sending a raw $200 value to the server, send a series of smaller, predefined, values that add up to $200.for example, have a file or table on your server that equates words with values.so let's say that Charlie corresponds to $47, and John to $3.so instead of sending $200, you can send Charlie four times and John four times.on the server, interpret what they mean and add it up.this prevents a hacker from sending arbitrary values to your server, as they do not know what word corresponds to what value.as an added measure of security, you could have an equation similar to point 3 for this as well, and change the keywords every n number of days.
  5. Finally, you can insert random useless source code into your app, so that the hacker is looking for a needle in a haystack.Insert random classes containing snippets from the internet, or just functions for calculating random things like the Fibonacci sequence.Make sure these classes compile, but aren't used by the actual functionality of the app.Add enough of these false classes, and the hacker would have a tough time finding your real code.

All in all, there's no way to protect your app 100%.you can make it harder, but not impossible.your web server could be compromised, the hacker could figure out your keywords by monitoring multiple transaction amounts and the keywords you send for it, the hacker could painstakingly go through the source and figure out which code is a dummy.

You can only fight back, but never win.

1. how can i completely avoid reverse engineering of an Android APK?is this possible?

this isn't possible

2. how can i protect all the app's resources, assets and source code so that hackers can't hack the APK file in any way?

When somebody change a. apk extension to. zip, then after unzipping, someone can easily get all resources (except Manifest.xml ), but with APKtool one can get the real content of the manifest file too.Again, a no.

3. is there a way to make hacking more tough or even impossible?what more can i do to protect the source code in my APK file?

Again, no, but you can prevent upto some level, that is,

  • Download a resource from the Web and do some encryption process
  • Use a pre-compiled native library (C, C++, JNI, NDK )
  • Always perform some hashing ( MD5/SHA keys or any other logic )

Even with Smali, people can play with your code.all in all, it's not POSSIBLE.

100% avoidance of reverse engineering of the Android APK is not possible, but you can use these ways to avoid extracting more data, like source code, assets form your APK, and resources :

  1. Use ProGuard to obfuscate application code

  2. Use NDK using C and C++ to put your application core and secure part of code in .so files

  3. To secure resources, don't include all important resources in the assets folder with APK.Download these resources at the time of application first start up.

Developers can take following steps to prevent an APK from theft somehow,

  • the most basic way is to use tools like ProGuard to obfuscate their code, but up until now, it has been quite difficult to completely prevent someone from decompiling an app.

  • Also i have heard about a tool HoseDex2Jar.it stops Dex2Jar by inserting harmless code in an Android APK that confuses and disables Dex2Jar and protects the code from decompilation.it could somehow prevent hackers from decompiling an APK into readable java code.

  • Use some server side application to communicate with the application only when it is needed.it could help prevent the important data.

At all, you can not completely protect your code from the potential hackers.Somehow, you could make it difficult and a bit frustrating task for them to decompile your code.one of the most efficient way is to write in native code(C/C++) and store it as compiled libraries.

1. how can i completely avoid reverse engineering of an Android APK?is this possible?

that is impossible

2. how can i protect all the app's resources, assets and source code so that hackers can't hack the APK file in any way?

Developers can take steps such as using tools like ProGuard to obfuscate their code, but up until now, it has been quite difficult to completely prevent someone from decompiling an app.

It's a really great tool and can increase the difficulty of 'reversing 'your code whilst shrinking your code's footprint.

Integrated ProGuard support : ProGuard is now packaged with the SDK Tools.Developers can now obfuscate their code as an integrated part of a release build.

3. is there a way to make hacking more tough or even impossible?what more can i do to protect the source code in my APK file?

While researching, i came to know about HoseDex2Jar.this tool will protect your code from decompiling, but it seems not to be possible to protect your code completely.

Some of helpful links, you can refer to them.

The main question here is that can the dex files be decompiled and the answer is they can be"sort of".there are disassemblers like dedexer and smali.

ProGuard, properly configured, will obfuscate your code.DexGuard which is a commercial extended version of ProGuard, may help a bit more.However, your code can still be converted into smali and developers with reverse-engineering experience will be able to figure out what you are doing from the smali.

Maybe choose a good license and enforce it by the law in best possible way.

...