• Vizteck Author

Can Someone Steal your Android Application Code?

Updated: May 13


Do you know that anyone can steal the code of your android app in under 2 minutes using tools that are freely available on the internet? So what can you do about it and how can you protect your code. Let’s talk about how you can protect your app from these “App Pirates” or App Piracy.


Making it difficult to reverse engineer your code is very complex and tricky. However, you can make this possible by using some simple steps. In this article i will let you review on some of the tools that will help you to secure your code.


How do they steal the code?


Pirates simply gets the apk, decompiles it, steals your code or functionality and uploads your app code or may change few things and upload again from his own account.


An Android Application Package (APK) file can easily be reverse engineered using following steps:


Change extension of APK file from .apk to .zip


  1. Now use Dex2Jar (a lightweight API) to convert DEX file to JAR file

  2. Now by extracting this .zip file, you will get all the resource files, android manifest file + classes.dex (.dex file is Dalvik Executable format file) file.

  3. Download dex2jar tool from dex2jar.

  4. Open CMD window and execute following commands to get .jar file from .apk file.

  • Now use JD-GUI to get Java source codes of “.class” files from JAR file followed by step 1.


Protecting app from App Piracy


Like i said earlier, you can’t make your code 100% secure. Whatever you do to your code, a potential hacker can change it in any way he can. You basically can’t protect your application from being modified. Moreover, any protection you put in there can be disabled/removed.


So, what is the way to at least make it difficult for a hacker to reverse engineer it? Let’s review some practices or techniques to make your app secure from pirates.


Using Google Library


Google provides you a library named Google library LVL (License Verification Library), just to build into your code and use it. You can make your app secure by just adding licensing permission and then implement the policy in your app.


You can add the custom policy and strict policy in your code. It provides you a sheath of protection to help you from any piracy attack.


Isolate Java Program


This technique is used to hide your algorithm from being modified or reused. You keep your expensive functions and algorithms on a secure server and use web services. In this way, the client could use it.


Despite the positive sides of it, this technique is not recommended because you cannot use it in case of the standalone applications or it is expected to perform the functionalities without the web.


Cryptography

Some developers encrypt their java classes using cryptography. Custom ClassLoader classes are used first to find such encrypted classes and the after decrypting them they are finally loaded into JVM.


Using this technique do not make your app secure truly because your Custom loader classes are not encrypted. So, the hacker may target it and grab your code and decrypt all other files.


Native Code your App


There is another way of securing your code by writing an entire application or key modules in a native language using JNI technology and NDK tool. Native codes are difficult to be decompiled. Moreover to make sure that such native codes are not modified developer often use digital codes to sign native code.

Before using these native codes, developers often need to authenticate these local codes to ensure that these codes have not changed by hackers. If the signature check is passed, then developers can call relevant JNI methods.

To take advantage of this technique, you have to compromise the cross-platform feature of your java code with security.


Code Obfuscation.

I find code obfuscation most efficient and productive approach to secure Android APK. It keeps on changing your variable names to make your code confusing and difficult to decompile.

Following are some popular code obfuscation tools.


Proguard

Proguard is a tool which comes with Android SDK.It does name obfuscation of variables and classes so that it could make the code less readable after being cracked. It also shrinks and optimizes code.Proguard configuration can be changed in proguard-android.txt file where default configuration is already defined,

You can configure your build.gradle file for proguard implementation. It can be module level or the project level.

buildTypes { debug { minifyEnabled false proguardFiles getDefaultProguardFile(‘proguard-android.txt’), ‘proguard-rules.txt’ } }

The configuration shown is for debug level you can write your build flavors like shown below inside buildTypes

Myproductionbuild{ minifyEnabled true proguardFiles getDefaultProguardFile(‘proguard-android.txt’), ‘proguard-rules.txt’ }


DexProtector

DexProtector is an effective tool to obfuscate Android code. It uses strong cryptographic algorithms to encrypt Dalvik bytecode. Moreover, it injects security checks in Android APK. In case of tampering, it stops functionalities of that particular android application.


Conclusion

Let me conclude the whole scenario in few words, using the suggested tools above, you can make it difficult for an entry level hacker to dilute your app piracy. Vizteck Solutions is providing software solutions to businesses and startups for the last 9 years. We have a dedicated Mobile Application Development team and we make sure that we do our best to use the best practices to make our android applications secure.

#AppSecurity #Mobileappsecurityissues #IOS8 #AppPiracy #HybridApp #MobileApp #mobile #android

549 views
ADDRESS

Building 145, Bahria Town Phase 4, Civic Center, Islamabad

© 2007- 2020 - Vizteck.com

GET IN TOUCH

+1-508-4227011

  • Facebook
  • Twitter
  • LinkedIn