How to secure my own android app from hacking?

Jooztk

Member
Oct 19, 2010
24
3

jcase

Retired Forum Mod / Senior Recognized Developer
Feb 20, 2010
6,331
15,774
Sequim WA
How to secure my own android app from hacking?

Ok, let's get some clarification. Reverse engineering? Or exploiting a vulnerability?

Protect from reverse engineering? Not possible. You can use something like Allatori, DexGuard, DashO etc. to make it more difficult to reverse engineer, but it is impossible to stop it. An experienced reverse engineer will rip through it. Don't believe anyone (even Google) if they say ProGuard makes reverse engineering impossible, or more difficult; it doesn't.

Protect from exploitation? Use best practices when writing the app. Network traffic? SSL with certificate pinning. Attacks against components (services, broadcast receivers etc.)? Don't export unless absolutely needed. Use the least amount of permissions needed to accomplish your goal. Maintain the absolute minimum permissions for files; they don't need to ever be world-writable. Injections? Validate and sanitize input. The list goes on and on. Get someone knowledgeable in the area to do an audit of the app if possible.
 

danelab

Member
Mar 29, 2014
15
5
Ok, let's get some clarification. Reverse engineering? Or exploiting a vulnerability?

Protect from reverse engineering? Not possible. You can use something like Allatori, DexGuard, DashO etc. to make it more difficult to reverse engineer, but it is impossible to stop it. An experienced reverse engineer will rip through it. Don't believe anyone (even Google) if they say ProGuard makes reverse engineering impossible, or more difficult; it doesn't.

There is a dirty trick here. You can move some part (logic) of your code into a native lib. It will complicate the decompilation, because not so many reversers are familiar with ARM assembler. But I agree, it's not possible to fully protect an app from cracking.
 

Wasim625

Senior Member
Jul 1, 2014
241
49
It's simply impossible to protect your app from reverse engineering.....

 

BitGriff

Member
Feb 11, 2013
10
0
Tyumen
bitgriff.blogspot.ru
Java bytecode can be easily decompiled.

It's possible to use obfuscators to make it difficult to reverse engineer bytecode.

But it doesn't give a 100% guarantee against reverse engineering; the decompiled code will just be messy.

Android development tools include the ProGuard obfuscator - you can use it.

The best way to protect code is to move some parts of it to the native part (NDK, C++).

Best regards.

---------- Post added at 02:37 PM ---------- Previous post was at 02:20 PM ----------

There is a dirty trick here. You can move some part (logic) of your code into a native lib. It will complicate the decompilation, because not so many reversers are familiar with ARM assembler. But I agree, it's not possible to fully protect an app from cracking.

I agree with you that not many people know it.

But ARM assembler is easy to understand. If somebody understands x86 assembler, he can understand ARM assembler too.

IDA is a great tool for reverse engineering. If you have an understanding of ARM assembler, you can use IDA to check how hard it is to reverse engineer your software.

Some tips:
Don't use easy-to-understand function names, such as checkLicense, isLicenseValid, isTrialValid, isItemBrought. Use names that will confuse. For example, a function that checks the license or trial could be called loadIcons or something like this.

Don't make functions easy to patch. For example, your function checks if an item in your game is bought, and it returns bool. Someone can replace a few asm instructions, and the function will always return true. It's better to make more than one check, from different places. If one check function is patched, the others are not. And it will make cracking your app more difficult.

Scramble strings. Strings such as URLs, message texts and log messages can make cracking easier. For example, your app gets the list of bought items from your server. The server URL can be used to identify the place where the check is performed. A cracker can reveal the logic and patch your app. The same goes for messages and log messages. These strings can be used to identify a place in the code and what your app performs in this place. XOR all chars in such strings, and it will be more difficult to find them.

I hope this helps you.

Best regards,
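
The string-scrambling tip from the post above, as an added example in C for a native (NDK) library; it is not code from the thread. The key, the rolling-key scheme and the endpoint path `/v1/items` are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SCRAMBLE_KEY 0x5Au  /* constructed key for this example */

/* "/v1/items" (a made-up endpoint path) XORed byte-by-byte with
 * (SCRAMBLE_KEY + index). Produced offline, so the plaintext never
 * appears in the compiled library's string table. */
static const unsigned char ENC_PATH[] = {
    0x75, 0x2D, 0x6D, 0x72, 0x37, 0x2B, 0x05, 0x0C, 0x11
};

/* XOR is its own inverse: this one routine both scrambles and unscrambles.
 * The rolling key stops repeated characters from producing repeated bytes. */
static void xor_roll(unsigned char *dst, const unsigned char *src, size_t n)
{
    for (size_t i = 0; i < n; i++)
        dst[i] = (unsigned char)(src[i] ^ (unsigned char)(SCRAMBLE_KEY + i));
}

/* Decode into a caller-supplied buffer and NUL-terminate.
 * Returns 0 on success, -1 if the buffer is too small. */
int unscramble(char *out, size_t out_len, const unsigned char *enc, size_t n)
{
    if (out_len < n + 1)
        return -1;
    xor_roll((unsigned char *)out, enc, n);
    out[n] = '\0';
    return 0;
}

/* Overwrite the decoded copy after use; volatile keeps the compiler
 * from optimising the wipe away. */
void wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--)
        *v++ = 0;
}

int main(void)
{
    char path[32];
    if (unscramble(path, sizeof path, ENC_PATH, sizeof ENC_PATH) != 0)
        return 1;
    printf("decoded at run time: %s\n", path);
    wipe(path, sizeof path);
    return 0;
}
```

This hides the path from a plain string search of the library; the decoded value still sits in memory while in use, and the decode routine itself can be read in a disassembler.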
 
