How to protect Android app against theft and modif

2019-02-19 07:01发布

问题:

There's a good report here of a recent scam perpetrated through the Android market.

http://www.theregister.co.uk/2011/12/12/android_market_malware/

Someone copied some popular game .apk files off a rooted phone, decompiled them with smali, added code to make them use an expensive premium SMS service, re-signed them with his own key, and put them back in the Android market. Over 10K users downloaded them in the 24 hours before Google booted the apps from the market.

How can app developers protect against their work being stolen, modified, and remarketed in this way? I suppose you could match the MD5 hash of your app as it was when you shipped it (perhaps kept with your app in the google market, or on one of your servers), with the MD5 hash of the app as it is now. But we don't have tools for checking the MD5 hash of an .apk file, and the underlying files are not visible to app software.

Ensuring identity integrity of an app you run, surely, is a solved problem. What is the best practice?

回答1:

This kind of black hat practice are impossible to avoid. Whatever you find, a lucky, ingenious, patient hacker will undo it.

You can nevertheless hope to work hard enough to make it harder for most hackers to easily break your protections. That's what people often call IT security btw :)

Fields to investigate are :

  • obfscation
  • CRCs and MD5 as you mentionned it
  • secure networked verification
  • a second app to check the first
  • a custom checking class loader (can you do that on android ?)


回答2:

Not the be-all-to-end-all but there is ProGuard:

The ProGuard tool shrinks, optimizes, and obfuscates your code by removing unused code and renaming classes, fields, and methods with semantically obscure names. The result is a smaller sized .apk file that is more difficult to reverse engineer. Because ProGuard makes your application harder to reverse engineer.



回答3:

If you are willing to spend some money then go for some professional help such as Arxan. We have used this in our enterprise level app. Basically it recompiles the .apk with its own encryption and creates a new apk which will enable you to know whether tampering was done with apk and other such instances. You may refer to this url : https://www.arxan.com/ for more details and do your research accordingly.