Protect Android App from reverse engineering

Published 2019-03-29 14:30

Question:

I want to secure my app 100% and don't want hackers to enter inside.

These are the solutions which I found from Stack Overflow.

  1. Integrating Proguard in the app.

  2. Keeping the most important part of the code in C/C++.

  3. Using the NDK to write the code natively into a .so file.

  4. Encrypting the API keys using MD5.

So is there any other way to protect my Android app fully from the hackers, or which is the best solution among the above mentioned?

These are the references which I found

How to avoid reverse engineering of an APK file?

How to prevent reverse engineering of an Android APK file to secure code?

Answer 1:

There is simply no way of completely preventing reverse engineering of your app. Given enough resources, programs do eventually get reverse engineered. It all depends on how motivated your adversary is.

Integrating Proguard in the app

The most efficient counter-measure against reverse engineering is obfuscation. That is what Proguard does (but, not too well from what I gather). Proguard's website says it is an optimizer and only provides a minimal protection against RE. Obfuscation only makes the process of reverse engineering harder. It does NOT prevent reverse engineering.

Keeping the most important part of the code in C/C++.

This is a general misconception that writing code in native code will prevent reverse engineering. Writing in C/C++ will compile and build your code to the machine language, which is harder to reverse engineer than Java bytecode. But, it still does not prevent it completely.

Also, when writing code in C/C++, unless you are a hardcore systems programmer, you have a higher chance of introducing a lot of bugs:

  • nasty segmentation faults
  • memory leaks
  • use after free

On top of all these, you might end up introducing a multitude of vulnerabilities in your app, from information disclosures to buffer overflows.

Languages which allow you to manage the memory yourself (like C/C++) are immensely powerful. So, it also makes it easier to shoot yourself in the foot. That is another reason why Java is considered generally safer (since memory is managed by the JVM with the help of GC).

So, unless there is an absolute need to write code in C/C++ (say, you are writing a codec), please don't write in C (just to mitigate reverse engineering).

Encrypting the API keys using MD5

MD5 is a hashing algorithm which hashes data into a 16 byte string. And it is also considered broken. You can only hash with MD5, not encrypt with it.

Even if you encrypt your keys with an algorithm like AES, you will need to store the key somewhere to decrypt it in the future. The attacker can easily extract the key either from the program memory (while running) or from persistent storage and then use it to decrypt your API keys.

Suggestion

Any sensitive part of the code, which you want to prevent from reverse engineering, move it to a remote server. Say, you have come up with a cool algorithm which you do not want anyone to reverse engineer.

I would suggest building a REST API on the server which accepts data from clients, runs the algorithm and returns the results. Whenever you need to make use of this algorithm, you can make a REST call to your server from the app, and then just make use of the results you get from there in your app.

All sensitive and confidential data like your API keys can also be stored in the server and never exposed directly in the app.

This would make sure that the sensitive parts of your code are not disclosed to your adversaries.
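The server-side design this answer suggests, as an added example that is not part of the original answer: a minimal REST endpoint (Python standard library only) keeps the proprietary "algorithm" and the third-party API key on the server, while the app-side client only sends input data and receives results. The endpoint path `/v1/score`, the weighted-checksum stand-in for the algorithm, the `THIRD_PARTY_API_KEY` placeholder and the sample input are all constructed for this illustration.

```python
"""Added example: keep secrets and sensitive logic behind a REST API.
Not from the original answer; the endpoint, algorithm and key are constructed."""
import json
import os
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, request

# Constructed placeholder. A real deployment loads this from a secrets store or
# the environment; it never ships inside the APK.
THIRD_PARTY_API_KEY = os.environ.get("THIRD_PARTY_API_KEY", "PLACEHOLDER_SERVER_SIDE_KEY")


def secret_algorithm(values):
    """Stand-in for the proprietary logic (constructed weighted checksum)."""
    return sum((i + 1) * v for i, v in enumerate(values)) % 9973


class ScoreHandler(BaseHTTPRequestHandler):
    """Server side: validates input, runs the algorithm, returns only the result."""

    def do_POST(self):
        if self.path != "/v1/score":
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", 0))
        if length > 4096:  # bound request size before reading it
            self.send_error(413)
            return
        try:
            body = json.loads(self.rfile.read(length))
            values = body["values"]
            if not isinstance(values, list) or not all(isinstance(v, int) for v in values):
                raise ValueError("values must be a list of integers")
        except (ValueError, KeyError, TypeError):
            self.send_error(400)
            return
        # THIRD_PARTY_API_KEY would be used here for upstream calls; the
        # response carries the computed score only, never the key.
        payload = json.dumps({"score": secret_algorithm(values)}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Bind to loopback on a free port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), ScoreHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def client_score(port, values):
    """App side: send the data, get the result, never touch the key."""
    req = request.Request(
        f"http://127.0.0.1:{port}/v1/score",
        data=json.dumps({"values": values}).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with request.urlopen(req, timeout=5) as resp:
        return json.load(resp)["score"]


def demo():
    """Returns (score for valid input, HTTP status for malformed input)."""
    srv = start_server()
    try:
        score = client_score(srv.server_port, [3, 1, 4, 1, 5])
        try:
            client_score(srv.server_port, ["not", "ints"])
            rejected = None
        except error.HTTPError as e:
            rejected = e.code
        return score, rejected
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

The point the answer makes is visible in the split: everything an attacker could lift from the APK is the request format and the URL, neither of which reveals the algorithm or the key. Production use still needs the usual server hardening (TLS, per-user authentication, rate limiting), which the answer does not cover and this example leaves out.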



Answer 2:

I'll show you how to prevent Android apps from being stolen. The big picture of our problem is the app's data, not code, so why is there no built-in framework that works on obfuscated strings depending on the fingerprints of developers?

I know Proguard is the framework that works on obfuscating function and class names. You know, every time I hack an app I don't need to know the function or class names :)

But I need to know the base data URL or any strings that are shown to the user on the screen.

So the effective way to protect an APK is to obfuscate strings using the fingerprint of a developer, so when I decompile an app I can't get service URLs or any important strings shown on screen without the original fingerprint.

There is a framework that can do that, called StringCare: https://github.com/MostafaAnter/AndroidLibrary.
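The mechanism this answer describes, as an added example that is not StringCare's code and makes no claim about how that library actually derives its keys: a build-time transform masks each string literal with a keystream derived from a developer "fingerprint" value, and the runtime reverse transform recovers it. The `DEV_FINGERPRINT` bytes, the SHA-256 keystream construction and the sample URL are constructed for this illustration.

```python
"""Added example: fingerprint-keyed string obfuscation, build step and runtime step.
Not from the original answer or from StringCare; the key derivation is constructed."""
import base64
import hashlib
import os

NONCE_LEN = 8


def _keystream(fingerprint: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream: SHA-256 over (fingerprint, nonce, counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(fingerprint + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def obfuscate(plain: str, fingerprint: bytes) -> str:
    """Build step: replace a literal with base64(nonce || masked bytes)."""
    nonce = os.urandom(NONCE_LEN)
    data = plain.encode("utf-8")
    masked = bytes(a ^ b for a, b in zip(data, _keystream(fingerprint, nonce, len(data))))
    return base64.b64encode(nonce + masked).decode("ascii")


def reveal(blob: str, fingerprint: bytes) -> str:
    """Runtime step: the app recomputes the keystream and unmasks the literal."""
    raw = base64.b64decode(blob)
    nonce, masked = raw[:NONCE_LEN], raw[NONCE_LEN:]
    data = bytes(a ^ b for a, b in zip(masked, _keystream(fingerprint, nonce, len(masked))))
    return data.decode("utf-8")


# Constructed fingerprint. A real build would derive it from the signing
# certificate; the value here exists only so the example runs stand-alone.
DEV_FINGERPRINT = hashlib.sha256(b"constructed-signing-cert-fingerprint").digest()


def roundtrip(plain: str) -> str:
    """Obfuscate then reveal with the same fingerprint."""
    return reveal(obfuscate(plain, DEV_FINGERPRINT), DEV_FINGERPRINT)


def literal_visible(blob: str, plain: str) -> bool:
    """True if the plaintext still appears verbatim in the stored blob."""
    return plain.encode("utf-8") in base64.b64decode(blob)


if __name__ == "__main__":
    url = "https://api.example.com/v1/"
    blob = obfuscate(url, DEV_FINGERPRINT)
    print(blob, "->", reveal(blob, DEV_FINGERPRINT))
```

This keeps the URL out of a plain `strings` dump of the APK, which is the protection the answer is after. The caveat from Answer 1 applies unchanged: the app must be able to run `reveal` on the device, so whatever derives the fingerprint ships with the app. Treat this as raising the effort of a casual decompile, not as keeping the value secret from a determined adversary.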