How to avoid reverse engineering of an APK file?

Question

I am developing a payment processing app for Android, and I want to prevent a hacker from accessing any resources, assets or source code from the APK file.<

Answer 1

Basically it's not possible. It will never be possible. However, there is hope. You can use an obfuscator to make it so some common attacks are a lot harder to carry out including things like:

1. Renaming methods/classes (so in the decompiler you get types like a.a)
2. Obfuscating control flow (so in the decompiler the code is very hard to read)
3. Encrypting strings and possibly resources

I'm sure there are others, but that's the main ones. I work for a company called PreEmptive Solutions on a .NET obfuscator. They also have a Java obfuscator that works for Android as well one called DashO.

Obfuscation always comes with a price, though. Notably, performance is usually worse, and it requires some extra time around releases usually. However, if your intellectual property is extremely important to you, then it's usually worth it.

Otherwise, your only choice is to make it so that your Android application just passes through to a server that hosts all of the real logic of your application. This has its own share of problems, because it means users must be connected to the Internet to use your app.

Also, it's not just Android that has this problem. It's a problem on every app store. It's just a matter of how difficult it is to get to the package file (for example, I don't believe it's very easy on iPhones, but it's still possible).

Answer 2

Developers can take following steps to prevent an APK from theft somehow,

• the most basic way is to use tools like ProGuard to obfuscate their code, but up until now, it has been quite difficult to completely prevent someone from decompiling an app.

• Also I have heard about a tool HoseDex2Jar. It stops Dex2Jar by inserting harmless code in an Android APK that confuses and disables Dex2Jar and protects the code from decompilation. It could somehow prevent hackers from decompiling an APK into readable java code.

• Use some server side application to communicate with the application only when it is needed. It could help prevent the important data.

At all, you can not completely protect your code from the potential hackers. Somehow, you could make it difficult and a bit frustrating task for them to decompile your code. One of the most efficient way is to write in native code(C/C++) and store it as compiled libraries.

Answer 3

Here are few methods you can try:

1. Use obfuscation and tools like ProGuard.
2. Encrypt some part of source and data.
3. Use a proprietary inbuilt checksum in the app to detect tampering.
4. Introduce code to avoid loading in a debugger, that is, let the app have the ability to detect the debugger and exit / kill the debugger.
5. Separate the authentication as an online service.
6. Use application diversity
7. Use the finger printing technique for e.g., hardware signatures of the devices from different subsystem before authenticating the device.

Answer 4

If your app is this sensitive then you should consider the payment processing part at server side. Try to change your payment processing algorithms. Use android app only for collecting and displaying user information (i.e account balance) and rather than processing payments within java codes, send this task to your server using a secure SSL protocol with encrypted parameters. Create fully encrypted and secure API to communicate with your server.

Of course, It can also be hacked too and it has nothing to do with source codes protection but consider it another security layer to make it harder for hackers to trick your app.

Answer 5

There is no way to completely avoid reverse engineering of an APK. To protect application assets, resources, you can use encryption.

• Encryption will make harder to use it without decryption.choosing some strong encryption algorithm will make cracking harder.
• Adding some spoof code into your main logic to make more harder for cracking.
• If you can write your critical logic in any native language and that surely make harder for decompile.
• Using any third party security frameworks like Quixxi

Answer 6

I knew some banking apps are using DexGuard which provides obfuscation as well as encryption of classes, strings, assets, resource files and native libraries

https://www.guardsquare.com/en/products/dexguard