Is it really impossible to protect Android apps from reverse engineering?

java android reverse-engineering decompiling
32,332

Solution 1

The first stop for me would be to optimise and obfuscate the code with ProGuard which is known to work with byte code targeted at Android's Dalvik VM (via Dex). It's a really great tool and can increase the difficulty of 'reversing' your code while shrinking your code's footprint (in some cases dramatically: a recent applet of mine went from about 600 KB down to about 50 KB).

Like others are saying, you will never get 100% security of your algorithm's details while its implementation is being distributed to clients. For that, you'd need to keep the code on your servers alone. Attempts to near 100% percent security for client code effectively amount to DRM and can make your client code fragile in the face of network outages and just generally frustrate (legitimate) users.

The Android developers blog has some useful articles on the matter of 'tamper resistant' Android apps (and they recommend the use of ProGuard as part of the overall approach).

With regards to 'creative' approaches: some developers employ debugger detection techniques to prevent run-time analysis and combine this with encryption of portions of binary code (to deter static analysis), but to be honest, a determined enough attacker can circumvent these, while it can cause legitimate user frustration as illustrated by the Windows KB article Games: Error Message: A Debugger Has Been Detected: Unload the Debugger and Try Again. My girlfriend's 'Learn to drive' DVD software will not run under VirtualBox for this reason, but she blames Linux of course!

OpenRCE and Wikipedia's article on obfuscated code may be good starting points if you want to look into this further. But be warned, you may lose more through over zealous use of these techniques frustrating your users than you would through loss of trade secrets by reverse engineering. Like Anton S says, maybe the most 'creative' approach lies with tweaking the business model rather than the technology.

The latest Android SDK update on 6th Dec 2010 (coinciding with Android 2.3 Gingerbread release):

Integrated ProGuard support: ProGuard is now packaged with the SDK Tools. Developers can now obfuscate their code as an integrated part of a release build.

Solution 2

If it's a possibility: remote procedure calls to a well-protected server (the server has the code you want to protect).

Solution 3

Make it so cheap to bother and don't build your business model on top of secrets that are executed on the client side. In other words, don't share your secrets.

Solution 4

It is impossible to protect any client side code from reverse engineering. You can just use more or less efficient ways of obfuscating your code. And optimized x86 assembler happens to be a pretty good obfuscation.

So if you have algorithmic secrets put them on the server-side.

Solution 5

How to lock compiled Java Classes to prevent decompilation

You can't. Any scheme can be defeated by someone with sufficient skills, time and motivation.

(Incidentally, this also applies to software that is compiled to binary. The only difference is in the amount of effort involved in decompiling.)

My question is how one would go about protecting an app that contains algorithmic trade secrets from reverse-engineering?

Simply don't install the app on the user's phone. Or (more usefully), run the code that contains the trade secrets on a remote (properly secured) server.

Share:
32,332
Android Eve
Author by

Android Eve

Just starting in the world of Android development... New to Java and Eclipse as well.

Updated on July 08, 2022

Comments

  • Android Eve
    Android Eve almost 2 years

    As we know, Android apps are written in Java. In Java, no matter what you do, it is impossible to protect compiled code from decompilation or reverse-engineering, as the Stack Overflow question How to lock compiled Java classes to prevent decompilation? suggests.

    How would one go about protecting an app that contains algorithmic trade secrets from reverse-engineering?

    By "how" I mean not only software techniques, but also other creative approaches.

  • Android Eve
    Android Eve over 13 years
    Anton, I didn't mean copy or piracy protection against users. The app would most likely be offered for free. I meant reverse-engineering by some corporations...
  • jwueller
    jwueller over 13 years
    My thoughts! +1! @Android Eve: You could use a secred authentication passphrase for connecting to your server. Even if somebody extracts this passphrase out of your code, nobody will be able to see how your calculations work.
  • Android Eve
    Android Eve over 13 years
    +1 for this idea. One huge drawback though: giving up the benefits of distributed processing. If the algorithm needs to serve hundreds of millions of people, then you need serious investment in a server farm.
  • jcomeau_ictx
    jcomeau_ictx over 13 years
    I'd say forget the passphrase, because someone will extract it. as you said, it's a black box, people can see the results but not the code that produced them. thanks for the +1!
  • Android Eve
    Android Eve over 13 years
    Optimized x86 assembler on an Android device? How?
  • jwueller
    jwueller over 13 years
    The passphrase is an additional layer of obfuscation. You do not need it, but it does not hurt either and makes it harder to use this service without using the app.
  • CodesInChaos
    CodesInChaos over 13 years
    That was just a general remark about x86 being harder to reverse than java bytecode, but still possible. And afaik it is possible to ship native code with your android programs(ARM I'd guess), but I'm not sure it's a good idea.
  • jcomeau_ictx
    jcomeau_ictx over 13 years
    @elusive: if that's your preference. it's hard to explain my philosophy in these little comment boxes so I won't try.
  • Android Eve
    Android Eve over 13 years
    Are you referring to the NDK? I wouldn't mind using my mother tongue (C++) on the Android, but my understanding is that the NDK is limited for a very specific low-level system programming.
  • Android Eve
    Android Eve over 13 years
    +1 for the last tip. Any other ideas that are not necessarily software techniques?
  • Android Eve
    Android Eve over 13 years
    +1 for the 3rd one. Any other ideas that are not necessarily software techniques?
  • Android Eve
    Android Eve over 13 years
    +1. This is the best answer I received so far. Thank you. Unless an even better answer is received, this will be the accepted answer.
  • Willem Hengeveld
    Willem Hengeveld over 9 years
    You don't need decompilation for reverse engineering, disassembly is sufficient. And i found the hexagon disassembly to be quite readable.
  • Awi
    Awi almost 6 years
    The same applies to Root Detection. You will be trying to control "the user that controls control", including the api calls that you rely on to know "Who has root access?".

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Alternative to dex2jar and jd-GUI?
How to remove class file in .jar file and change it with my own implementation
How can I protect MySQL username and password from decompiling?
Decompile an APK, modify it and then recompile it
decompiling DEX into Java sourcecode
Android: Java: Proguard: How to: verify if my jar (different jar project)/apk are successfully processed? (I am thinking to reverse engineer it)
How to reverse-engineer / decompile an Android APK which was obfuscated using ProGuard?
Error : Flutter - Missing 'package' key attribute on element package at [com.google.android.gms:play-services-maps:18.0.2] AndroidManifest.xml:33:9-64
flutter gradle build failed with gradle 4.2.2 and sdk version 31
Duplicate class com.google.android.exoplayer2.ui.DownloadNotificationHelper