All geek questions in one place

Decompilation exception apk

I am trying to create a secure Android application. I have included proguard in my application. But when decompiling it does not hide any xml files or manifest. It only modifies .java files.

I tried decompiling the apk of another application from the game store using apktool . Then I got the following exception

Exception in thread "main" brut.androlib.AndrolibException: brut.directory.Direc toryException: java.util.zip.ZipException: error in opening zip file at brut.androlib.ApkDecoder.hasSources(ApkDecoder.java:199) at brut.androlib.ApkDecoder.decode(ApkDecoder.java:83) at brut.apktool.Main.cmdDecode(Main.java:146) at brut.apktool.Main.main(Main.java:77) Caused by: brut.directory.DirectoryException: java.util.zip.ZipException: error in opening zip file at brut.directory.ZipRODirectory.<init>(ZipRODirectory.java:55) at brut.directory.ZipRODirectory.<init>(ZipRODirectory.java:38) at brut.androlib.res.util.ExtFile.getDirectory(ExtFile.java:55) at brut.androlib.ApkDecoder.hasSources(ApkDecoder.java:197) ... 3 more Caused by: java.util.zip.ZipException: error in opening zip file at java.util.zip.ZipFile.open(Native Method) at java.util.zip.ZipFile.<init>(Unknown Source) at java.util.zip.ZipFile.<init>(Unknown Source) at brut.directory.ZipRODirectory.<init>(ZipRODirectory.java:53) ... 6 more

Then the xml and manifest files were not detected. I would also like to protect my application like this. How is this possible?

+6
source share
1 answer

To answer your question, it is simply not possible to fully protect the APK. XML files are easily parsed without apktool .

I asked Ben Gruver / JesusFreke (the guy who developed smali) and he said that it is not possible to fully protect the APK file, but you can complicate its decompilation. While Android can read resources / code in your project, then there may be tools.

The exception you see when trying to decompile Gmail is that apktool needs to be updated for Lollipop ( which is actively working ).

answer by @classc_abc is the best I have found to complicate the decompilation of the APK:

Basically, there are 5 ways to protect your APK from hacking / reversing / repackaging:

  • Isolate Java program

The easiest way is to make users inaccessible to access the Java class of the program. This is the most fundamental way, and it has many specific ways to achieve this. For example, developers can key Java class on the server, customers purchase access services corresponding server interfaces, and not access to the class file directly. Thus, hackers cannot decompile Class files. Currently, more and more standards and protocol services are provided through interfaces such as HTTP, Web service, RPC, etc. But there are many applications that are not suitable for this protection. For example, Java programs in stand-alone programs cannot isolate.

  1. Encrypt Class Files

To prevent decompilation of class files, many developers will encrypt some key class files, such as registration number, serial number control, and other related classes. Before using these encrypted classes, the program must first decrypt these classes, then load these classes into the JVM. These classes can be decrypted by hardware or software.

Developers often load cryptographic classes through specialized ClassLoader classes (the applet does not support custom ClassLoader due to security). Custom ClassLoader will find the cryptographic first, then decrypt them. And finally, download the decrypted classes for the JVM. Customed ClassLoader is a very important class in this protect method. Since he himself is not encrypted, this may be the hacker's first target. If the corresponding key and decryption algorithm have been overcome, then the encrypted classes can be decrypted.

  1. Convert to native codes

Converting a program into native codes is also an effective way to prevent decompilation. Because native codes are often difficult to decompile. Developers can convert the entire application into codes, or they can also convert only key modules. If you simply convert the key to a part of the modules, JNI technology will be needed for the call when Java programs use these modules. He abandoned the cross Java platform by using this mothod to protect Java programs. For different platforms, we need to support different versions of our own codes, which will increase the load on software and technical support. But for some key modules, sometimes this solution is often necessary. In order to ensure that these internal codes are not changed or replaced, developers often need to digitally sign these codes. Before using these proprietary codes, developers often need to authenticate these local codes so that these codes are not modified by hackers. If signature verification is passed, then developers can call the appropriate JNI Methods.

  1. Code obfuscation

Obfuscation of the code is to reorganize and process the class file, which makes the processed codes perform the same function (semantics) using the raw codes. But entangled codes are difficult to decompile, that is, decompiled codes are very difficult to understand, so decompiling employees is difficult to understand really semantics. Theoretically, if hackers have enough time, obfuscated codes can still be cracked. Even some people develop de-obfuscate. But from the real situation, since the diversified development of obfuscation, the maturity of obfuscation theory, confusing Java codes can very well prevent decompilation.

  1. Online encryption

APK Protect is an online site for encrypting APKs. It provides Java codes and C ++ code protection to achieve anti-debugging and decompilation effects. The process is simple and straightforward.

I suggest you use this last method so that it can save more time. I have tried. It is very easy to operate, and it does not take much time.

+1
source

Source: https://habr.com/ru/post/979832/

More articles:


All Articles