Can Someone Steal Your Android Application Code?
Want to know how someone can steal your Android application code? This guide by Vizteck will help you through it all.
On-Demand App
June 2, 2016
Mah Noor
Do you know that anyone can steal the code of your Android app in under 2 minutes using tools that are freely available on the internet? So what can you do about it, and how can you protect your code? Let’s talk about how you can protect your app from these “App Pirates” or App Piracy.
Making your code difficult to reverse engineer is complex and tricky. However, some simple steps go a long way. In this article, I will review some of the tools that will help you secure your code.
Pirates simply get the APK, decompile it, steal your code or functionality, and upload your app code as is, or change a few things and upload it again from their own account.
An Android Application Package (APK) file can easily be reverse-engineered using the following steps:
- Change the extension of the APK file from .apk to .zip
- Now use Dex2Jar (a lightweight API) to convert the DEX file to a JAR file
- Now by extracting this .zip file, you will get all the resource files, the Android manifest file, and the classes.dex file (a .dex file is in the Dalvik Executable format).
- Download the dex2jar tool from dex2jar.
- Open the CMD window and execute the following commands to get the .jar file from the .apk file.
- Now use JD-GUI to get the Java source code of the “.class” files from the JAR file, followed by step 1.
Like I said earlier, you can’t make your code 100% secure. Whatever you do to your code, a potential hacker can still change it. You basically can’t protect your application from being modified. Moreover, any protection you put in there can be disabled or removed.
So, how can you at least make it difficult for a hacker to reverse engineer it? Let’s review some practices and techniques to make your app secure from pirates.
Google provides a library named the License Verification Library (LVL) that you build into your code and use. You can make your app more secure by adding the licensing permission and then implementing the policy in your app.
You can add a custom policy or the strict policy in your code. It provides you with a layer of protection against piracy attacks.
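A minimal license check with LVL, as an added example that is not code from the original article. It assumes the LVL sources are bundled under `com.google.android.vending.licensing` and that the manifest declares the `com.android.vending.CHECK_LICENSE` permission; the class name, key placeholder and salt are hypothetical.

```java
import android.app.Activity;
import android.os.Bundle;
import android.provider.Settings;
import com.google.android.vending.licensing.AESObfuscator;
import com.google.android.vending.licensing.LicenseChecker;
import com.google.android.vending.licensing.LicenseCheckerCallback;
import com.google.android.vending.licensing.Policy;
import com.google.android.vending.licensing.ServerManagedPolicy;

public class LicensedActivity extends Activity {
    // Placeholder: the Base64 licensing public key issued for your app.
    private static final String BASE64_PUBLIC_KEY = "REPLACE_WITH_YOUR_LICENSING_KEY";
    // Constructed sample salt; generate your own 20 random bytes per app.
    private static final byte[] SALT = {
        -46, 65, 30, -128, -103, -57, 74, -64, 51, 88,
        -95, -45, 77, -117, -36, -113, -11, 32, -64, 89 };
    private LicenseChecker checker;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        String deviceId = Settings.Secure.getString(
                getContentResolver(), Settings.Secure.ANDROID_ID);
        // ServerManagedPolicy caches an obfuscated response for offline use.
        // Use `new StrictPolicy()` instead to require a fresh server answer each time.
        Policy policy = new ServerManagedPolicy(
                this, new AESObfuscator(SALT, getPackageName(), deviceId));
        checker = new LicenseChecker(this, policy, BASE64_PUBLIC_KEY);
        checker.checkAccess(new LicenseCheckerCallback() {
            @Override public void allow(int reason) { /* licensed: continue */ }
            @Override public void dontAllow(int reason) {
                // Policy.RETRY means the server was unreachable, not "unlicensed".
                if (reason != Policy.RETRY) failClosed();
            }
            @Override public void applicationError(int errorCode) { failClosed(); }
        });
    }

    private void failClosed() { // LVL callbacks arrive off the UI thread
        runOnUiThread(new Runnable() {
            @Override public void run() { finish(); }
        });
    }

    @Override
    protected void onDestroy() {
        super.onDestroy();
        checker.onDestroy(); // releases the binding to the licensing service
    }
}
```

The strict policy never caches a result, so it is harder to tamper with but blocks licensed users who are offline.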
This technique is used to hide your algorithm from being modified or reused: you keep your expensive functions and algorithms on a secure server and expose them through web services, which the client then calls.
Despite its advantages, this technique is not recommended because you cannot use it for standalone applications or for apps that are expected to work without the web.
Some developers encrypt their Java classes using cryptography. Custom ClassLoader classes first find such encrypted classes and then, after decrypting them, load them into the JVM.
Using this technique does not truly make your app secure because your custom loader classes are not encrypted. So, the hacker may target them, grab your code, and decrypt all the other files.
There is another way of securing your code: writing the entire application or its key modules in a native language using JNI technology and the NDK tool. Native code is difficult to decompile. Moreover, to make sure that such native code is not modified, developers often digitally sign it.
Before using this native code, developers often need to authenticate it to ensure that it has not been changed by hackers. If the signature check passes, developers can call the relevant JNI methods.
To take advantage of this technique, you have to trade the cross-platform nature of your Java code for security.
I find code obfuscation the most efficient and productive approach to securing an Android APK. It renames your variables to make your code confusing and difficult to decompile.
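One way to authenticate a native library before calling into it, as an added example that is not from the original article. It uses a pinned SHA-256 digest in place of a full signature, and assumes the library is extracted to `nativeLibraryDir`; `libsecure.so`, `NativeLoader` and the digest placeholder are hypothetical.

```java
import android.content.Context;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public final class NativeLoader {
    // Placeholder: hex SHA-256 of the .so from your release build (one per ABI).
    private static final String EXPECTED_SHA256 = "REPLACE_WITH_BUILD_TIME_DIGEST";
    private static final String LIB_FILE = "libsecure.so"; // hypothetical name

    private NativeLoader() {}

    /** Loads the library only if its digest matches the pinned value. */
    public static void loadVerified(Context ctx)
            throws IOException, NoSuchAlgorithmException {
        File lib = new File(ctx.getApplicationInfo().nativeLibraryDir, LIB_FILE);
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        try (InputStream in = new FileInputStream(lib)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                md.update(buf, 0, n);
            }
        }
        // MessageDigest.isEqual compares in constant time.
        if (!MessageDigest.isEqual(md.digest(), hexToBytes(EXPECTED_SHA256))) {
            throw new SecurityException("native library digest mismatch");
        }
        System.load(lib.getAbsolutePath()); // JNI methods are callable after this
    }

    private static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

The check itself lives in decompilable Java, so it raises the cost of tampering rather than preventing it.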
Following are some popular code obfuscation tools:
ProGuard is a tool that comes with the Android SDK. It obfuscates the names of variables and classes so that the code is less readable after being cracked. It also shrinks and optimizes code. ProGuard configuration can be changed in the proguard-android.txt file, where the default configuration is already defined.
You can configure your build.gradle file for the ProGuard implementation. It can be at the module level or the project level.
buildTypes {
    debug {
        // Shrinking and obfuscation are switched off for debug builds
        minifyEnabled false
        proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.txt'
    }
}
The configuration shown is for the debug level. You can write your own build flavors, as shown below, inside the build types:
Myproductionbuild {
    // ProGuard shrinking and obfuscation are switched on for this build
    minifyEnabled true
    proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.txt'
}
DexProtector is an effective tool to obfuscate Android code. It uses strong cryptographic algorithms to encrypt Dalvik bytecode. Moreover, it injects security checks into the Android APK. In case of tampering, it stops the functionality of that particular Android application.
Let me conclude the whole scenario in a few words: using the tools suggested above, you can make it difficult for an entry-level hacker to pirate your app. Vizteck Solutions has been providing software solutions to businesses and startups for the last 14 years.
We have a dedicated Mobile Application Development team, and we do our best to follow best practices to make our Android applications secure.