7

So I published my Android app, I ProGuarded it, applied LVL and even changed some of the LVL code, but of course I found it cracked somewhere using a tool called Lucky Patcher. I am not going to ask how I can protect against 1-click tools like that, as I guess there is no single answer (unless you have an idea and can point me toward it).

I need to ask you to help figure out how my code was cracked. I understand that this tool takes the APK file and removes licensing. Now given that, how can I take this APK file and reverse engineer it back to Java files to see how the tool cracked my code (so I can fix it)?

Please help me. Thanks.

Snake
  • Possible duplicate of [Is there a way to get the source code from an APK file?](https://stackoverflow.com/questions/3593420/is-there-a-way-to-get-the-source-code-from-an-apk-file) – Kamil Kiełczewski Jun 10 '17 at 14:33

5 Answers

1

Piracy is a big issue, and I don't think that any platform or OS can be fully protected from it.

However, Google already made some tutorials regarding protection against it, for example: http://www.google.com/events/io/2011/sessions/evading-pirates-and-stopping-vampires-using-license-verification-library-in-app-billing-and-app-engine.html

Also: http://android-developers.blogspot.co.il/2010/09/securing-android-lvl-applications.html

I think that you can also put some sophisticated obstacles in place using C instead of Java.

Also, as Google suggests, consider using a different approach: make the core features free, and make the rest purchasable via in-app billing. You can also add ads and a feature to remove them via in-app billing as well.

android developer
  • Thank you, I know, but as I said in my post I want to protect my program against 1-click tools. What I have implemented is from the post, and I wish there were examples to make it easier to understand – Snake Jun 05 '12 at 23:15
  • Well, you can try it out and do trial and error till you find a way that it won't succeed in cracking your app. However, it's just a matter of time till the app's devs will be able to find how to overcome it. – android developer Jun 05 '12 at 23:24
1

After Proguard, there's no way to decompile your code into humanly-readable Java.
While it makes the reverse engineering process more difficult, it's not impossible for a clever reverser to figure out the hidden algorithm.

As for tools:
Use android-apktool to decompile to smali and extract all the encoded XML resources.
Use dex2jar to translate Dalvik into a jar, and finally jd-gui to see the resulting reversed Java code.

eladr
1

There's a lot of info here on how to go from a DEX file back to Java source. Also, have you looked at this blog post which addresses many of the ways to protect your source?

Community
scorpiodawg
1

I was thinking about this and it seems like if you really wanted to secure your application from hackers there is really only 1 way to do it. You can implement all kinds of fancy methods of ensuring your application is licensed and paid for as described in the Google article, but all it takes is a good hacker to decompile your application and find where the code is and then comment it out or change a function to always return true.

Instead, implement some portion of your application that is required for use in JNI/NDK, and check for validation in that code. It doesn't have to be extremely complicated code, but you can't just put something like a function (e.g. checkValidity), as a user could easily comment out the Java call that calls into the NDK. Instead you should make some call to your NDK code to actually do something that is non-trivial for your application to run -- something the user can't just comment out or switch out with a defined function that does the same thing. From within the NDK code, do the verification of your application's integrity/licensing, and if it fails kill the application or whatever you need to do.

In order to bypass this the hacker would need to re-implement the NDK code or reverse engineer it, which should be much more complicated and not worthwhile.

This obviously isn't a simple solution and still won't guarantee your application never gets hacked, but it should be much harder to break than the other methods.

Matt Wolfe
  • Awesome. Thank you for the answer. I really enjoyed reading it and I think it is a great way. Usually the 1-click programs change the standard LVL library that comes from Google, so I guess I need to change that to include JNI/NDK. Do you have an example/link to a tutorial on how to implement JNI/NDK in Android? Thank you – Snake Jun 06 '12 at 23:45
  • Getting the 1-click programs to fail at removing LVL probably isn't too hard if you follow those guidelines. What would be hard, though, is preventing a good hacker who understands code well from being able to remove the license verification code by hand with several hours of fidgeting. You could always try and see if you can reverse your own code with them before you release to the market. – Matt Wolfe Jun 07 '12 at 06:07
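
Added example (not part of the original answer or its comments): a C sketch of the idea in Matt Wolfe's answer, where the native code does work the app needs and the integrity check is folded into that work instead of being a separate boolean. The names `pack_table` and `load_table`, the shortened digest and the table contents are constructed for illustration; how the `.so` obtains the installed APK's signer digest and the JNI wrapper around `load_table` are assumptions left out so the block compiles without the NDK.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DIGEST_LEN 8   /* constructed, shortened stand-in for a cert hash */
#define TABLE_LEN  12  /* data the Java side cannot run without */

typedef struct { uint8_t data[TABLE_LEN]; uint32_t check; } packed_table;

/* Constructed sample values, not taken from any real app. */
const uint8_t RELEASE_DIGEST[DIGEST_LEN] = {0x3a,0x91,0xc4,0x07,0x5e,0xb2,0x68,0xdd};
const uint8_t SAMPLE_TABLE[TABLE_LEN] = {3,1,4,1,5,9,2,6,5,3,5,8};

/* FNV-1a, used both to derive the key and to checksum the table. */
static uint32_t fnv1a(const uint8_t *p, size_t len) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Symmetric XOR mask keyed by the digest. A mask, not cryptography. */
static void xor_mask(uint8_t *buf, size_t len, uint32_t key) {
    for (size_t i = 0; i < len; i++)
        buf[i] ^= (uint8_t)(key >> (8 * (i & 3))) ^ (uint8_t)(i * 0x9d);
}

/* Build-time step (developer machine): mask the table with a key derived
 * from the release signing certificate digest. */
void pack_table(const uint8_t *plain, const uint8_t *release_digest,
                packed_table *out) {
    memcpy(out->data, plain, TABLE_LEN);
    out->check = fnv1a(plain, TABLE_LEN);
    xor_mask(out->data, TABLE_LEN, fnv1a(release_digest, DIGEST_LEN));
}

/* Run-time step inside the .so: unmask with the digest the native code
 * observed for the installed APK. There is no "return true" to patch:
 * a re-signed APK yields a different key and a garbage table. The return
 * value (0 ok, -1 mismatch) only lets the caller fail cleanly. */
int load_table(const packed_table *in, const uint8_t *observed_digest,
               uint8_t *out) {
    memcpy(out, in->data, TABLE_LEN);
    xor_mask(out, TABLE_LEN, fnv1a(observed_digest, DIGEST_LEN));
    return fnv1a(out, TABLE_LEN) == in->check ? 0 : -1;
}
```

Patching the return value of `load_table` does not recover the table, so removing the check means reconstructing the data or the key, which is the extra cost the answer is aiming for.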
0

I personally think that obfuscation {Proguard, Dexguard} and native {.so} are a pretty effective way to go if used properly.

It definitely deters less experienced 'players' and definitely complicates the life of even experienced 'players'.

Don't simply copy/paste the Google Android example code...

Nik theGeeK