
I am working on an Android app for a client. The app is practically finished, and next week I'll have a meeting with the client to present it. He'll test everything, and upon approving it he will make the payment and I'll give him the source code and publish it on Google Play.

Today he called me asking for the APK so that he can start testing it. I am worried that if we don't close the deal (for one reason or another) he might get someone to reverse engineer the APK and get my source code/app anyway, even if obfuscated with ProGuard (I never tried, but according to this SO thread it's not that difficult to reverse engineer an APK).

My question: Am I being paranoid here and should just send the client the APK (because perhaps the ProGuard obfuscation is enough to make the source code useless), or are my worries reasonable and I should stick to getting paid before delivering anything?

Daniel Scocco

5 Answers


Have you ever reverse engineered an .apk? Probably you did, but were you able to recreate the whole app? Probably not. Following your logic, it would mean that I could "easily" reverse engineer any popular app and use it for myself. It's true that you can look through most code if it's not obfuscated, but the technique isn't perfect. Sometimes it still fails to convert Smali into real Java code. It gets harder the more complex your app is. To answer your question: no, don't be worried, but you should still (always) use ProGuard.

stealthyninja
Ahmad

Good answer. I'm working a lot with a customer that always pays me less than what I ask for.

If you are asking that, it means that you don't have confidence in the customer, so my advice is to test the app with him first, next week. Tell him that you found a little bug and you can't give him the APK these days.

But I'm in Italy; customers pay with difficulty. I don't know where you are. :)

Jayyrus

In fact, it's possible to reverse engineer code from an APK, but if you obfuscate it with ProGuard it will be mostly impossible to reverse engineer your code.

endryha

I've done this before and concluded obfuscation and 'time bombing' (after a given evaluation period, disable the app) was sufficient. I would (a) sign the app with your MD5 fingerprint, not the debug signer, and (b) ensure you have an EULA in your app worth its salt. If it comes to it, then you can always point at this saying you agreed to x, y & z on installation, one of those points definitely being reverse-engineering. Google helpfully provides some advice on forming your EULA in the portion of the dev guide pertaining to "preparing for release"... writing this on my phone right now so won't link.

Have a Google. I took a lot of my EULA from template versions for our industry.

BrantApps

It's generally much cheaper and quicker to recreate the software from scratch than to reverse-engineer one, unless you use some kind of very expensive/patented algorithms that might be worth the trouble.

For a general-purpose UI application (~99% of apps), reverse engineering is just not worth the trouble.

lenik