-4

I came across this question on Stack Overflow: How to avoid reverse engineering of an APK file?

But if what they say there is true, and you can't completely protect the code, I am still left with a question:

What do you do when you have an algorithm you want to keep secret? I really find it hard to believe big apps such as Facebook, Gmail, etc. only obfuscate their code. Don't they somehow connect the Android Java code to a remote server where it runs all the background stuff?

For example: can you make a button in Android connect to a remote server which will run some PHP scripts on the server, and then return data to the app, just as you would do in web development? Or is there another way?

(*Currently trying to learn Android development, so maybe the answer is in later videos I am watching, but I am really curious now)

2 Answers

2

You don't. If you wanted to, you could reverse engineer Google, Facebook, or any other app (although for Google especially a lot of the interesting algorithms are on the server side, not the client).

This is no different from any other application ever written. I've disassembled DOS programs and figured out how they worked to interact with hardware they controlled. If the code exists on the client, it can be reverse engineered. If a processor needs to be able to run it, then a human can read it.

Your best bet is just not to worry about it. Your code isn't that special, or that different from every other app out there that it needs to be protected. What's valuable about it is the time spent writing it, promoting it, building a business around it. The code itself is dead simple in 99.999% of cases. If you truly have something unique you can consider a patent, but the value of the code is in the time taken to get it right, not in its secrecy.

Gabe Sechan
  • That's what I was talking about: server side as you mentioned, hidden from a client. So how do you go about doing this? I know that for web development, you simply write PHP scripts for example, hidden from the user. But there it's much easier as it's all in front of your eyes, and can be mixed in the same files (PHP and HTML), and easily viewed using localhost via the web browser for easy testing. But what is the equivalent on Android? Where can I put hidden server-side scripts such as PHP in web development? Any tutorials? Explanation links? I just couldn't find any. –  Jun 04 '17 at 18:22
  • It's called a web service. You make a request for a URL, passing it data. It responds with the results. Usually it uses XML or JSON, but it doesn't have to. Note that this won't work if you need very fast response times or offline functionality – Gabe Sechan Jun 04 '17 at 18:25
  • So I can write the "brain" of the app using PHP scripts and save it to a web server, and in my Android app get the data from the web server using a web service in JSON form, so that there is no code in the Android app that I don't want to leak? –  Jun 06 '17 at 18:17
0

Put your top sekrit algorithm on a server, somewhere, and invoke it over the network. ProGuard will not prevent reverse engineering. Investigate REST.

G. Blake Meike
  • That's what I wanted to know, how is it done in Android? I come with web development knowledge, where it's easy to simply use PHP. What would you do in Android? –  Jun 04 '17 at 18:41
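
The web-service split that both answers describe, as an added example that is not part of the original thread: the algorithm lives only in the server process, the client sends inputs as JSON and gets a result back, and the server validates every request because the client is untrusted. Python stands in here for both the server-side script (PHP in the question) and the app's HTTP client; `secret_score`, the `/score` path and the JSON field names are hypothetical.

```python
import json, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

def secret_score(values):
    # Hypothetical stand-in for the proprietary algorithm; never shipped to clients.
    return sum(v * w for v, w in zip(values, (3, 5, 7)))

def handle(body):
    """Server side: validate untrusted input, then run the algorithm."""
    try:
        values = json.loads(body)["values"]
        if (not isinstance(values, list) or len(values) != 3 or
                not all(type(v) is int and 0 <= v <= 1000 for v in values)):
            raise ValueError
    except (ValueError, KeyError, TypeError):
        return 400, {"error": "bad request"}  # generic error, no internals leaked
    return 200, {"score": secret_score(values)}

class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        n = self.headers.get("Content-Length", "")
        body = self.rfile.read(int(n)) if n.isdecimal() and int(n) <= 4096 else b""
        status, reply = handle(body)
        data = json.dumps(reply).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

def call_service(url, payload):
    """Client side (the app's role): send inputs, read back the JSON result."""
    req = urllib.request.Request(url, json.dumps(payload).encode(),
                                 {"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)

def demo():
    with HTTPServer(("127.0.0.1", 0), Handler) as server:  # port 0: any free port
        threading.Thread(target=server.serve_forever, daemon=True).start()
        url = f"http://127.0.0.1:{server.server_port}/score"
        try:
            return (call_service(url, {"values": [1, 2, 3]}),    # constructed input
                    call_service(url, {"values": "1;2;3"}))      # malformed input
        finally:
            server.shutdown()
```

A real deployment would serve this over HTTPS and authenticate callers, since anyone who inspects the app can find the endpoint and call it directly.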