37

I'm currently dealing with a particular issue with my paid application. Internally it contains a licensing check. The app is patched by hackers by modifying the app apk/jar. They are adding a new class which helps bypass the licensing check.

My goal is to somehow check for this particular patch. If I find it I know my app has been compromised.

Any tips on how to know that something has been modified on the package? Doing a hash over the app is not really an option in my case.

I thought maybe checking if this class exists would help, but what if they change the name of the class? Then, another idea is somehow check for unexpected includes added to the class.

Any of these possible? Any suggestions would help :)

StackExchange What The Heck
  • 2,656
  • 7
  • 39
  • 51
Jona
  • 13,325
  • 15
  • 86
  • 129

4 Answers4

70

Not sure about android but in standard JDK you would do something like this:

try {
 Class.forName( "your.fqdn.class.name" );
} catch( ClassNotFoundException e ) {
 //my class isn't there!
}
Liv
  • 6,006
  • 1
  • 22
  • 29
  • The problem with this call is that it specifies the package name. The package name is random... But the file name is not... – Jona Apr 26 '11 at 17:46
  • so you want to look for a class that is in the same package as the class you check it from? is this the question? – Liv Apr 26 '11 at 17:53
  • I need to find a class which can be located randomly anywhere in my app. The class is placed randomly by the "hack patch" – Jona Apr 26 '11 at 17:57
  • 1
    Well I already knew about this call and was using it... In reality there wasn't a correct answer at this post but since I ended up using this particular check and you where the first to post I'll assign you the correct answer. – Jona May 02 '11 at 20:33
  • 1
    This could throw a NoClassDefFoundError which shall not be caught because it is an error. – Titus T Feb 12 '18 at 14:53
20

Here is what I used in Android - standard Java:

public boolean isClass(String className) {
    try  {
        Class.forName(className);
        return true;
    }  catch (ClassNotFoundException e) {
        return false;
    }
}

Implementation example:

if (isClass("android.app.ActionBar")) {
    Toast.makeText(getApplicationContext(), "YES", Toast.LENGTH_SHORT).show();
}
Jared Burrows
  • 54,294
  • 25
  • 151
  • 185
6

You can use 

public static Class<?> forName (String className)

and check the ClassNotFoundException

http://developer.android.com/reference/java/lang/Class.html#forName%28java.lang.String%29

Aleadam
  • 40,203
  • 9
  • 86
  • 108
  • Same issue with @Liv post... This doesn't work since I would have to specify the exact path in the package the class is found. In my case the class could be somewhere randomly stored in my apps package. – Jona Apr 26 '11 at 17:48
  • with the risk of being a b**ch -- is this different to what I suggested? – Liv Apr 26 '11 at 17:51
  • @Liv have you seen the time difference between the two answers? No, it's not very different. What's the point? – Aleadam Apr 26 '11 at 18:37
  • @Moto please update your question explaining how that hack works so we have a better idea. As of now I don't really understand what do you need. – Aleadam Apr 27 '11 at 00:32
1

How does it get loaded if it's a random class in a random package?

That being said, see http://download.oracle.com/javase/6/docs/api/java/lang/System.html#getProperties%28%29 and java.class.path. For normal java apps, you have to walk the classpath and then search the entries (for jars) or directories (for .class files). But in a container-class-loader environment, this will fail to work (and I'm not sure how that applies to an android environment).

Paul Webster
  • 10,614
  • 1
  • 25
  • 32
  • Thanks for the response... Well it gets loaded after official release of the application. This particular file bypasses the licensing checks... Than it's distributed freely. – Jona Apr 26 '11 at 20:12
  • 1
    Sorry, I'm asking what in your official app loads the class if you don't know beforehand what package it is in. Classes are loaded in response to being referenced from other classes, or loaded via SPI or some other mechanism. Just having a class in a jar wouldn't be enough by itself to load it. – Paul Webster Apr 26 '11 at 20:16
  • That's an interesting point. Well I'm assuming this patch class is attached to my licensing checking. Not sure exactly where but I know it should be loaded once I run my licensing check. – Jona Apr 27 '11 at 15:45
  • Yep... Decompiled my hacked app and all over I see the include to this particular patch file.... – Jona Apr 27 '11 at 16:15