
Recently I have been working on an Android app that communicates with an API server. To prevent access to the server from outside, and only allow access from the app, I hard-coded access keys inside the APK. For experimental purposes I reverse engineered my app, and I could see everything as clearly as everyone sees a white-blue sky on a beautiful morning. I decided to add some encryption to the keys and hard-code them in deeper places like gradle.properties, the res directory, etc. After decompiling again I found everything just as clearly. I then moved on to the NDK, but by following some steps from the internet I successfully reversed the C++ file as well and got the content I had placed there for testing.

There are many posts regarding this topic:

How to avoid reverse engineering of an APK file?

Protect Android App from reverse engineering

and so on...

And the summary of all of them is that we cannot secure sensitive data completely.

After all this research, can anyone tell me how WhatsApp, Viber, banking and other popular apps secure their server access and keys? It is not legal to reverse engineer one of them, but maybe somebody can help me understand what kind of techniques these popular apps use to secure the sensitive data in the APK.

  • I don't know exactly, but maybe they are using the `NDK` the same as you did, but with some extra encryption. [Dexguard](https://www.guardsquare.com/en/products/dexguard) is also worth considering to make the reverse process difficult. – Stack Overflow Dec 30 '19 at 00:07
  • `100%` security is not to publish the app. – Stack Overflow Dec 30 '19 at 00:13
  • @ZKR Devs - This is the right solution, but it's not a solution. – Stack Overflow Dec 30 '19 at 00:15
  • What's wrong with only handing over (time-limited) transaction keys to authorized users? In addition you'll have to do server-side detection, like when a userid is using more than one IP address at a time and such. (There are posts on these subjects.) Otherwise, always assume the client software can be compromised. – Morrison Chang Dec 30 '19 at 00:17
  • @Morrison Chang - The app is for the public, and giving keys to the public is like telling them "this is the key to the door, no need to reverse engineer"; result: compromised. – Stack Overflow Dec 30 '19 at 00:20
  • If you really need security like a bank app (or a high-value game) you'll have to do what everyone else does: client instructions hit your servers before "approval" to the real servers that are internal to your cloud servers (bank transactions, game actions, etc.), and the "real keys" are never exposed to the public. If your API is public, well, you've done what crackers would have done. – Morrison Chang Dec 30 '19 at 00:22
  • By client you mean the `app`? Right? – Stack Overflow Dec 30 '19 at 00:28
  • Correct. The client app can always be compromised and client instructions to the server may be falsified. Security is about layers: how much does it cost if it gets hacked, and how much does it cost you in development/support time to put in the hack/bot detection at each layer (mobile client / public-facing server / fraud or game/service state detection) to mitigate each attack vector. – Morrison Chang Dec 30 '19 at 00:32
  • @Morrison Chang - Your words are somewhat considerable to make me move further. Thanks!!! – Stack Overflow Dec 30 '19 at 00:34
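As an added example that is not part of the question or the comments, here is the server-side pattern Morrison Chang sketches: the server mints short-lived signed tokens for already-authenticated users (so no long-lived key has to live in the APK), and it flags a userid that shows up from more than one IP within a short window. The secret, user names, addresses and log entries are all constructed for illustration.

```python
import base64
import hashlib
import hmac
from collections import defaultdict
from typing import Optional

# Constructed demo secret; it lives only on the server, never inside the APK.
SERVER_SECRET = b"constructed-demo-secret"

def issue_token(user_id: str, now: int, ttl_s: int = 300) -> str:
    """Mint a short-lived, HMAC-signed token for an already-authenticated user.
    The app only ever holds this token, not the signing secret."""
    payload = f"{user_id}:{now + ttl_s}"
    mac = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(f"{payload}:{mac}".encode()).decode()

def verify_token(token: str, now: int) -> Optional[str]:
    """Return the user_id if the token is intact and unexpired, else None."""
    try:
        user_id, expiry, mac = base64.urlsafe_b64decode(token).decode().rsplit(":", 2)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(SERVER_SECRET, f"{user_id}:{expiry}".encode(), hashlib.sha256).hexdigest()
    # Constant-time compare first, so a forged expiry is never even parsed.
    if not hmac.compare_digest(mac, expected) or now > int(expiry):
        return None
    return user_id

def flag_multi_ip_users(events, window_s: int = 60) -> set:
    """Flag user_ids whose requests arrive from more than one IP within window_s.
    events: iterable of (timestamp, user_id, ip), as an API server would log them."""
    recent = defaultdict(list)  # user_id -> [(ts, ip), ...] still inside the window
    flagged = set()
    for ts, user_id, ip in sorted(events):
        recent[user_id] = [(t, i) for t, i in recent[user_id] if ts - t <= window_s]
        recent[user_id].append((ts, ip))
        if len({i for _, i in recent[user_id]}) > 1:
            flagged.add(user_id)
    return flagged

# Constructed sample of API access log entries: (timestamp, user_id, client_ip).
SAMPLE_EVENTS = [
    (1000, "alice", "203.0.113.10"),
    (1010, "bob", "198.51.100.7"),
    (1020, "alice", "203.0.113.10"),
    (1025, "bob", "192.0.2.44"),       # bob: second IP within 15 s -> suspicious
    (1200, "carol", "203.0.113.99"),
    (1400, "carol", "198.51.100.3"),   # carol: new IP, but 200 s later -> outside window
]
```

A real deployment would bind the token to a device registration and rotate the secret; the point here is only that the credential the app holds is short-lived and worthless without the server's cooperation.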

0 Answers