Android code obfuscation and secure android application from piracy

Question

Presently i am a newbie in android development .. I need to develop a secured android application so that i can save it from getteg pirated.

For security of application i have used RMS in J2ME.In J2ME i use to do following steps :

1. generate a serial number(some random number)
2. save that number in rms,on next launch of application display the same serial number on screen and ask user to input valid activation code then if user enters correct activation code then application activates and flag is set to true and i save this flag value in other rms
3. if flag value is true then home screen is displayed to user on launching app again else activation page is displayed.

I want to implement this concept in android ..Please guide me how to do it.Or tell me if any body knows some better way for doing this in android.

Secondly I want to obfuscate the apk file before releasing the application..after goggling for 2 days i found that it can be done using proguard.But i am not getting how to obfuscate the code.Please guide and help me for sorting both issues.

Thanks

Answer 1

There isn't really a way to protect any sort of client-side code, whether it is an Android *.apk, a Java *.jar file, or a bit of JavaScript code that runs in your user's browser. The best way to protect yourself from piracy is to make the application dependent on some server-side computation that you provide.

Since you are using RMS, it sounds like you already require a server-side computation. Rather than bothering users to enter an activation code, why don't you associate this activation code with the user's email address when they purchase the application, and then why don't you use OAuth with their Google Account to verify that the user has an email address that is known to have purchased the application?

Answer 2

• About RMS

Michael Aaron Safyan said everything, nothing to add.

• About ProGuard

ProGuard is now integrated to the Android framework, and requires basically no work to be set up. You just have to enable it as explained in this article and if needed to customize its configuration. "If needed", as the default configuration is suitable for most of the projects. You just have to be careful with the use if the reflexion as most of the packages, classes and methods are going to be renamed by the obfuscation process.

Answer 3

The parallel to RMS in Android is SharedPreferences. However, the sharedPreferences xml file is not as protected as the RMS files in J2ME (at least in some devices). Anyone with a rooted device can read and write this file easily...

Therefore, I suggest you read about Android's Application Licensing. It's far from perfect, but it's a built in feature you can integrate easily. http://developer.android.com/guide/publishing/licensing.html

EDIT: Obfuscation: To obfuscate your project all you have to do is add proguard.config=proguard.cfg to your default.properties file.

The obfuscation will occur according to the configuration stated in the defult proguard.cfg file. Note that your code will only be obfuscated when you build the final APK (Android Tools -> Export ...) and I recommend testing the final APK after obfuscation, especially when 3rd party libs are part of the build process