How to secure my app against piracy

by

I released a free anti-malware app for Android, and making sure nobody hacked it was essential to its success. The biggest threats agains an app on the Android Market include leaked source code, copied/distributed paid apps, and re-keying. I explain each below and way to solve them.

Firstly, this paper describes how to reverse-engineer an Android application by unpacking the compiled code and viewing the source code. You will not be able to block this from happening to your app. Period. Someone with a will can always view your sourcecode if they get a copy of your apk (easily available on a rooted phone). The good news is that you can obfuscate the important pieces of your code making it harder to reverse engineer. Proguard is a tool provided by Android that lets you obfuscate (make harder to read) your code during packaging. In order to prevent your important code from being read, however, you will need to move all vulnerable methods or variables to a file that is not an Activity, Service, or BroadcastReceiver. For full facts, read the documentation.

To protect agains illegally copy and distribution of your application, Google Play provides some licensing options. Unfortunately, LVL is also not entirely secure. A detailed HOW-TO for how to crack it (pre-Google Play) is available here.

Lastly, the paper linked above, as well as numerous scholarly articles and online blogs describe how, once the source code (or even obfuscated source code) is leaked, once can merely add some of their own, malicious code, resign the app, and publish it on the Android Market. The good news here is that, unless your android license key password is easily guessable, or if you give it out to someone else, the attacker will not be able to publish an application with the same license key. This not only protects you from blame, but it will also make it so that malicious application cannot access data available through your original application (such as SharedPreferences).

All in all, the best way to really secure your application from piracy is to correctly configure and use Proguard, Google Play Licensure, and to sign you final apk with a very secure license key.

More Related Contents:

  1. How to avoid reverse engineering of an APK file
  2. How do I prevent Android taking a screenshot when my app goes to the background?
  3. How to prevent Screen Capture in Android
  4. How to encrypt and decrypt file in Android?
  5. How permission can be checked at runtime without throwing SecurityException?
  6. Android SharedPreference security
  7. Restrict API requests to only my own mobile app
  8. How to securely store credentials (password) in Android application?
  9. android: Determine security type of wifi networks in range (without connecting to them)
  10. How to securely store access token and secret in Android?
  11. How to Secure Android Shared Preferences?
  12. Best way to secure Android app sensitive Data?
  13. How to keep the OAuth consumer secret safe, and how to react when it’s compromised?
  14. How to enable AutoStart option for my App in Xiaomi phone Security App programmatically in android
  15. How to prevent NFC tag cloning?
  16. Google Play security alert for insecure TrustManager
  17. How to use an API from my mobile app without someone stealing the token
  18. How to manage installation from Unknown Sources in Android Oreo?
  19. Android SQLite data display to ListView
  20. Set style for TextView programmatically
  21. How to get Resource Name from Resource id
  22. Unresolved reference – activity does not recognize synthetic imports in android studio v4
  23. Disable / Check for Mock Location (prevent gps spoofing)
  24. Does Android support JDK 6 or 7 [duplicate]
  25. How to show Snackbar at top of the screen
  26. android: using ActivityGroup to embed activities
  27. Unable to load class AndroidComponentsExtension after upgrading the Android Gradle Plugin 7.1
  28. Is there a way to show a preview of a RecyclerView’s contents in the Android Studio editor?
  29. VideoView onResume loses buffered portion of the video
  30. How to correctly set MediaPlayer audio stream type

Leave a Comment