Is it really impossible to protect Android apps from reverse engineering?

by

The first stop for me would be to optimise and obfuscate the code with ProGuard which is known to work with byte code targeted at Android’s Dalvik VM (via Dex). It’s a really great tool and can increase the difficulty of ‘reversing’ your code while shrinking your code’s footprint (in some cases dramatically: a recent applet of mine went from about 600 KB down to about 50 KB).

Like others are saying, you will never get 100% security of your algorithm’s details while its implementation is being distributed to clients. For that, you’d need to keep the code on your servers alone. Attempts to near 100% percent security for client code effectively amount to DRM and can make your client code fragile in the face of network outages and just generally frustrate (legitimate) users.

The Android developers blog has some useful articles on the matter of ‘tamper resistant’ Android apps (and they recommend the use of ProGuard as part of the overall approach).

With regards to ‘creative’ approaches: some developers employ debugger detection techniques to prevent run-time analysis and combine this with encryption of portions of binary code (to deter static analysis), but to be honest, a determined enough attacker can circumvent these, while it can cause legitimate user frustration as illustrated by the Windows KB article Games: Error Message: A Debugger Has Been Detected: Unload the Debugger and Try Again. My girlfriend’s ‘Learn to drive’ DVD software will not run under VirtualBox for this reason, but she blames Linux of course!

OpenRCE and Wikipedia’s article on obfuscated code may be good starting points if you want to look into this further. But be warned, you may lose more through over zealous use of these techniques frustrating your users than you would through loss of trade secrets by reverse engineering. Like Anton S says, maybe the most ‘creative’ approach lies with tweaking the business model rather than the technology.

The latest Android SDK update on 6th Dec 2010 (coinciding with Android 2.3 Gingerbread release):

Integrated ProGuard support: ProGuard is now packaged with the SDK Tools. Developers can now obfuscate their code as an integrated part of a release build.

More Related Contents:

  1. decompiling DEX into Java sourcecode
  2. How can I protect MySQL username and password from decompiling?
  3. Decompile an APK, modify it and then recompile it
  4. How to decompile DEX into Java source code?
  5. How to check two array list are same content in same position
  6. How to resolve “FATAL EXCEPTION: main” in E/AndroidRuntime?
  7. RecyclerView onClick
  8. Base 64 encode and decode example code
  9. How to create interface between Fragment and adapter?
  10. Android Eclipse – Could not find *.apk
  11. What is callback in Android? [duplicate]
  12. Why I cant use the populateViewHolder override method?
  13. How can I avoid garbage collection delays in Java games? (Best Practices) [closed]
  14. Android Unable to instantiate activity: Didn’t find class on path
  15. How to get elements of fragments created by ViewPager in MainActivity?
  16. Android long-touch event
  17. Multiple commands through JSch shell
  18. TimerTask vs Thread.sleep vs Handler postDelayed – most accurate to call function every N milliseconds?
  19. How to use TabLayout with ViewPager2 in Android
  20. Android calculate days between two dates
  21. Eclipse: JVM terminated. Exit code=2
  22. How to wait for all tasks in an ThreadPoolExecutor to finish without shutting down the Executor?
  23. android MapView in Fragment
  24. REQUEST DENIED with Google Places API KEY for Server Web used in an Android application
  25. How to draw a filled triangle in android canvas?
  26. Android get date before 7 days (one week)
  27. How do I draw an arrowhead (in Android)?
  28. Select multiple images from Photo Gallery on Android using Intents
  29. How to set unit for Paint.setTextSize()
  30. How to get line count of textview before rendering?

Leave a Comment