security – Prevent decompiling android apk-ThrowExceptions

Exception or error:

I'm creating an app for Android and iOS, and I already know that it's theoretically possible to decompile an Android app. The app contains sensitive information that I don't want users to have access to, as the app interfaces with a web server. If a user gained access to some information available in the source code, they could potentially spam my web server with requests.

Is there any way to authenticate a connection between the app and the server, assuming that the source code is accessible, or is there any way to obfuscate my code to prevent a malicious user from spamming my web server?

Thanks

How to solve:

[UPDATE]


When you build your application using Android Gradle plugin version > 3.4.0, the plugin chooses R8 to optimize and obfuscate the code. The rules can now be configured in proguard-rules.pro or proguard-app.conf files. The rules to indicate what to exclude from the obfuscation are similar to the ones in the proguard.cfg used earlier.

You can import your ProGuard files in your build.gradle like:

buildTypes {
    ...
    release {
        // R8 only runs on a build type that has minification switched on
        minifyEnabled true
        proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'),
                      'proguard-rules.pro'
    }
}

R8 picks up all the existing ProGuard rules files as long as they're included in the build.gradle. You can also configure what pieces to obfuscate for the different product flavors that you may have.


[OLD BUT RELEVANT INFO]

ProGuard is a tool that will help you obfuscate your code. It comes as part of your Android tools and you just need to activate it. This link and this will help further.

ProGuard's default configuration (in proguard.cfg) will be enough to sufficiently obfuscate your code. However, you might want to tweak your ProGuard configuration when you have methods/classes that are being dynamically accessed.

  1. For instance, accessing classes/methods via reflection requires that code to be left intact. You might sometimes experience a ClassNotFoundException if ProGuard obfuscates it.

  2. If you have classes that are being accessed in the AndroidManifest / layout files, you should prevent ProGuard from obfuscating them.

This can be done by adding

-keep public class <MyPackage.MyClass>

to your proguard.cfg.


While ProGuard makes static analysis harder, DexGuard protects from both static and dynamic analysis. DexGuard is specifically for Android applications and is only commercially available, while ProGuard is open source and is for any Java bytecode obfuscation / optimization.
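Putting the answer's two keep cases together, as an added example that is not from the original post: a proguard-rules.pro fragment that keeps a reflection-loaded class and a layout-referenced view while the rest of the app is still obfuscated. The package, class and member names (com.example.app, ReflectedPlugin, GaugeView) are hypothetical.

```proguard
# Hypothetical package com.example.app; substitute your own classes.

# 1. A class instantiated by name (Class.forName / newInstance) needs both
#    its name and the members reached reflectively left untouched, otherwise
#    R8/ProGuard renames or strips them and you get ClassNotFoundException.
-keep public class com.example.app.plugins.ReflectedPlugin {
    public <init>();
    public *;
}

# A narrower variant: the class itself may be renamed, only its fields are
# read by reflection (e.g. a JSON mapper). Keeping members only preserves
# more of the obfuscation than a blanket -keep on the class.
-keepclassmembers class com.example.app.model.** {
    <fields>;
}

# 2. A custom view named in a layout XML is inflated by name and through
#    the (Context, AttributeSet) constructor, so keep exactly those.
-keep public class com.example.app.ui.GaugeView {
    public <init>(android.content.Context);
    public <init>(android.content.Context, android.util.AttributeSet);
}

# Keep file/line attributes so release stack traces can be mapped back with
# the mapping.txt that the build writes; this does not expose class names.
-keepattributes SourceFile,LineNumberTable

# Note: these rules only control renaming and stripping. String literals
# (server URLs, tokens) stay readable in the DEX regardless, which is the
# gap the answer above points at with DexGuard's string obfuscation.
```

Every -keep rule is a hole in the obfuscation, so scope each one to the single class or member set that is actually accessed dynamically.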

###

You cannot prevent decompiling an Android APK; you can just increase the difficulty of decompilation. ProGuard is the best option.

###

DexGuard provides even better security than ProGuard, but it is NOT free: https://www.saikoa.com/dexguard

DexGuard can even obfuscate String constants.
