本文翻译自:How to avoid reverse engineering of an APK file?

I am developing a payment processing app for Android, and I want to prevent a hacker from accessing any resources, assets or source code from the APK file. 我正在开发适用于Android的付款处理应用程序 ,并且我想防止黑客访问APK文件中的任何资源,资产或源代码。

If someone changes the .apk extension to .zip then they can unzip it and easily access all the app's resources and assets, and using dex2jar and a Java decompiler, they can also access the source code. 如果有人将.apk扩展名更改为.zip,那么他们可以将其解压缩并轻松访问应用程序的所有资源和资产,并且使用dex2jar和Java反编译器,他们还可以访问源代码。 It's very easy to reverse engineer an Android APK file - for more details see Stack Overflow question Reverse engineering from an APK file to a project . 对Android APK文件进行反向工程非常容易-有关更多详细信息,请参见Stack Overflow问题: 从APK文件反向工程到项目

I have used the Proguard tool provided with the Android SDK. 我已经使用了Android SDK随附的Proguard工具。 When I reverse engineer an APK file generated using a signed keystore and Proguard, I get obfuscated code. 当我反向工程使用签名的密钥库和Proguard生成的APK文件时,我得到的代码很混乱。

However, the names of Android components remain unchanged and some code, like key-values used in the app, remains unchanged. 但是,Android组件的名称保持不变,某些代码(如应用中使用的键值)保持不变。 As per Proguard documentation the tool can't obfuscate components mentioned in the Manifest file. 根据Proguard文档,该工具不能混淆清单文件中提到的组件。

Now my questions are: 现在我的问题是:

  1. How can I completely prevent reverse engineering of an Android APK? 如何完全防止 Android APK的反向工程? Is this possible? 这可能吗?
  2. How can I protect all the app's resources, assets and source code so that hackers can't hack the APK file in any way? 如何保护应用程序的所有资源,资产和源代码,以使黑客无法以任何方式对APK文件进行黑客攻击?
  3. Is there a way to make hacking more tough or even impossible? 有没有办法使黑客攻击变得更加艰难甚至不可能? What more can I do to protect the source code in my APK file? 我还能做些什么来保护APK文件中的源代码?

#1楼

参考:https://stackoom.com/question/w8AT/如何避免APK文件的反向工程

#2楼

Developers can take following steps to prevent an APK from theft somehow, 开发人员可以采取以下步骤以某种方式防止APK被盗,

  • the most basic way is to use tools like ProGuard to obfuscate their code, but up until now, it has been quite difficult to completely prevent someone from decompiling an app. 最基本的方法是使用ProGuard工具来混淆他们的代码,但是直到现在,要完全阻止某人反编译应用程序还是很困难的。

  • Also I have heard about a tool HoseDex2Jar . 我也听说过一个工具HoseDex2Jar 。 It stops Dex2Jar by inserting harmless code in an Android APK that confuses and disables Dex2Jar and protects the code from decompilation. 它通过在Android APK中插入无害的代码来停止Dex2Jar ,从而混淆并禁用Dex2Jar并保护代码免于反编译。 It could somehow prevent hackers from decompiling an APK into readable java code. 它可能以某种方式阻止黑客将APK反编译为可读的Java代码。

  • Use some server side application to communicate with the application only when it is needed. 仅在需要时才使用某些服务器端应用程序与该应用程序进行通信。 It could help prevent the important data. 它可以帮助防止重要数据。

At all, you can not completely protect your code from the potential hackers. 根本无法完全保护代码免受潜在黑客的攻击。 Somehow, you could make it difficult and a bit frustrating task for them to decompile your code. 不知何故,对于他们来说,使它们反编译您的代码可能会很困难且令人沮丧。 One of the most efficient way is to write in native code(C/C++) and store it as compiled libraries. 最有效的方法之一是用本机代码(C / C ++)编写并将其存储为已编译的库。

#3楼

1. How can I completely avoid reverse engineering of an Android APK? 1.如何完全避免对Android APK进行反向工程? Is this possible? 这可能吗?

AFAIK, there is not any trick for complete avoidance of reverse engineering. AFAIK,没有任何技巧可以完全避免逆向工程。

And also very well said by @inazaruk: Whatever you do to your code, a potential attacker is able to change it in any way she or he finds it feasible . @inazaruk也很好地指出: 无论您对代码做什么,潜在的攻击者都可以通过其认为可行的任何方式对其进行更改 You basically can't protect your application from being modified. 您基本上不能保护您的应用程序不被修改。 And any protection you put in there can be disabled/removed. 并且您放置在其中的所有保护措施都可以被禁用/删除。

2. How can I protect all the app's resources, assets and source code so that hackers can't hack the APK file in any way? 2.如何保护应用程序的所有资源,资产和源代码,以使黑客无法以任何方式对APK文件进行黑客攻击?

You can do different tricks to make hacking harder though. 您可以采取不同的技巧来使黑客攻击更加困难。 For example, use obfuscation (if it's Java code). 例如,使用混淆(如果是Java代码)。 This usually slows down reverse engineering significantly. 这通常会大大降低反向工程的速度。

3. Is there a way to make hacking more tough or even impossible? 3.有没有办法使黑客攻击变得更加严厉甚至不可能? What more can I do to protect the source code in my APK file? 我还能做些什么来保护APK文件中的源代码?

As everyone says, and as you probably know, there's no 100% security. 众所周知,您可能知道,没有100%的安全性。 But the place to start for Android, that Google has built in, is ProGuard. 但是Google内置的Android的起点是ProGuard。 If you have the option of including shared libraries , you can include the needed code in C++ to verify file sizes, integration, etc. If you need to add an external native library to your APK's library folder on every build, then you can use it by the below suggestion. 如果可以选择包含共享库 ,则可以在C ++中包含所需的代码以验证文件大小,集成等。如果需要在每次构建时将外部本机库添加到APK的库文件夹中,则可以使用它通过以下建议。

Put the library in the native library path which defaults to "libs" in your project folder. 将库放在本机库路径中,该路径默认为项目文件夹中的“ libs”。 If you built the native code for the 'armeabi' target then put it under libs/armeabi . 如果您为“ armeabi”目标构建了本机代码,则将其放在libs / armeabi下If it was built with armeabi-v7a then put it under libs/armeabi-v7a. 如果它是使用armeabi-v7a构建的, 则将其放在libs / armeabi-v7a下。

<project>/libs/armeabi/libstuff.so

#4楼

1. How can I completely avoid reverse engineering of an Android APK? 1.如何完全避免对Android APK进行反向工程? Is this possible? 这可能吗?

Impossible 不可能

2. How can I protect all the app's resources, assets and source code so that hackers can't hack the APK file in any way? 2.如何保护应用程序的所有资源,资产和源代码,以使黑客无法以任何方式对APK文件进行黑客攻击?

Impossible 不可能

3. Is there a way to make hacking more tough or even impossible? 3.有没有办法使黑客攻击变得更加严厉甚至不可能? What more can I do to protect the source code in my APK file? 我还能做些什么来保护APK文件中的源代码?

More tough - possible, but in fact it will be more tough mostly for the average user, who is just googling for hacking guides. 更强悍-可能,但实际上,对普通用户(他们只是在寻找黑客指南)而言,这将更加困难。 If somebody really wants to hack your app - it will be hacked, sooner or later. 如果有人真的想入侵您的应用-迟早会被入侵。

#5楼

100% avoidance of reverse engineering of the Android APK is not possible, but you can use these ways to avoid extracting more data, like source code, assets form your APK, and resources: 不可能100%避免对Android APK进行反向工程,但是您可以使用以下方法来避免提取更多数据,例如源代码,APK中的资产和资源:

  1. Use ProGuard to obfuscate application code 使用ProGuard混淆应用程序代码

  2. Use NDK using C and C++ to put your application core and secure part of code in .so files 使用C和C ++的 NDK将您的应用程序核心和部分代码安全地放在.so文件中

  3. To secure resources, don't include all important resources in the assets folder with APK. 为确保资源安全,请不要在APK中的资产文件夹中包含所有重要资源。 Download these resources at the time of application first start up. 在应用程序首次启动时下载这些资源。

#6楼

AFAIK, you cannot protect the files in the /res directory anymore than they are protected right now. AFAIK,您不能再保护/ res目录中的文件,而不能立即保护它们。

However, there are steps you can take to protect your source code, or at least what it does if not everything. 但是,您可以采取一些步骤来保护源代码,或者至少要保护源代码而不是全部。

  1. Use tools like ProGuard. 使用ProGuard之类的工具。 These will obfuscate your code, and make it harder to read when decompiled, if not impossible. 这些会混淆您的代码,并且即使不是不可能的话,在反编译时也很难阅读。
  2. Move the most critical parts of the service out of the app, and into a webservice, hidden behind a server side language like PHP. 将服务中最关键的部分移出应用程序,并移到Web服务中,隐藏在服务器端语言(如PHP)的后面。 For example, if you have an algorithm that's taken you a million dollars to write. 例如,如果您有一种算法需要花费一百万美元来编写。 You obviously don't want people stealing it out of your app. 您显然不希望别人从您的应用程序中窃取它。 Move the algorithm and have it process the data on a remote server, and use the app to simply provide it with the data. 移动算法并使其在远程服务器上处理数据,然后使用该应用程序简单地向其提供数据。 Or use the NDK to write them natively into .so files, which are much less likely to be decompiled than apks. 或使用NDK将其本机写入.so文件中,而与apks相比,它们反编译的可能性要小得多。 I don't think a decompiler for .so files even exists as of now (and even if it did, it wouldn't be as good as the Java decompilers). 我认为到目前为止,.so文件的反编译器甚至还不存在(即使确实如此,它也不如Java的反编译器那样好)。 Additionally, as @nikolay mentioned in the comments, you should use SSL when interacting between the server and device. 此外,正如注释中提到的@nikolay一样,在服务器和设备之间进行交互时应使用SSL。
  3. When storing values on the device, don't store them in a raw format. 在设备上存储值时,请勿以原始格式存储它们。 For example, if you have a game, and you're storing the amount of in game currency the user has in SharedPreferences. 例如,如果您有一个游戏,并且要存储用户在SharedPreferences中拥有的游戏币数量。 Let's assume it's 10000 coins. 假设它是10000硬币。 Instead of saving 10000 directly, save it using an algorithm like ((currency*2)+1)/13 . 而不是直接保存10000 ,而是使用((currency*2)+1)/13类的算法进行保存。 So instead of 10000 , you save 1538.53846154 into the SharedPreferences. 因此,您可以将1538.53846154而不是10000保存到SharedPreferences中。 However, the above example isn't perfect, and you'll have to work to come up with an equation that won't lose currency to rounding errors etc. 但是,上面的示例并不是完美的,您必须努力想出一个不会因舍入误差等因素而浪费时间的方程式。
  4. You can do a similar thing for server side tasks. 您可以对服务器端任务执行类似的操作。 Now for an example, let's actually take your payment processing app. 现在举个例子,让我们实际使用您的付款处理应用程序。 Let's say the user has to make a payment of $200 . 假设用户必须支付$200 Instead of sending a raw $200 value to the server, send a series of smaller, predefined, values that add up to $200 . 而不是向服务器发送原始的$200值,而是发送一系列较小的预定义值,其总和为$200 For example, have a file or table on your server that equates words with values. 例如,在您的服务器上有一个文件或表格,将单词和值等同起来。 So let's say that Charlie corresponds to $47 , and John to $3 . 假设Charlie对应$47John对应$3 So instead of sending $200 , you can send Charlie four times and John four times. 因此,您不必发送$200 ,而是可以发送Charlie四次和John四次。 On the server, interpret what they mean and add it up. 在服务器上,解释它们的含义并将其加起来。 This prevents a hacker from sending arbitrary values to your server, as they do not know what word corresponds to what value. 这可以防止黑客将任意值发送到您的服务器,因为他们不知道哪个单词对应什么值。 As an added measure of security, you could have an equation similar to point 3 for this as well, and change the keywords every n number of days. 作为一种额外的安全措施,您也可以为此设置一个类似于第3点的公式,并每隔n天更改一次关键字。
  5. Finally, you can insert random useless source code into your app, so that the hacker is looking for a needle in a haystack. 最后,您可以将无用的随机源代码插入您的应用程序,以使黑客在大海捞针中寻找针头。 Insert random classes containing snippets from the internet, or just functions for calculating random things like the Fibonacci sequence. 插入包含来自互联网的摘要的随机类,或者仅插入用于计算诸如斐波那契数列之类的随机事物的函数。 Make sure these classes compile, but aren't used by the actual functionality of the app. 确保可以编译这些类,但应用程序的实际功能未使用这些类。 Add enough of these false classes, and the hacker would have a tough time finding your real code. 添加足够多的这些错误类,黑客将很难找到您的真实代码。

All in all, there's no way to protect your app 100%. 总而言之,没有办法100%保护您的应用程序。 You can make it harder, but not impossible. 您可以使其更困难,但并非没有可能。 Your web server could be compromised, the hacker could figure out your keywords by monitoring multiple transaction amounts and the keywords you send for it, the hacker could painstakingly go through the source and figure out which code is a dummy. 您的Web服务器可能受到攻击,黑客可能会通过监视多个交易金额和您为其发送的关键字来找出您的关键字,黑客可能会费心地查看源代码并找出哪个代码是假的。

You can only fight back, but never win. 您只能反击,但永远不会赢。

如何避免APK文件的反向工程?相关推荐

  1. linux(以ubuntu为例)下Android利用ant自动编译、修改配置文件、批量多渠道,打包生成apk文件...

    原创,转载请注明:http://www.cnblogs.com/ycxyyzw/p/4555328.html  之前写过一篇<windows下Android利用ant自动编译.修改配置文件.批量 ...

  2. 利用adb命令查看apk文件包名的一些方法

    利用adb命令查看apk文件包名的一些方法 前提是已经下载android SDK并配好环境变量! 在控制台输入命令$adb shell pm 可以看到adb shell pm的相关用法,详细信息请自己 ...

  3. 批量从apk文件中提取出so文件

    应用场景 在不解压apk文件夹的情况下批量的从apk文件中提取出所有的so文件.这样你即不用使用apktool 这些工具令产生大量的中间文件,或者将apk的后缀变为.zip,然后在解压,节省了磁盘空间 ...

  4. 批量提取出apk文件中的classes.dex文件

    应用场景 如果需要批量分析apk以及每个apk文件中的classes.dex 文件.怎么提取出它们?将apk改后缀名变为.zip文件,之后在解压,提取出每个apk文件中的classes.dex文件,这 ...

  5. 用apktool批量反编译apk文件

    写在前面的话 这个是一个十分简单的脚本,非常简单.为什么要写,因为我是来骗分数的. 应用场景 主机上有一堆APK文件,是按照类别分好的,现在用apktool 反编译它们,然后在按照类别和apk的名字来 ...

  6. 下载apk文件之后变成zip的解决办法

    APK文件其实是zip格式,但后缀名被修改为apk,通过UnZip解压后,可以看到Dex文件,Dex是Dalvik VM executes的全称,即Android Dalvik执行程序,并非Java ...

  7. android 开发 获取各种intent (图片、apk文件、excel、pdf等文件)

    public static Intent openFile(String filePath){File file = new File(filePath);if(!file.exists()) ret ...

  8. Android代码实现APK文件的安装与卸载

    Android代码实现APK文件的安装与卸载 Android程序使用代码的安装和卸载!!! 安装: String str = "/CanavaCancel.apk"; String ...

  9. Apk文件破解反编译(转)

    首先我们了解下什么是apk APK是AndroidPackage的缩写,即Android安装包(apk).APK是类似Symbian Sis或Sisx的文件格式.通过将APK文件直接传到Android ...

最新文章

  1. COM First Teck.
  2. Optimized Purchasing基础知识
  3. laravel controller
  4. 招聘 | 南京柯基数据招聘自然语言处理工程师
  5. Java中矩阵运算(math3的使用)
  6. 安卓移动应用开发实例_移动应用开发协会纳新 ||掌握信息,赢得未来
  7. 前端:HTML/06/表单,表单元素(单行文本域,单行密码域,单选按钮,复选框,下拉列表,文本区域,上传文件域,各种按钮,隐藏域,lt;caption表格标题)
  8. 怎么在表格中转换html格式,图解Excel与Html格式之间的互相转换
  9. 解决springboot工程创建是连接失败问题
  10. linux 域名对应ip 端口号,【原创】Linux基础之测试域名IP端口连通性
  11. Netapp存储 硬盘显示bad label的解决办法
  12. gps坐标转成火星坐标
  13. 计算机安全模式怎么消除计,大神为你解说win7系统解除word安全模式的妙计
  14. 给控件做数字签名——摘录自阿泰博客
  15. 计算机处理器份额,处理器市场份额排名 英特尔X86架构继续领先
  16. 多个订单待付款半小时倒计时功能
  17. 防抖和截流超级详细讲解,易懂
  18. 简单介绍一下chatGPT
  19. Apache开源顶级项目Ambari搭建HDP大数据平台
  20. 因为一首歌,想念一个人?

热门文章

  1. : Andorid的Linux基础教学之五 中断机制
  2. Ubuntu 设置Android adb 环境变量
  3. 什么是Busybox,简单使用
  4. ubuntu16.04安装retext,第一行图标flie,edit,help没有,其它图标也不显示?
  5. Android性能优化之电量篇(四)
  6. (0045) iOS 开发之MBProgressHUD 源码学习
  7. php组件化开发composer,PHP组件化开发 - JimmyJaw的个人空间 - OSCHINA - 中文开源技术交流社区...
  8. 7.13 T2 Shit 题(shit)
  9. [ 浙江大学 程序设计专题 ] 四个专题代码 报告 PPT共享
  10. 基于mjpg-streamer网络视频服务器移植