DroidCon Montreal - Hack and Protect your apps!

One of the presenters focused on helping developers strengthen their app security against having it reversed engineered, but he noted, that with dedication anything is possible.

Some of the things to do before hand is to see if you can hack your own application. There's several methods and tools out there, but Sylvain focused on a select few.

One the first methods used is "adb" and using a tool to unzip an "APK". I'm pretty sure that everyone knows that an APK is simply a compressed zip file.

1- Determine the package name of the app, e.g. "com.example.someapp".

adb shell pm list packages

  • Look through the list of package names and try to find a match between the app in question and the package name. This is usually easy, but note that the package name can be completely unrelated to the app name. If you can't recognize the app from the list of package names, try finding the app in Google Play using a browser. The URL for an app in Google Play contains the package name.

2- Get the full path name of the APK file for the desired package.

adb shell pm path com.example.someapp

  • The output will look something like this: package:/data/app/com.example.someapp-2.apk

3- Pull the APK file from the Android device to the development box.

adb pull /data/app/com.example.someapp-2.apk

  • Finally the last step will extract the APK to your current path.
You could very well use APKTOOL Smali + resources from an APK file to achieve a different goal. This isn't only limited to these tool. One of the other very interesting tool used, was JADX which would allow you to recover partial Java code.

The presenter didn't only show what some developers are already aware of, but he went on to provide other resources to help developers protect their app with interesting methods. He started with an easy method called obfuscation, Making the code harder to read and understand makes it less appealing for people to steal or copy it. Sometimes, this isn't enough and more drastic measures are required.

Developers can also use a service called "ProGuard" which is to render to code more unreadable and more complex. In the event that this isn't up to the standard you do have a very advanced service called AndroGuard.

Exploring, developing and evolving your app, it's security and continuously moving forward is key.

Presentation slide Source