Android apk reverse engineering is always the problem for Android Developers. Due to the open-source nature of Android ecosystem makes it possible to reverse engineer the Android apk. There are certain tools available online that makes decompilation of apk possible to retrieve the source code/project files from it. Well, we will see here one of the way in this article to understand how decompilation works and later learn on how you can avoid getting your apk from being reverse engineered.
Reverse engineering of Android apk files can lead to great loss to developers and the companies. Hackers can take the great advantage of this technology. In past lots of Android users have became the victim of Fake Android Prisma app surfacing on the Google Play Store. Prisma fake app was exactly pretend to be the original one. What they can do is, achieve the source code from the apk and alter the code for the malicious purpose and deploy or trick the users to download the malicious app. It is kind of that every effort made by the developer to build the app is available to everyone for free.
How Android apk can be reverse engineered
Android programming is based on java. There are lots of Java decompilers available online which can help in decompiling the java based Android apk file. As Java JVM (Java Virtual Machine) for compilation & interpretation, Android use Dex compiler that converts the class files into .dex file and .dex files are executed on DVM (Dalvik Virtual Machine).
- To reverse engineer an apk, all you need to have the apk file.
- Download dex2jar decompiler tool from here and extract it.
- Convert your xyz.apk to xyz.zip. Change the extension from .apk to .zip and extract it. In the extracted files, find classes.dex file
- Copy and paste the classes.dex file to the extracted dex2jar directory
- Navigate to command prompt and set the path to dex2jar directory using cd command in windows
- Execute the command d2j-dex2jar.bat classes.dex from your command prompt
- After successful execution open dex2jar directory and your jar file will be ready. It could be named as classes_dex2jar.jar in the directory.
- To read the classes from jar file, you need to download java decompiler tool that is jd-gui from GitHub
- Open the classes_dex2jar.jar file in java decompiler tool to extract the classes from jar file
This is only for the educational purpose and to give idea to the developer about how decompilation works.
—Recommended 7 Android Nougat features worth Exploring
—Recommended 7 Lesser known Google apps
Here, you successfully achieve the Android apk code. This is how hacker can fetch the source code from the apk file and alter the source code for achieving the malicious purpose. After alteration of code, he can recompile the code back into Android apk. Also, anyone can see the logic and come up with the changes as the competitor. This is one of the ways to reverse engineer the app, but there are many tools available to do so. Well, there are certain ways to avoid this major problem of Android apk reverse engineering. Let’s explore the certain ways to avoid Android app from being reverse engineered.
How to avoid Android apk from being Reverse Engineered
There is no exact way to avoid apk from being reverse engineered. But you can manage to obfuscate the code to make it harder for anyone to reverse engineer it.
- Use tools like ProGuard to obfuscate the code, which makes harder to reverse engineer Android apk. It is free to use. DexGuard (Extended version of ProGuard) is the commercial version that provides advanced security to protect android applications.
- Encrypt your resources. Use algorithms for calculations instead of raw values.
- Use pre-compiled native library written in native language like C, C++. You can use & implement native library using Android NDK. Code written in native is hard to decompile
- Store your important resources on Web server & fetch them as required
- Avoid using raw/direct values instead use referenced values
Sometimes, instead of actual code it is converted to smali. Smali is an assembler for the dex format used by dalvik. Experienced reverse engineer can also find the way from it.
These are the ways to makes reverse engineering harder. Obviously these are the few, but if you know than do share with us via comments and help in bringing more awareness. Keep sharing. Stay tuned to Tech Tunes.
Follow me on Twitter