I'm trying to learn new android methods.Before I develop new android application, I'm searching published applications.
If I decompile my application's apk, class names and objects names remains same
But If I decompile application that is in market, class and object names contains letter. That is why I don't understand what programmer did in code.
Do they encrypt the code?
any way to decrypt it?
The apks were probably obfuscated with proguard. If it's your app, disable obfuscation.
As for why apps on the market do it, it's so you can't do what you're doing now and decompile to (coherent) source. As far as I know there is no way around it, and it would be unethical to try do so. We're software developers here, so we won't help you take another developers work from them.
They obfuscated the code. Obfuscation is an automatic process which renames all classes/methods/fields with short sequential names, removes unused classes/methods/fields, and sometimes encrypts strings.
There is no easy way to deobfuscate the code.
Related
I release a new java based Game Maker Studio extension having spent many days putting it together.
Few downloads later someone decides it nice, they get your extension and the code and make their own copy/version and sell it on marketplace for much lower price. As I beleive the java code in the extensions is easily exposed.
So whats stopping people from copying and undercutting you?
I suppose you can obfuscate your code, java etc..
But thats not really hard to still copy and alter.
What else is there. I was thinking of wrapping the class into a jar file (mind you I know nothing about this) and then importing those and just referencing the functions/methods in the extensions .java file. Is this possible if so id like to know how.
I have looked at this answer provided here, and here, and here
The answers provide some useful information but I wanted to know if there are better ways to do it.
I have built my apk and I used pro guard, but when i decompiled the apk, everything was the same as they were before the compression.
The name of the classes and some variables were obfuscated but a Newbie could have looked at the code and would understand how the app works.
In my app I want to hide the core network communication between the app and the server. For example, the address of the server, the JSON format etc.
I came across something as way to protect from decompilation is putting the java.class files into jars and then signing them and then add them as a library to my app.
My question is:
Is it the correct way to do it ie. using the jar signing ?
No. Jar signing is used to make sure the file isn't tampered with. You can still decompile it.
Rather than wasting time worrying about decompilation, you should concentrate on something useful. Obfuscation is used to save space in Android, not to prevent people from looking at your code. Besides, did you really create something so special that you need to protect it? (Be honest now)
Is it possible to set the java decompiler to return everything it finds during the process? I have a game I have been working on for a little over a year, I am still pretty new to java and have been beating my head against the keyboard and api documentation to produce this game. I come home from a business trip and find that my house has been broken into and my workstation is gone. I still have my keystore because I keep it on a flashdrive for safety. I also keep my project files on a flashdrive, which I did not remove from my workstation before leaving on my trip. I have tried to use every .apk decompiler I can find to recover my source code. They all return some code but of course because of proguard almost all of it is unusable. I have a copy of my signed .apk on my phone for testing purposes and it is debuggable, is there anyway to recover all of my project files from this? Like setting the java decompiler to very verbose, or a different setting that will produce a 1:1 copy of each file reguardless of if the decompiler thinks it is relavent?
Edit: I have used dj java decompiler, androchef decompiler and the decompiler # www.decompileandroid.com which is just a script that is run on their server to use the standard tools included in eclipse adt package for developing android applications.
I used to deobfuscate Java applications for a hobby and have worked on several decompilers, so if you send it to me, I might be able to help.
That being said, there are some things that are simply impossible to fix. You're never going to get back anything that isn't present in the compiled apk because it's impossible to recover information that isn't there. Among other things, this includes comments, original source code formatting, and compile time annotations. The obfuscation step will also strip out class names, variable names, unused methods, etc.
One other thing to try is to see if there's any possible way that a non obfuscated version of apk survived. Did you ever upload your files anywhere else?
I recently found that the databases of Android apps are totally exposed. That said, my configuration is exposed, I save there passwords.
So, now my doubt resumes on java code.
String value = "example";
This could be an example where I store a password to pass by reference to webservice.
People, with some kind of software (like this example Is there a way to get the source code from an APK file?) could be able to get all the code? (I tried to follow the steps without success)
I read about http://developer.android.com/tools/help/proguard.html, how do I know that it's already implemented in my project?
When you create an Android project, a proguard.cfg file is
automatically generated in the root directory of the project.
I checked my root directory and I don't have that file.
Thank you guys.
Obfuscation does not guarantee that your code won't be de-compiled. people who get your apk will still be able to review the code (although the flow of the app will be significantly more difficult to understand). Function names, variables and class names are changed but the code is still viewable.
password and other sensitive information should be kept in Android's keychain , where it's protected. never save passwords in a configuration file (preferences file).
You can look into encrypting your local database with sqlcipher. Proguard obfuscates code but will not hide your passwords if you have them hardcoded anywhere, it is not a tool to be used for security[reference]. Also all of your network traffic is vulnerable unless you use some sort of TLS.
As you describe your app now it is trivial to get the passwords in your app.
You can use char[ ] instead of string data type for storing sensitive values like password. This will make it difficult to recover if someone takes memory dump as value is not present string literal pool if used char[] data type.
PRODUCT_PACKAGE_OVERLAYS is good. But it's used for some kind of resource. We maintain many Android projects. In reality, not only resources but also java code varies from device to device. Java is not C, it doesn't support MACRO. So it's hard to keep all modifications in just one code copy. I need something like PRODUCT_PACKAGE_OVERLAYS which can override the java code in the main tree by a file with the same name from somewhere else. Is that possible? Or can you guys share the ideas about how you manage multi android projects source code?