Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
866 views
in Technique[技术] by (71.8m points)

security - Prevent decompiling android apk

I'm creating an app for android and ios, and i already know that it's theoretically possible to decompile an android app. The app contains sensitive information that i don't want users to have access to as the app interfaces with a webserver. If a user gained access to some information available in the source code, they could potentially spam my web server with requests.

Is there any way to authenticate a connection between the app and the server, assuming that the source code is accessible, or is there any way to obfuscate my code to prevent a malicious user from spamming my webserver.

Thankss

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

[UPDATE]

**

When you build your application using Android gradle plugin version > 3.4.0, the plugin chooses R8 to optimize and obfuscate the code. The rules can now be configured on proguard-rules.pro or proguard-app.conf files. the rules to indicate what to exclude from the obfuscation are similar to the ones in proguard.cfg used earlier.

You can import your proguard files in your build.gradle like

buildTypes{
  ...
  release{
      proguardFiles getDefaultProguardFile(
                'proguard-android-optimize.txt'),
                'proguard-rules.pro'
  }
}

R8 picks up all the existing proguard rules files as long as they're included in the build.gradle. You can also configure what pieces to obfuscate for different product flavors that you may have.

**

[OLD BUT RELEVANT INFO]

Proguard is a tool that will help you obfusate your code. This comes as part of your android tools and you just need to activate it. This link and this will help further.

Proguard's default configuration (in proguard.cfg) will be enough to sufficiently obfuscate your code. However you might want to tweak your proguard configuration when you have methods/classes that are being dynamically accessed.

  1. For instance, accessing classes/methods with Reflection will need you to have the code to be intact. You might sometimes experience ClassNotFoundException if proguard obfuscates it.

  2. If you have classes that are being accessed in the AndroidManifest/ Layout Files, you should prevent proguard from obfuscating them.

This can be done by adding

-keep public class <MyPackage.MyClass> 

to your proguard.cfg.

**

While Proguard makes static analysis harder, DexGuard protects from both static and dynamic analysis. DexGuard is specifially for android applications and is only commercially available while Proguard is open source and is for any java bytecode obfuscation / optimization.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...