How to Protect the Android Application? Security Recommendation
Nowadays, in the global network, the offshore android development, as well as security questions, are one of the most important. The huge amount of data every day hits the internet and every user by default wants to protect them. Applications and their creators aren’t exceptions. Due to this issue, we asked our dedicated developer about the main dangers and ways to defend the applications.
In our fast-moving world with new android mobile applications emerging every minute, lack of privacy, open information at every social platform, which all creates such a vast landscape for all the hackers of the world, surprisingly a lot of those Android applications at their start still forget about the security. Seems like the only developers who actually think about this are those of financial and payment apps.
As a result, we have the following situation: when the project is done it is uploaded to the Play Store. Hacker simply downloads APK file (APK is a package file format used by the Android OS) from the Play Store (e.g. via https://apkpure.com/ or some other tool). After that, he can decompile this APK (http://www.javadecompilers.com/apk is just one of the simplest ways) and Hooray! Hacker can see the whole project’s codebase. Even API endpoints (application uses HTTP requests to get information from the server) could be revealed.
Above you can see a simple guide to becoming a hacker. As you can see it doesn’t require a huge skillset. Any person who has access to the computer (which is most of the planet’s population) can do that.
Security Ways for Android Application Package
So how can we stop that from happening? Here is a list of the most common APK securing ways:
- Source code and resources/assets obfuscation. Fully unreadable sources after APK decompile so it’s impossible to do reverse engineering.
- Integrity control. APK certificate(https://developer.android.com/studio/publish/app-signing) checks, APK content checks. Hackers can’t insert malicious code inside APK file.
- SSL pinning. The application will only accept a single SSL(security technology for establishing an encrypted link between server and application) certificate which is pre-defined inside application. Environment checks(root detection etc.)
A few words about root detection. If you allow your application to be installed on the rooted device don’t forget to secure all the locally stored data(especially if it contains some user’s sensitive data) but It would be better not to store such data locally.
And here is an example of code obfuscation.
Without the security of the Android application, everybody can see something like that after APK decompile. We can see there all third-party libraries, configs, source code. All this information compromises the application.
public final class App extends MultiDexApplication implements HasActivityInjector, HasServiceInjector, HasBroadcastReceiverInjector { public static final Companion Companion = new Companion(); private static App instance; @Inject @NotNull public DispatchingAndroidInjector<Activity> dispatchingActivityInjector; @Inject @NotNull public DispatchingAndroidInjector<BroadcastReceiver> dispatchingReceiversInjector; @Inject @NotNull public DispatchingAndroidInjector<Service> dispatchingServiceInjector;
And let’s use one of the obfuscation tools(in this case it’s DexProtector). We will see only files with code and inside them the non-understandable code like below.
public class ProtectedApp extends Application { /* renamed from: h */ private static Object f0h; private static byte[] wvgjH = new byte[]{(byte) 14, (byte) -99, (byte) 30, (byte) -21, (byte) -79 ... private static volatile transient Object[] iv; public static boolean yz; public ProtectedApp() { f0h = this; } private void Dlxgrphex(File file) { String engineWrap; String engineWrap2; switch (Hkg()) { case 1: engineWrap = engineWrap("䎫ぐﰚ樒組澼嬈촳〤?"); engineWrap2 = engineWrap("ᾍ끡᭧ᘲ㰂樃霽磾┓"); break; case 2: engineWrap = engineWrap("‑黯鄟묬郼潹㼝瞧ꍍⴰ"); engineWrap2 = engineWrap("ᾍ끡᭧ᘱ㰇橛霽磰╉욀몇"); break; case 3: engineWrap = engineWrap("尫ȡꩨݸ눱゚ᩧ嬟뱔"); engineWrap2 = engineWrap("ᾍ끡᭧ᘱ㰇橔霽磰╉욀몇"); break; case 4: engineWrap = engineWrap("˽?쳃㩎蝀ﺴ퉰≄䬴?策ի"); engineWrap2 = engineWrap("ᾍ끡᭧ᘱ㰇橛霽磰╉욀몇"); break; case 5: engineWrap = engineWrap("㊽㚶쿀軳䢑鄂趃퉥䢙䊣䷊"); engineWrap2 = engineWrap("ᾍ끡᭧↑મᙃ㱇橘霽磰╉욀몇"); break; default: throw new IllegalArgumentException(); } InputStream open = getAssets().open(engineWrap2); OutputStream inflaterOutputStream; try { inflaterOutputStream = new InflaterOutputStream(new FileOutputStream(file)); jvhjscGDD(engineWrap, open, inflaterOutputStream); inflaterOutputStream.close(); open.close(); } catch (Throwable th) { open.close(); } } private int Hkg() { String str = Build.CPU_ABI; String str2 = SystemProperties.get(engineWrap("發䗃秐쓳睅봳䊰媟鵱䪱ༀו곌螺벝쏲"), ""); String str3 = engineWrap("登䗂禕쓭睘봫䊺").equals(str2) ? str : str2; if (str3.startsWith(engineWrap("癯䗞禓쓦睖봾䊽媊鴲"))) { return 2; } if (str3.startsWith(engineWrap("癯䗞禓쒵眃뵱䊢媝"))) { return str3.equals(str) ? 3 : 2; } else { if (str3.startsWith(engineWrap("癯䗞禓쓦睖봾䊽"))) { return 1; } if (str3.startsWith(engineWrap("癶䖔秈쓜省뵨"))) { return (str3.equals(str) || str.startsWith(engineWrap("癯䗞禓쒵眃뵱䊢媝"))) ? 5 : 4; } else { if (str3.startsWith(engineWrap("癶䖔秈"))) { return 4; } throw new IllegalArgumentException(engineWrap("癍䗼禫쒹眗") + str2 + engineWrap("瘢䖌禓쓬睓봹䋮") + str); } } } private void cv() { File file = new File(getDir(engineWrap("⎽稩鈑辠訟"), 0), engineWrap("⎾稿鈑辠訟䥭ᆗ褂刔蘍ᑪ濃㥔◖藼៚䢙柔t둇魀ܡ") + Process.myPid() + engineWrap("⏼稲")); try { Dlxgrphex(file); System.load(file.getAbsolutePath()); } finally { file.delete(); } } ...
Besides, it’s very easy to access another application’s data on Android OS. If you are completely new to the topic of security, you can take a look at a go-to guide with some really useful tips here https://developer.android.com
Tools for Android Application Security
If you want to protect your android application we prepared for you a few tools with a quick overview which can help you with this task:
- ProGuard(built-in) – is an open-source command-line tool that does very simple code obfuscation;
- DexProtector, DexGuard, etc. – paid tools with lots of functionality including security ways that were mentioned above.
In conclusion, we would like to say that project security should not only be on the mobile developer’s shoulders. The whole team should be involved and you need to find android developers in case of staff shortage! P.S. Don’t forget to add checking application protection to the QA’s checklist (at least to decompile APK).
Protect Your Business with Mobilunity
The demand for hiring coders to protect businesses is high. Experienced programmers who work in the security sector may offer their services. Mobilunity may help you get a dedicated team that understands the needs and goals of the business and assist you with your needs, whether its hiring insurtech developers, legacy application modernization or cybersecurity.
Let all of your applications be secure!
All salaries and prices mentioned within the article are approximate NET numbers based on the research done by our in-house Recruitment Team. Please use these numbers as a guide for comparison purposes only and feel free to use the contact form to inquire on the specific cost of the talent according to your vacancy requirements and chosen model of engagement.