Tuesday, April 10, 2012

Is it really Impossible to Protect Android apps from Reverse Engineering?

As we know, Android apps are written in Java. In Java, no matter what you do , it is impossible to protect compiled code from decompilation or reverse-engineering, as the following thread suggests:

How to lock compiled Java Classes to prevent decompilation

My question is how one would go about protecting an app that contains algorithmic trade secrets from reverse-engineering?

By "how" I mean not only software techniques but also other creative approaches.

Source: Tips4all


  1. First stop for me would be to optimise and obfuscate the code with ProGuard which is known to work with byte code targeted at Android's Dalvik VM (via Dex). Its a really great tool and can increase the difficulty of 'reversing' your code whilst shrinking your code's footprint (in some cases dramatically: a recent applet of mine went from ~600KB down to ~50KB).

    Like others are saying you will never get 100% security of your algorithm's details whilst its implementation is being distributed to clients. For that you'd need to keep the code on your servers alone. Attempts to near 100% percent security for client code effectively amount to DRM and can make your client code fragile in the face of network outages and just generally frustrate (legitimate) users.

    Android developers blog has some useful articles on the matter of 'tamper resistant' Android apps (and they recommend the use of ProGuard as part of the overall approach).

    Edit: With regards to 'creative' approaches: some developers employ debugger detection techniques to prevent run-time analysis and combine this with encryption of portions of binary code (to deter static analysis), but to be honest a determined enough attacker can circumvent these, whilst it can cause legitimate user frustration as illustrated by this Windows KB article. My girlfriends 'Learn to drive' DVD software will not run under Virtualbox for this reason, but she blames Linux of course!

    OpenRCE and Wikipedia's article on obfuscated code may be good starting points if you want to look into this further. But be warned, you may lose more through over zealous use of these techniques frustrating your users than you would through loss of trade secrets by reverse engineering. Like Anton S says, maybe the most 'creative' approach lies with tweaking the business model rather than the technology.

    Edit #2 : The latest Android SDK update on 6th Dec 2010 (coinciding with Android 2.3 Gingerbread release) :

    Integrated ProGuard support: ProGuard is now packaged with the SDK Tools. Developers can now obfuscate their code as an integrated part of a release build.

  2. if it's a possibility: remote procedure calls to a well-protected server. (the server has the code you want to protect).

  3. make it so cheap to bother and don't build your business model on top of secrets that are executed on client side. In other words don't share your secrets.

  4. It is impossible to protect any client side code from reverse engineering. You can just use more or less efficient ways of obfuscating your code. And optimized x86 assembler happens to be a pretty good obfuscation.

    So if you have algorithmic secrets put them on the server-side.

  5. How to lock compiled Java Classes to prevent decompilation

    You can't. Any scheme can be defeated by someone with sufficient skills, time and motivation.

    (Incidentally, this also applies to software that is compiled to binary. The only difference is in the amount of effort involved in decompiling.)

    My question is how one would go about protecting an app that contains algorithmic trade secrets from reverse-engineering?

    Simply don't install the app on the user's phone. Or (more usefully), run the code that contains the trade secrets on a remote (properly secured) server.

  6. You can't protect your application completely, as there will always be someone who will crack it...

    However you could hinder them doing this by making your application free, or at least dirt cheap so people won't be bothered.

    Alternative, try to keep your Android application "dumb", as in keep all the secretive business logic on a backend server, and just have you app display data using some form of exposed service.

  7. no matter what you do - maybe at least you can make it very hard to decompile, but: if something gets executed/calculated in a program, the information about the algorithm has to be there, and there will always be a possibility to find out how to get that (enough skill and motivation on you opponents side assumed). always.

  8. I have my algorithm on a server and I invoke that service from my smartphone app. A perpetrator can reverse engineer my smartphone app to see my protocol with my server. I can protect my algorithm but I can not protect against unauthorized use of my service. I have to accept this reality without a solution. I have to be content that as long as I am making money with my own service, then I have to live with the potential of others siphoning my service.