So you’ve just made an Android application. One that took you ages to complete and something that you feel proud of. What is going to stop someone from stealing your logic and source code? How easy is it to obtain? The short story is that your source code is not safe by default and it is very easy to obtain.
This tutorial is going to be broken up in two parts.
- Extract the source code from a native Android application
- Extract the source code from a hybrid Apache Cordova / Ionic Framework / Phonegap application
Both are designed differently, but the source code is just as easy to access. For each of these application types, you will see how to better protect your code using obfuscation practices.
NOTE: Do not use this tutorial to do malicious things. Developers work hard on their applications, so please do not take advantage of them. Use the information found here to better protect yourself from malicious users.
1. Extracting the source from a native Android application
The source code of a native Android application is not difficult to obtain, but it does require extra tools that are compatible with Windows, Mac, and Linux. My personal favorites when it comes to tools are dex2jar and JD-GUI.
If you’re unfamiliar with these tools, dex2jar will read Dalvik Executable files and convert them to the standard JAR format. JD-GUI will read JAR files and decompile the class files found in them.
To make the extraction process easier to understand, let’s start by creating a fresh native Android project:
The above command will leave you with an Android project in your current command prompt path.
Since our project has an Activity class already included, lets jump straight into the build process. You can give me a hard time all day long about using Ant instead of Gradle or Maven, but for this tutorial I’m going to stick with it.
The above command will create a debug build typically found at bin/TestProject-debug.apk. If you want to know more on building native Android projects, you can check out my previous post on the topic.
Using your favorite unzip tool, extract the APK file. 7-zip is a popular tool, but if you’re on a Mac you can just run the following from the Terminal:
This will leave us with a bunch of files and folders, but one one is important to us. Make note of classes.dexbecause it contains all of our source code. To convert it into something readable we need to run dex2jar on it. You can use dex2jar on Mac, Linux, and Windows, but I’m going to explain from a Mac perspective.
With the classes.dex file in your extracted dex2jar directory, run the following from the Terminal:
Open the JD-GUI application that you downloaded because it is now time to decode the JAR and packaged class files. Open the freshly created classes_dex2jar.jar file and you should see something like the following:
See how easy it was to get to the source code of your native Android APK? Now what can you do to better protect yourself?
The Android SDK ships with Proguard, which is a obfuscation module. What is obfuscation you ask?
Obfuscation via Wikipedia:
Obfuscation (or beclouding) is the hiding of intended meaning in communication, making communication confusing, willfully ambiguous, and harder to interpret.
While obfuscation will not encrypt your source code, it will make it more difficult to make sense of. With Proguard configured, run Ant in release mode and your code should be obfuscated on build.
2. Extracting the source from a hybrid Android application
The source code of hybrid applications are by far the easiest to extract. You don’t need any extra software installed on your computer, just access to the APK file.
To make things easier to understand, lets first create a fresh Apache Cordova project and then extract it. Start by doing the following:
You’re going to be left with platforms/android/ant-build/CordovaApp-debug.apk or something along the lines of platforms/android/ant-build/*-debug.apk.
You just saw how depressingly easy it is to get hybrid application source code. So what can you do to better protect yourself?
You can uglify your code, which is a form of obfuscation.
Doing this will not encrypt your code, but it will make it that much more difficult to make sense of.
If you want to uglify your code, I recommend you install UglifyJS since it is pretty much the standard as of now. If you prefer to use a task runner, Grunt and Gulp have modules for UglifyJS as well.
We just saw how strikingly easy it is to get native and hybrid Android source code. There is no way to encrypt your code or make it impossible to break into. If someone is willing enough, they’ll find what they want. You can however, obfuscate your code and make it more difficult for a malicious user to obtain your source code.
Moral of the story here is don’t store sensitive information in your application such as hard coded passwords.