Safety is an essential part of any product’s quality. Unfortunately, in the high-tech
The first thing we worry about is personal data safety. However, someone may also wish to hack it (device, program, software) in order to understand the principle of its operation and adopt ideas, or even completely reproduce the application. This practice is called reverse engineering and is used in many areas, including electronics and even the military industry.
With respect to Android, reverse engineering is the process of extracting source code and resources from an APK (Android Package Kit) file. The APK of the target application can be removed from the phone by using ADB (Android Debug Bridge) or downloading from the Google Play Market.
Decompiling an APK file is not a difficult task. Through the decompilation of APK and the conversion of dex files to jar files and then to Java source code, hackers can acquire the source code of your app.
The fact is, it is almost impossible to completely protect a mobile app from reverse engineering and ensure its complete safety.
Nevertheless, here at
1. Using ProGuard
To provide mobile application security from reverse engineering we can use the ProGuard tool, designed to reduce,
- analysis and
optimisationof bytecode methods;
- detection and removal of unused classes, fields, methods
- renaming of other classes, methods
andfields using short, meaningless names.
These actions reduce the code base, making it more efficient and at the same time difficult to decrypt. At the final stage of the preliminary verification, information is added to the classes required for Java Micro Edition, Java 6, etc.
It is worth noting that obfuscation can be canceled with a deobfuscator. In this
2. Moving Important Parts of the Code to the Server
Speaking of other effective methods, we also move the most important parts of the service from the mobile application to a web service hidden on the server side.
Imagine that you have a unique algorithm.
3. Writing Important Code in C / C ++
We sometimes use NDK (Native Development Kit) to write algorithms originally in .so files, which are much less likely to be decompiled than APK. In addition, we use SSL (Secure Sockets Layer) protocol when communicating between the device and the server.
Although it can be parsed into assembly code, the process of reversing the engineering of a large library from the assembly is quite laborious. In terms of security, compared with C / C ++, Java is easier to decompile.
4. Do not store values in an unprocessed format
Next, when storing the values on the device, we do not use the raw format. If we need to maintain the user's balance (the amount of the application currency) or other values, we usually store the values encoded (for example, store them in the form of an algorithm).
5. User Credentials
The next step towards your mobile application’s security relates to user account data.
- First, we try to
minimisethe frequency of requests for user credentials in the app. This will help make phishing attacks more visible and reduce the likelihood of their success. In this case, we recommend using the authorisationtoken (and regularly updating it).
- Secondly, the name and password should not be stored on the device (where possible). We always advise performing the
authorisationprocess with a username and password and using the authorisationtoken.
If you need to allow users to store their credentials to automate future
Although it is almost impossible to guarantee 100% security of the application from reverse engineering and other threats, here at Magora, we do everything possible to protect your data. Here is the general list of recommendations to provide the highest level of security for your mobile app:
- Inform programmers about security issues.
- Factor security into the architecture.
- Perform an audit of the code.
- Apply compiler-related security settings.
- Control the distribution of the app on the Internet.
- Update regularly.
If you want to know more about the security measures we take or if you need a highly protected mobile app for business, our team is always ready to answer all your questions.