Android developers love the open nature of the Android platform. It empowers them to build groundbreaking apps. But there is a dark side to it too, and only a few people know about it. People are discovering ever more ways of reverse engineering Android APKs, and that is bad for any app business.
Android apps are inherently exposed because their code is not compiled down to native machine code, which means the app can be extracted and decompiled. The recovered code can then be abused in a variety of ways, such as unlocking in-app purchases for free, weakening the app's security, and so on.
These are the common reasons why people decompile Android apps, and you can imagine the damage that APK reverse engineering can do to you. In fact, security should be the top concern for any app business when the Android app handles financial or healthcare data.
A good Android app development company would never go behind a client's back and build a similar app for the client's rivals. But there is still the risk that names left inside comments reveal which agency or freelancer developed the Android app.
Take a look at the following tweet to understand how serious Android reverse engineering is.
See how easy it is to decompile an APK back to source code?
So the question is: how do you stop anyone from reverse engineering the APK of your Android app?
Put Important Code on Server
You have probably heard this one already. Putting your important code on a server reduces the chance of your source code being stolen, because the main code stays on the server and only its results are visible on the device.
But what if millions of users are going to use your Android app? An average server won't be able to handle that; you'll need a server farm. And what about the cost?
A server farm is a huge expense and not a viable solution for everyone. Moreover, if network connectivity is poor, your Android app's users will be frustrated and your client is likely to lose business.
However, there is a better and less expensive option as well. Suppose there is a block of code that you don't want to let out. Keep that block of code on hardware that you control. This makes it painful for an extractor to recover your APK's source code.
And, to add more security, you could add double obfuscation to combat any man-in-the-middle attacks.
What else can you do to avoid Android reverse engineering?
ProGuard is an obfuscation tool that is useful for safeguarding applications that use a licensing server. The tool increases the difficulty of reversing the code in your Android app's APK.
A commercial version of ProGuard is also available, named DexGuard. DexGuard goes the extra mile in terms of security and added difficulty. Still, your code can always be converted into smali, which is enough for a developer to figure out what you are doing with it. But again: if you don't want people to see your code, don't put it on their devices.
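ProGuard (and R8, which reads the same rule syntax in current Android builds) only helps if it is configured to actually rename and shrink things. The following `proguard-rules.pro` is an added example, not code from the original post or from the ProGuard project; the `com.example.*` package names are placeholders. It shows the settings that quietly defeat obfuscation next to a hardened rule set that keeps only what the platform must be able to look up by name.

```proguard
# Added example: proguard-rules.pro for a release build (not from the original
# post). Package names such as com.example.* are placeholders.

# --- Weak configuration (commonly shipped by accident) ------------------------
# Any one of these lines removes most of the benefit of running ProGuard/R8:
#
#   -dontobfuscate                       # every class, method and field keeps its name
#   -dontshrink                          # unused debug/test code stays in the APK
#   -keep class com.example.** { *; }    # blanket keep: nothing in the app is renamed
#   -keepattributes SourceFile,LineNumberTable   # readable file names and line numbers
#
# --- Hardened configuration ---------------------------------------------------

# Move every obfuscated class into the unnamed root package, so the original
# package hierarchy (which usually spells out the agency or client name) is gone.
-repackageclasses ''
-allowaccessmodification

# Keep only attributes that reflection-based libraries genuinely need.
# SourceFile and LineNumberTable are deliberately NOT kept; crashes are mapped
# back with the mapping.txt that the build writes (see usage note).
-keepattributes Signature,*Annotation*

# Entry points the Android framework locates by name: components declared in
# the manifest ...
-keep public class * extends android.app.Application
-keep public class * extends android.app.Activity
-keep public class * extends android.app.Service
-keep public class * extends android.content.BroadcastReceiver
-keep public class * extends android.content.ContentProvider

# ... custom views inflated from layout XML ...
-keepclasseswithmembers class * {
    public <init>(android.content.Context, android.util.AttributeSet);
}

# ... methods exposed to JavaScript in a WebView, and native (JNI) methods.
-keepclassmembers class * {
    @android.webkit.JavascriptInterface <methods>;
}
-keepclasseswithmembernames class * {
    native <methods>;
}

# Remove debug logging entirely, so the strings inside Log calls (URLs,
# parameter names, internal state) do not end up in classes.dex.
-assumenosideeffects class android.util.Log {
    public static *** v(...);
    public static *** d(...);
    public static *** i(...);
}
```

These rules take effect only when the release build type has `minifyEnabled true` and lists the file via `proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'` in `build.gradle`. The build writes the name mapping to `build/outputs/mapping/release/mapping.txt`; keep that file internal (it reverses the renaming) but do keep it, since it is the only way to read stack traces from the field. After building, a quick check is `apkanalyzer dex packages app-release.apk`: if your own package names still appear, a `-keep` rule is too broad.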
There are, of course, other ways to make Android reverse engineering harder, but the two above are the most effective of all. And if you have other ideas for protecting Android app source code, we'd like to hear them in the comments.