Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Reverse Engineering & Secure Your Android Code

Ngalam Backend Community
November 25, 2019
Technology
1
1.3k

Reverse Engineering & Secure Your Android Code

Ngalam Backend Community

November 25, 2019
Tweet

More Decks by Ngalam Backend Community

See All by Ngalam Backend Community
Web_Scraping_with_Scrapy.pdf
ngalambackend
0
71
Introduction to Flask
ngalambackend
0
98
Achieving API Performance and Scalability
ngalambackend
0
59
Interfaces in Go
ngalambackend
0
48
CSS in JS in action
ngalambackend
0
38
Productive Remote Working with Scrum
ngalambackend
0
57
Covid Tracker Kota Malang
ngalambackend
0
55
Supercharge Local Development with Docker
ngalambackend
1
92
Building Scalable and Flexible API by Leveraging GraphQL and BigTable
ngalambackend
1
280

Other Decks in Technology

See All in Technology
Java EE/Jakarta EEの現状と将来 ―クラウドネイティブ時代にJava EEは対応できるのか?―
takakiyo
1
150
Meta Quest 3 で動く桜マシマシ WebXR アプリを IBM Cloud Code Engine と Babylon.js で作った話
1ftseabass
PRO
0
120
Postman v10リリース後を振り返る / Looking back at Postman v10 after release
yokawasa
1
160
「スニダン」開発組織の構造に込めた意図 ~組織作りはパッションや政治ではない!~
rinchsan
3
560
レガシーをぶっ壊せ。AEONで始めるDevRelの話 / Qiita Night 2024-2-22
aeonpeople
3
1.3k
Kernel MemoryでAzure OpenAI Serviceとお手軽データソース連携
mitsuzono
1
240
生産性向上チームの紹介
cybozuinsideout
PRO
1
870
Delivering Millions of Messages within seconds @ Duolingo
pelelgrino
0
350
VS CodeでAWSを操作しよう
smt7174
8
1.6k
On Your Data を超えていく!
hirotomotaguchi
2
670
元インフラエンジニアに成る / Human Resources to Human Relations
bobtani
4
910
現代CSSフレームワークの内部実装とその仕組み
poteboy
7
3.6k

Featured

See All Featured
Writing Fast Ruby
sferik
621
60k
For a Future-Friendly Web
brad_frost
172
9k
The Language of Interfaces
destraynor
151
23k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
9
8.3k
From Idea to $5000 a Month in 5 Months
shpigford
377
45k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
14
1.6k
Designing with Data
zakiwarfel
96
4.8k
Pencils Down: Stop Designing & Start Developing
hursman
117
11k
Agile that works and the tools we love
rasmusluckow
325
20k
Designing on Purpose - Digital PM Summit 2013
jponch
110
6.5k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
21
1.6k
Documentation Writing (for coders)
carmenintech
60
3.9k

Transcript

  1. Reverse Engineering & Secure Your Android Code Otniel Victory

  2. Reverse? Reverse engineering is the process of understanding how things

    work and reusing the information to do something. Ketika apps sudah di publish di playstore = semua orang bisa melakukan apapun
  3. None

  4. Aplikasi Mod adalah salah satu produk dari reverse engineering yang

    melakukan perubahan pada code aplikasi asli untuk tujuan tertentu. ex : mod spotify, whatsapp, vsco gratisan dll Aplikasi Mod ? How it could be?

  5. Step Sederhananya Android App.apk Decompile Get Source Code HTML, CSS,JS

    Action Recompile New Android App.apk

  6. Get Android APK File 1. Pakai aplikasi backup di smartphone

    2. Download langsung di google search

  7. Decompile Tujuan umum Decompile => proses merubah paket aplikasi (.apk)

    jadi source code yang bisa dibaca manusia Read another’s code Find vulnerabilities in the code Search for sensitive data hardcoded in the code Malware Analysis Modifying the functionality of an existing application tujuan kali ini hanya untuk education (karena decompile bisa menjadi hal yang ilegal bila digunakan untuk membuat app tiruan, mencuri algoritma dll)

  8. Decompile Beberapa tools untuk decompile : 1. APK Tool 2.

    Dex2jar & JdGui 3. APK Studio 4. Online decompiler 5. JADX

  9. Decompile Cara decompile dengan JADX 1. install JADX = https://github.com/skylot/jadx

    2. buka JADX GUI 3. open .apk file 4. u got the code

  10. Yang Didapat Dari Decompile dengan JADX 1. Asset (icon,drawable,custom asset)

    2. Layout (.xml) 3. Value (Color, String, Style) 4. Setting Android Manifest 5. Java File (sometime susah dibaca) 6. Other Note : Hasil tergantung setting yang dilakukan developer saat build aplikasi

  11. Gimana biar 100% aman? Nggak Ada

  12. 1. Aktifkan ProGuard / R8 Android Build Gradle < 3.4.0

    use ProGuard Android Build Gradle > 3.4.0 use R8

  13. Kenalan sebentar sama proses compile di android

  14. ProGuard or R8 Android Build Gradle < 3.4.0 use ProGuard

    Android Build Gradle > 3.4.0 use R8 Code shrinking Why u should proguard or r8 : removes unused classes, fields, methods, attributes, library Resource shrinking removes unused resources Obfuscation shortens the name of classes and members ex : androidx.appcompat.app.ActionBarDrawerToggle.DelegateProvider -> a.a.a.b String nama_ayam = “ayam betutu” -> String z = “ayam betutu” Optimization inspects and rewrites your code

  15. How to config Keuntungan tambahan, file size lebih kecil

  16. Kenapa disarankan pada buildType Release Build Time R8 true R8

    false

  17. Perbedaan Ketika Di Decompile

  18. 2. Jangan Hardcode Many such APIs comes with subscription plans

    and can be accessed using API keys which we get during the subscription process Masih sering terjadi di negara +62 developer menulis langsung secret key pada appsnya 2.1 Storing keys in the native C/C++ (existing apps) 1. Create folder jni on main menyembunyikan, bukan menghilangkan

  19. 2. create Android.mk inside jni 3. create file Application.mk inside

    jni

  20. 4. Create keys.c

  21. 5. get the key

  22. 6. tambahkan pada build gradle

  23. tapi ini juga punya kelemahan, bisa ditemukan jika yang mencari

    benar2 jeli

  24. 2.2 Storing keys in cloud bisa pakai firebase, atau cloud

    sendiri (untuk apps yang harus online) 3. Don’t store raw format ex: saved Coin on SharedPreference Daripada save langsung var coin = 300 mending save 1,208 didapat dari (coin/2+1)/125

  25. 4. Put Logic on BackEnd Sebisa mungkin kurangi logic pada

    front end (android) pilih menu, saat button `Beli` ditekan ada validasi if (harga < saldo) { pindah halaman }

  26. Better rule

  27. 5. Bayar DexGuard https://www.guardsquare.com/en/products/dexguard

  28. None

  29. NOTE : 1. Jika app error setelah penerapan R8 (kode

    yg digunakan ternyata dihapus) gunakan -keep public class MyClass pada file proguard-rules.pro cara melihat code yg terhapus r8 Link 2. Resource Shrinking hanya dapat dilakukan bersama dengan penyusutan kode, jika ingin mempertahankan resource agar tidak dihapus bisa mengakses Link 3.

  30. Pustaka https://www.guardsquare.com/en/blog/comparison-proguard-vs-r8-october-2019-edition https://developer.android.com/studio/build/shrink-code#enable https://developer.android.com/studio/build/shrink-code#shrink-resources https://developer.android.com/studio/build/shrink-code#shrink-code https://medium.com/@abhi007tyagi/storing-api-keys-using-android-ndk-6abb0adcadad https://developer.android.com/ndk/guides/android_mk.html https://developer.android.com/ndk/guides/application_mk.html