Do you know following things
about Android?
Who can see
application's code?
If not properly protected – just about anybody can!
Android applications are run client-side, which means that the actual code
for the application is downloaded onto the user's mobile device.
|
|
What they can see
if not protected?
If not properly protected, decompiled code can potentially
reveal usernames and passwords to back-end databases. This means that anyone
could have access to your sensitive data.
|
|
How did they do it?
Through a process called 'de-compilation', hackers can use
simple tools to reverse engineer your app, reproducing the original source
code.
|
|
Mobile app development and IT services company RIIS has released a new
security tool designed to prevent Android de-compilation by hackers on mobile
devices.
HoseDex2Jar
is similar to HoseMocha which
appeared in the late 1990's. Like HoseMocha,
HoseDex2Jar is a simple tool that adds some instructions to the classes.dex file that Dex2Jar can not
process. HoseDex2Jar is currently available on http://www.decompilingandroid.com.
Developers can take steps such as using tools like ProGuard to obfuscate their code, but up
until now, it has been impossible to prevent someone from decompiling an app,”
said Godfrey Nolan, RIIS president. ”We realized if there was a way to
stop Dex2Jar, we would stop all Android de-compilation. HoseDex2Jar does
just that. It stops Dex2Jar by inserting harmless code in an Android
APK that confuses and disables Dex2Jar and protects the code from de-compilation.
“To crack an Android app, hackers can download the app on another machine
(e.g., Mac) and run a tool (e.g., apktool)
to unpackage the app and disassemble its Dalvik bytecode,” the report notes.
Dalvik is the process virtual machine in Google Android's operating system.
“They analyze the disassembled code or use tools (e.g., dex2jar and a Java
de-compiler) to decompile Dalvik bytecode to Java source code and analyze the
source code,” the report continues. “They can make changes to disable license
checks (or other modifications) and repackage the app and resign it.”
According to RIIS, the new tool represents a step forward in protecting
applications from this kind of behavior.
White Paper published by RIIS at http://decompilingandroid.com/Code_Audit_White_Paper.pdf
Download source code at GitHub.