EvilZone
Hacking and Security => Mobile Hacking => Android => : Axon January 17, 2013, 12:34:34 AM
-
Just found this article while browsing some hacking related sites,
http://rajhackingarticles.blogspot.com/2013/01/android-reverse-engineering-see-source.html
-
Yeah, I can confirm this. Google sucks at protecting the application. So if you want to be sure people pay for your app, you better get going to implement licensing systems and crypted/obfuscated code.
-
It is not entirely Google's fault. Android is an open platform running Java applications, so if you have root access to your phone it's normal you can find the app .apk. Since it's Java, it is also normal you can "decompile" the code without too much trouble (Android or desktop application). Where Google could do something is encrypt the .class files a second time during the .apk packaging phase, but I guess they had some reasons to not do it. After all, if your phone is not rooted you don't have access to the apk files.
-
It is not entirely Google's fault. Android is an open platform running Java applications, so if you have root access to your phone it's normal you can find the app .apk. Since it's Java, it is also normal you can "decompile" the code without too much trouble (Android or desktop application). Where Google could do something is encrypt the .class files a second time during the .apk packaging phase, but I guess they had some reasons to not do it. After all, if your phone is not rooted you don't have access to the apk files.
Not exactly. You don't need root to extract apk files. There is no need to root your phone to get the apk files.
-
It is not entirely Google's fault. Android is an open platform running Java applications, so if you have root access to your phone it's normal you can find the app .apk. Since it's Java, it is also normal you can "decompile" the code without too much trouble (Android or desktop application). Where Google could do something is encrypt the .class files a second time during the .apk packaging phase, but I guess they had some reasons to not do it. After all, if your phone is not rooted you don't have access to the apk files.
You can download APKs off the internet no problem
-
You can download APKs off the internet no problem
haha...
He meant that someone has to root to get the apk.
On the net, someone had to root his phone, extract the apk and upload it :P...
You don't need to do that. An apk can be extracted without root.
-
Learned something today. I have no idea why I was sure root was needed to extract apk files. Guess it is the programmer's task to obfuscate the code then, even though you probably won't get 100% working code using the techniques in that article.
-
That's where ProGuard comes in to obfuscate that code. And it sure makes it hard to read... also decompiled APKs never contain the full code in Java or XML format, and it is hard to make a compilable project again from what you decompiled...
And that blog post didn't say anything magical. He just ran dex2jar and that is it - there are many more techniques and software...
-
it is hard to make a compilable project again from what you decompiled...
If you just modify a single class to enter some malicious code, it is not that hard. You just have to recompile the files you actually changed.
I also recompiled a whole project once, because I had to embed it in an application and it was full of System.exit() calls that closed my program too. It took me about two hours to remove the calls and the errors from decompiling.
-
If you just modify a single class to enter some malicious code, it is not that hard. You just have to recompile the files you actually changed.
I also recompiled a whole project once, because I had to embed it in an application and it was full of System.exit() calls that closed my program too. It took me about two hours to remove the calls and the errors from decompiling.
But you get whole Java code only if you're lucky. Some blocks of code get written as weird ASM instructions. I don't think Java can compile such stuff... or am I wrong?
-
How about NDK? How would that work in terms of being decompilable?
-
But you get whole Java code only if you're lucky. Some blocks of code get written as weird ASM instructions. I don't think Java can compile such stuff... or am I wrong?
Mh, usually bytecode can be decompiled without any problems. If there are ASM instructions, it means that you didn't have only bytecode to decompile.
I just assumed that Android would use the bytecode, but I may be wrong at this point.
-
But you get whole Java code only if you're lucky. Some blocks of code get written as weird ASM instructions. I don't think Java can compile such stuff... or am I wrong?
Not possible, at least it does not seem so.
Java code is meant to run on different architectures where each has its own JVM, which converts the bytecode to executable code.
If you get ASM instructions, then how will that code run on different machines (with a different instruction set or opcodes)? Java code cannot have ASM code if it is supposed to be cross-platform.
-
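Added example, not part of the original thread: the bytecode vs. ASM vs. NDK question above comes down to what an APK actually contains, namely Dalvik bytecode in classes.dex (what dex2jar converts) and, for NDK apps, per-architecture ELF libraries under lib/. The sketch below inventories both by magic bytes so a developer can see which parts of a release build are plain bytecode; the function names and the sample APK are constructed for illustration.

```python
import io
import struct
import zipfile

# ELF e_machine values for the ABIs Android has shipped native libraries for.
ELF_MACHINES = {3: "x86", 40: "ARM", 62: "x86-64", 183: "AArch64"}

def classify(data):
    """Classify one APK entry by its magic bytes (None = not code)."""
    if data[:4] == b"dex\n" and data[7:8] == b"\x00":
        # DEX magic is "dex\n" + 3-digit version + NUL
        return "dalvik-bytecode (dex version %s)" % data[4:7].decode("ascii")
    if data[:4] == b"\x7fELF" and len(data) >= 20:
        # EI_DATA (byte 5): 1 = little endian, 2 = big endian
        endian = "<" if data[5] == 1 else ">"
        (machine,) = struct.unpack_from(endian + "H", data, 18)  # e_machine
        return "native-code (%s)" % ELF_MACHINES.get(machine, "machine %d" % machine)
    return None

def inventory(apk_bytes):
    """Return {entry name: classification} for code-bearing entries in an APK."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            with apk.open(info) as fh:
                kind = classify(fh.read(64))
            if kind:
                found[info.filename] = kind
    return found

def build_sample_apk():
    """Constructed sample: a tiny ZIP with fake headers, not a real app."""
    dex = b"dex\n035\x00" + b"\x00" * 104
    # 16-byte e_ident, then e_type = 3 (shared object), e_machine = 40 (ARM)
    elf_arm = b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + struct.pack("<HH", 3, 40) + b"\x00" * 32
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")
        z.writestr("classes.dex", dex)
        z.writestr("lib/armeabi/libnative.so", elf_arm)
    return buf.getvalue()

if __name__ == "__main__":
    for name, kind in inventory(build_sample_apk()).items():
        print(name, "->", kind)
```
-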
Kewl, can't wait till I get home.
Thx for the share!