
I have looked at this answer provided here, and here, and here

The answers provide some useful information but I wanted to know if there are better ways to do it.

I have built my APK and I used ProGuard, but when I decompiled the APK, everything was the same as it was before the compression.

The names of the classes and some variables were obfuscated, but a newbie could have looked at the code and understood how the app works.

In my app I want to hide the core network communication between the app and the server. For example, the address of the server, the JSON format etc.

I came across something presented as a way to protect against decompilation: putting the java.class files into jars, signing them, and then adding them as a library to my app.

My question is: Is it the correct way to do it, i.e. using jar signing?

john doe

  • Hiding the server address doesn't sound like real security. Even if the address was not visible by decompiling the code, a user could probably see the server address (and any unencrypted communications) by connecting their phone up to an HTTP proxy and monitoring the network traffic. Instead of trying to hide the server address, you should make sure that the server is appropriately secured. – Ellis Jan 15 '16 at 09:24
  • @Ellis got you thanks – john doe Jan 15 '16 at 09:33

1 Answer


No. Jar signing is used to make sure the file isn't tampered with. You can still decompile it.

Rather than wasting time worrying about decompilation, you should concentrate on something useful. Obfuscation is used to save space in Android, not to prevent people from looking at your code. Besides, did you really create something so special that you need to protect it? (Be honest now)

Kayaman
  • It is not about me creating something special; I just want to learn because I have an exam on it. Okay, so it is not useful to do that then. Besides obfuscation and the ones mentioned in the links I provided, do you have a better way to hide the networking-related classes? – john doe Jan 15 '16 at 08:36
  • There is no way to hide them. You can't keep any sensitive information on the client because you have to assume that it can be viewed and accessed by the user. – Kayaman Jan 15 '16 at 08:43
  • Then what are your suggestions? Should I load those classes at run time? I noticed Facebook uses something like adding the compile line into the build.gradle file to use their SDK, and it hid all of their network communication like the server address etc. Would you recommend that? – john doe Jan 15 '16 at 08:47
  • Not really. I would recommend doing the bare minimum, since there's no way you can prevent me from getting all the information you're trying to hide. It all boils down to how much work you are willing to do vs. how interesting the information is. There's no way you can prevent me from getting all the information you're trying to hide. – Kayaman Jan 15 '16 at 08:51
  • Okay, then do you have a way so that I can make it harder for the client to find the server address and the JSON data format? – john doe Jan 15 '16 at 08:55
  • Nobody does that. That's why there exist plenty of 3rd-party clients for different kinds of systems. The only place where you have control is on the server, so it's no use wasting time on trying to make the client "more secure". – Kayaman Jan 15 '16 at 08:57
  • So your suggestion is that I should focus on securing the server? But it is okay for anyone to see the server address etc.? – john doe Jan 15 '16 at 08:59
  • It would be a bit like expecting email, yet trying to be sure that nobody knows your email address. You can get the server address just by sniffing the network. Trying to hide the server address is probably the stupidest thing you can try to do. – Kayaman Jan 15 '16 at 09:06
  • What if someone decompiled the app, changed the code, then built an APK and communicated with the server? Will I be protected against that by using SSL? – john doe Jan 15 '16 at 09:09
  • Of course not. There is nothing you can do to prevent me from creating a client application that communicates with your server. Hopefully your server is built so that I can't break anything. – Kayaman Jan 15 '16 at 09:15
  • So what should I do? Like, is there a way to recognize the app that is communicating with my server? – john doe Jan 15 '16 at 09:17
  • You can't do anything. I can always make my client pretend to be your client. There's absolutely nothing you can do, except make sure that your server doesn't trust the client to do anything naughty. Of course if your server requires a username/password, you'll know *who* is connected. You just can't ever know *with what* he's connected. – Kayaman Jan 15 '16 at 09:22
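The point made throughout this answer and its comments is that the server is the only place where control exists, so it must never trust anything the client asserts about itself. The following is an added example (it is not code from the question, the answer, or any project mentioned on the page) showing what that looks like in a server-side request handler, written in Python on the assumption that the backend is a Python service. The `ACCOUNTS` store, the token values, the `Authorization: Bearer` header convention and the JSON transfer format are all constructed for the example. The naive handler derives the sender from the request body, so a rebuilt client that knows the JSON format can act as any user; the hardened handler derives identity only from a server-checked credential and validates every field and business rule itself.

```python
import hmac
import json

# Constructed sample store: username -> API token and balance. In a real
# service these live in a database; the values here are made up.
ACCOUNTS = {
    "alice": {"token": "tok-alice-constructed", "balance": 100},
    "bob":   {"token": "tok-bob-constructed",   "balance": 50},
}


def fresh_accounts():
    """Return a fresh copy of the sample store so each scenario starts clean."""
    return {name: dict(acct) for name, acct in ACCOUNTS.items()}


def naive_transfer(accounts, headers, body):
    """Trusts the client. The sender is whatever the JSON says and the amount
    is never checked. Because any APK can be decompiled, edited and rebuilt,
    anyone who has learned the format can debit any account."""
    req = json.loads(body)
    accounts[req["from"]]["balance"] -= req["amount"]
    accounts[req["to"]]["balance"] += req["amount"]
    return {"ok": True}


def _caller_from_token(accounts, headers):
    """Resolve the caller from a bearer token (assumed header convention),
    comparing in constant time. Returns the username or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):]
    for name, acct in accounts.items():
        if hmac.compare_digest(presented, acct["token"]):
            return name
    return None


def hardened_transfer(accounts, headers, body):
    """Trusts nothing from the client. Identity comes from the credential
    check, never from the request body; the body is parsed defensively;
    the business rules (positive amount, known recipient, sufficient funds)
    are enforced here regardless of what the client app would have done."""
    caller = _caller_from_token(accounts, headers)
    if caller is None:
        return {"ok": False, "error": "unauthenticated"}

    try:
        req = json.loads(body)
    except ValueError:
        return {"ok": False, "error": "malformed json"}
    # Reject unknown or missing fields outright; a client-supplied "from"
    # field is exactly the thing we must not honour.
    if not isinstance(req, dict) or set(req) != {"to", "amount"}:
        return {"ok": False, "error": "unexpected fields"}

    to, amount = req["to"], req["amount"]
    # bool is a subclass of int in Python, so exclude it explicitly.
    if not isinstance(amount, int) or isinstance(amount, bool) or amount <= 0:
        return {"ok": False, "error": "invalid amount"}
    if to not in accounts or to == caller:
        return {"ok": False, "error": "invalid recipient"}
    if accounts[caller]["balance"] < amount:
        return {"ok": False, "error": "insufficient funds"}

    accounts[caller]["balance"] -= amount
    accounts[to]["balance"] += amount
    return {"ok": True, "from": caller, "to": to, "amount": amount}


if __name__ == "__main__":
    # A rebuilt client claiming to be alice, presenting no credential at all.
    forged = json.dumps({"from": "alice", "to": "bob", "amount": 100})
    acc = fresh_accounts()
    print(naive_transfer(acc, {}, forged), acc["alice"]["balance"])     # alice drained
    acc = fresh_accounts()
    print(hardened_transfer(acc, {}, forged), acc["alice"]["balance"])  # rejected
```

Note that nothing in the hardened handler depends on knowing which app sent the request; it only cares who the credential belongs to and whether the request is valid for that user, which is the distinction Kayaman draws between knowing *who* is connected and knowing *with what*.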