[Android Security] APK self-protection-string processing

cp:1190000005128037

Strings are unavoidable during development, but these strings can also be key points for cracking, such as the server's address and the error message of these sensitive string information. If these strings are hard-coded, it is easy to get through static analysis. A previous blog with hints of strings with breakout Android program reverse analysis

Normal way definition string

A string is defined in Java:

private String normalstring () {    string str = "Hello world";    return str;}

Anti-compilation. Smali Code

. Method Private Normalstring () ljava/lang/string;    . Registers 2    . Prologue line    const-string v0, ' Hello world '. Line    . Local v0, "str": Ljava/lang /string;    Return-object V0.end method

You can see that const-string the keyword is followed by a defined string value and can even be extracted in bulk using automated analysis tools.

Solution 1. StringBuilder Stitching

The StringBuilder class constructs the required string by means of the Append method. This way can increase the difficulty of automated analysis, if you want to get the complete string, you have to do the appropriate lexical parsing.

Stitching string code in Java:

Private String buildstring () {    StringBuilder builder = new StringBuilder ();    Builder.append ("Hello");    Builder.append ("");    Builder.append ("World");    return builder.tostring ();}

Anti-compiled. Smali Code:

. Method Private Buildstring () ljava/lang/string;    . Registers 3    . Prologue line    new-instance v0, Ljava/lang/stringbuilder;    Invoke-direct {v0}, ljava/lang/stringbuilder;-><init> () V line    . Local v0, "Builder": ljava/lang/ StringBuilder;    Const-string v1, "Hello"    invoke-virtual {v0, v1}, Ljava/lang/stringbuilder;->append (ljava/lang/string;) Ljava /lang/stringbuilder;    . Line    const-string v1, ""    invoke-virtual {v0, v1}, Ljava/lang/stringbuilder;->append (ljava/lang/ String;) Ljava/lang/stringbuilder;    . Line    const-string v1, "world"    invoke-virtual {v0, v1}, Ljava/lang/stringbuilder;->append (ljava/lang/ String;) Ljava/lang/stringbuilder;    . Line    invoke-virtual {v0}, ljava/lang/stringbuilder;->tostring () ljava/lang/string;    Move-result-object v1    return-object V1.end method

You can see that the anti-compiled. Smali code adds a certain degree of difficulty to the hack and cannot be identified at a glance.

2. Encoding obfuscation

Encoding obfuscation is the conversion of a string to a 16-binary array or Unicode encoding at hard-coding time, in the back of a string when used. This is a way to decompile the. Smali code more difficult to identify directly than the StringBuilder approach.

Java code:

Private String encodestring () {    byte[] strbytes = {0x48, 0x65, 0x6c, 0x6c, 0x6f, 0x20, 0x77, 0x6f, 0x72, 0x6c, 0x64};
   string str = new String (strbytes);    return str;}

Decompile. Smali Code:

. Method Private Encodestring () ljava/lang/string;    . Registers 4    . Prologue Line    const/16 v2, 0xb    new-array v1, v2, [B    fill-array-data v1,: array_e< C6/>.line    . Local v1, "strbytes": [B    new-instance V0, ljava/lang/string;    Invoke-direct {v0, v1}, ljava/lang/string;-><init> ([B) v. Line    . Local v0, "str": ljava/lang/ String;    Return-object v0    . Line    NOP    : Array_e    . Array-data 1        0x48t        0x65t 0x6ct 0X6CT        0x6ft        0x20t        0x77t        0x6ft        0x72t        0x6ct        0x64t    . End Array-data.end Method

It can be seen in the. Smali code that all characters have been hidden.

3. Encryption processing

The encryption process is to encrypt the string locally, and then hard-code the ciphertext into the runtime to decrypt it.
Encryption steps:

• String encryption

• Hard-coded into the program

• Compile run

• Decryption text

Of course, because Java code is relatively easy to decompile, and this method needs to put the decryption method in the APK local, so we can use the decryption method through the JNI implementation, increase the difficulty of anti-compilation.

Summarize

Any kind of hardening method only increases the difficulty of anti-cracking, and does not completely avoid the Android program is cracked.

[Android Security] APK self-protection-string processing