Android code security

1. First of all, let's think about the question: which parts of android need to improve security to prevent being cracked, and which parts cannot guarantee security?

A) First, if your applications compete with others for something that is relatively soft, such as creativity, user experience, and service, and is free of charge, there is no technical difficulty, you need to assess whether you really need to improve code security.

B) images, XML files, or APK files cannot be encrypted. Because these files are loaded and read by the andriod virtual machine, the encrypted Android virtual machine cannot recognize them and your applications cannot be used normally. Do not include confidential content in these files.

C) There are many Android applications that need to communicate with the server. If the transmitted data is encrypted, the client may use the key for encryption or decryption. This key should be dynamic.

D) key business logic, algorithms, and financial transactions require extremely high security. Multiple encryption methods must be used.

2. Several methods to prevent code from being decompiled:

A) Minimize sensitive content in client code, such as the key of the encryption algorithm.

It is impossible to avoid cracking at all. companies like Microsoft and Apple will also be cracked and jailbroken. We can only find ways to increase the difficulty of decompilation and the threshold for cracking.

First, try to make sensitive content on the server rather than on the client. The key is dynamic. Do not root yourself or leave the possibility of cracking as far as possible. Murphy's Law says that if a bad thing can happen, it will happen.

B) custom Class Loader (custom classloader)

You can use the custom class loader to load encrypted. class files and use the custom class loader to decrypt the files to improve code security.

This method can be used when you have the opportunity to use your own class loaders. For example, for a C/S architecture program, the client is written in Java (swing or SWT ), this type of program is common in large companies and foreign countries. Small Chinese companies seldom use Java to write clients.

For Android programs, class loaders cannot be used for subclasses of basic classes such as activity and service that inherit Android. If you want to use them, you need to extract the key code, A class independent of the android framework can be loaded using a custom class loader.

But there is still a hidden risk, because this custom class loader is also written in Java and will be decompiled. However, this process adds a barrier and increases the difficulty of cracking.

C) use JNI

Code written in C or C ++ is more difficult to decompile than in Java. However, this method is not recommended unless necessary.

The local code is difficult to debug. If an exception occurs, the entire VM is shut down abnormally. At the same time,. So will be loaded into the memory of the virtual machine, whether or not to use the memory space.

In addition, many Java developers are not familiar with C or C ++. If someone in your company is familiar with C or C ++.

D) Obfuscation

Obfuscation is to add useless code without changing the code logic, or rename the class name, method name, and variable name, making it difficult to understand the decompiled source code and improve the difficulty of cracking.

This topic focuses on how to confuse code in Android applications. First, let's take a look at the comparison of The Decompilation results before and after obfuscation.

Figure 1 original code

Figure 2 decompilation before Obfuscation

Figure 3 decompilation after Obfuscation

We can see that the class name, method name, and variable name will be modified, and the meaning of the method cannot be directly identified. However, if it is a String constant, it will be decompiled, so the key cannot be put in the APK, and it has nowhere to hide.

The following describes how to use the obfuscation tool. The obfuscation function is provided in android2.3. We will introduce the proguard obfuscators here.

In addition to obfuscation, This method also includes functions such as program signature and installation. It is compiled based on Ant and has more powerful functions. You can also insert other functions you want throughout the compilation process, such as unit testing.

Usage:

First, add a configuration file in your project to configure environment variables and signature files, such as build. cfg. In this file, you need to specify which classes do not need to be obfuscated. In Android, all classes that use the class name in the configuration file should not be confused. Otherwise, classnotfoundexception may occur during program execution.

Create a build. xml file to specify the ant compilation process. Finally, execute build. XML to complete the entire process of code obfuscation, packaging, and signing. You can use the decompilation tool to check whether the obfuscation is successful.

Figure 4 method for executing build. xml

Please refer to the project example for operations. The configuration file must be marked with all the items to be modified. Please search for the keyword "Modify here" and check all the items found, modify according to your environment configuration.

The above methods are used in combination to multiply the effect. The person who cracked your program will say, you can't think of the lion's roar, and you have a big horn ......

If your company really needs to be so confidential, first of all, it depends on whether your company has a strict and mature information security system. Otherwise, everything will be futile. Because one piece of money is hard to prevent, the bastion is the easiest way to break through internal attacks.

Source: Internet chronicle http://www.xymyeah.com/1276.html.