
Android: How does reverse engineering work?

I want to be sure that my app's content is safe. I have a password for an encrypted database inside my app, and I just want to figure out if there are safe places in my project which can't be accessed by reverse engineering.

And it would be great if you could explain shortly how reverse engineering works. Thanks.

And please don't post links to ProGuard!

Any hard-coded value CAN be viewed by reverse engineering your app.

This includes passwords, URLs, etc.

In order to reverse engineer an android app, proceed with the following steps:

1. Rename your app's APK file to ZIP (e.g. myapp.apk -> myapp.zip).
2. Open the zip file and retrieve the classes.dex file.
3. Use dex2jar to get a jar file from classes.dex.
4. Use jd-gui to open the jar file and view your original code.

Haawa,

If you are storing the password in your app as a static string, it is NOT safe. It is trivially easy to get to it, even if you are using ProGuard. The best way to safeguard it is to not store it at all. Instead, if possible, have your app send a unique identifier of some kind to a server that validates the user (possibly using LVL), then the server hands back a DB password or the actual DB data itself (stored on the server).

If this is not possible, or if you don't have access to your own server, at least obfuscate the string in some way by storing it as an XOR'ed string or, better yet, come up with your own function to obfuscate the string. NEVER have a line in your Java code that looks like `password = "mypass";`

In reverse engineering: rename your .apk file from .apk to .zip, then extract the zip file and find your folder.

But you cannot find the .class files of your project.

Reverse engineering is more about recreating intellectual property by carefully analyzing an application's behavioral aspects. Regarding security matters, I think social engineering should be of more concern to you.

Others have explained the reverse engineering, so I will explain how you should encrypt the database.

You should encrypt the database using the user's credentials (username and password, or PIN) as the key. When the user starts the application, they should be prompted for the credentials. The key should not be hard-coded.

This prevents an attacker from accessing the user's data without having the credentials.

If you are trying to hide the data from everyone including the user, yet have the application be able to access it, then you have to store it on the server and only request the data that you're willing to show to the user.
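As an added example (not code from any of the answers above, and in Python rather than Android Java for brevity): deriving the database key from the credential the user types in, with a random per-install salt, so that neither the credential nor the key is ever stored or hard-coded in the APK. The PBKDF2 parameters, the check-tag scheme and the hand-off to a SQLCipher-style database layer are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed parameters for this example; tune the iteration count for the
# slowest device you support so unlocking stays well under a second.
PBKDF2_ITERATIONS = 200_000
KEY_LEN = 32          # 256-bit key for the database layer (e.g. SQLCipher)
SALT_LEN = 16
CHECK_MSG = b"db-key-check-v1"   # constant used only to detect a wrong credential


def derive_db_key(credential: str, salt: bytes) -> bytes:
    """Derive the database key from the user's credential and a per-install salt.
    Only the salt is persisted on the device; the credential and key are not."""
    return hashlib.pbkdf2_hmac("sha256", credential.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=KEY_LEN)


def enroll(credential: str) -> dict:
    """First run: generate a random salt and a check tag. The tag lets later runs
    tell a mistyped PIN apart from a corrupt database without storing the key.
    Returns the only material that should be written to local storage."""
    salt = os.urandom(SALT_LEN)
    key = derive_db_key(credential, salt)
    tag = hmac.new(key, CHECK_MSG, "sha256").digest()
    return {"salt": salt, "check_tag": tag}


def unlock(credential: str, stored: dict):
    """Later runs: re-derive the key from the entered credential and verify it
    against the stored tag in constant time. Returns the key to hand to the
    database layer, or None when the credential is wrong."""
    key = derive_db_key(credential, stored["salt"])
    tag = hmac.new(key, CHECK_MSG, "sha256").digest()
    if not hmac.compare_digest(tag, stored["check_tag"]):
        return None
    return key


if __name__ == "__main__":
    # Constructed walk-through: enroll once, then unlock with right and wrong input.
    on_device = enroll("1234")            # what the app persists (salt + tag only)
    assert unlock("1234", on_device) is not None
    assert unlock("0000", on_device) is None
    print("unlock with correct PIN ok; wrong PIN rejected")
```

Because the salt is random per install, two users choosing the same PIN get different database keys, and an attacker who pulls the APK and the stored salt still has nothing to decrypt with until the user types the credential.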
