Decompiling an Android APK? [duplicate]
R

4

22

Possible Duplicate:
Android: Getting source code from an APK file

Is it possible for someone to decompile my Android APK file and see the public variables or constants declared in my packages?

My shared key that I have defined as a public static constant will then get exposed...

Ravenravening answered 4/9, 2012 at 8:22 Comment(4)
Yes, it will always be possible to see hardcoded values. If you're talking about scoping, then I'm not sure I understand your question. – Tatter
I'm talking about literally seeing the hardcoded constant key... – Ravenravening
If you're talking about when other people are trying to deobfuscate your code, then yes, using the right tools, they will be able to see all hardcoded values, such as e.g. private String key = "Au8aujEWS(jol#9jSd9"; – Tatter
Yes - look here - easy one-click online tool :) – Phantasmal
T
10

When you deobfuscate code (here's a video tutorial that might give insight: How to read obfuscated code), you will be able to see all hard-coded values such as

private String key = "Au8aujEWS(jol#9jSd9";

Except they won't be seeing variable names:

private String a = "Au8aujEWS(jol#9jSd9";

By using tools like Sunny mentioned, you'll be able to get all code to near its original state.

I'll give an example. If you had the following original code:

public class MainActivity extends Activity { 
    private String key = "Au8aujEWS(jol#9jSd9";

    public void onCreate(Bundle savedInstance) {
        //Some code here
    }
}

public class OtherActivity extends Activity { ... }

After being compiled, and decompiled back into Java code, it would look something like this:

public class A extends B {
    private String a = "Au8aujEWS(jol#9jSd9";

    public void a (C b) {
        //Some code here
    }
}
public class D extends B { ... }

and by using educated guesswork and refactoring tools, you'll be able to deobfuscate code, so with enough dedication and hard work people will be able to see all your code.


I strongly recommend not making your security depend entirely on things coded into the client applications. Of course, it depends on how important it is in your situation to not give hackers the possibility to access the information you're trying to secure.

Tatter answered 4/9, 2012 at 8:40 Comment(0)
R
12

Yes, it is possible to decompile an APK.

Depending on the obfuscation level it might take some time, but a dedicated/bent person will eventually decompile it.

You can try tools like

Source: http://geeknizer.com/decompile-reverse-engineer-android-apk/

UPDATE 1

Here are 2 more options for you:

suggested by @AndrewRukin

UPDATE 2

Another tool: jadx

Rossuck answered 4/9, 2012 at 8:30 Comment(1)
I may also add that nowadays it is possible to decompile an Android application online, no software needed! Here are 2 options for you: - decompileandroid.com - javadecompilers.com/apk – Opinicus
C
0

Yes, Android APKs can easily be decompiled. The public variables, constants and their values can be seen when decompiled even if the code is obfuscated.

When you obfuscate code, your variable names are renamed. The values of your variables remain the same. Obfuscation is different from encryption. As such, your code is not encrypted when you obfuscate it.

An example of normal code:

String str = "This is a string.";

An example of obfuscated code:

String a = "This is a string.";

As you can see above, the variable name was renamed from "str" to "a", but its value remains the same. Obfuscation works by renaming the variables to short, non-logical names, making the file size smaller and the code harder to understand.

What I do is obfuscate my whole code, then encrypt my key and decrypt it somewhere in my program. Although I understand that a determined and patient hacker can still crack my key, it will make things harder for him.

Courtyard answered 4/9, 2012 at 8:56 Comment(0)
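The answers above agree that renaming obfuscation leaves string values untouched. As an added example (not code from any of the posts), here is a small pre-release audit in Python that scans Java source for string literals that look like keys and reports the same finding for the original and the renamed class. The thresholds, function names and sample sources are assumptions built from the snippets quoted on this page.

```python
import math
import re
from collections import Counter

# Java string literal; escaped characters (\" \\ \n ...) may appear inside.
STRING_LITERAL = re.compile(r'"((?:[^"\\\n]|\\.)*)"')

def shannon_entropy(text):
    """Bits per character of the literal's character distribution."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def looks_like_secret(value, min_len=16, min_entropy=3.5):
    """Heuristic with assumed thresholds: long, no spaces, mixed classes, high entropy."""
    if len(value) < min_len or " " in value:
        return False
    classes = (any(c.islower() for c in value), any(c.isupper() for c in value),
               any(c.isdigit() for c in value), any(not c.isalnum() for c in value))
    return sum(classes) >= 3 and shannon_entropy(value) >= min_entropy

def find_hardcoded_secrets(java_source):
    """Return (line_number, literal) for each suspicious literal.
    Identifier names are never consulted, so renaming cannot hide a value."""
    findings = []
    for lineno, line in enumerate(java_source.splitlines(), start=1):
        for match in STRING_LITERAL.finditer(line):
            if looks_like_secret(match.group(1)):
                findings.append((lineno, match.group(1)))
    return findings

# Constructed samples: the page's example class before and after renaming.
ORIGINAL_SOURCE = '''public class MainActivity extends Activity {
    private String key = "Au8aujEWS(jol#9jSd9";
    String str = "This is a string.";
}'''
OBFUSCATED_SOURCE = '''public class A extends B {
    private String a = "Au8aujEWS(jol#9jSd9";
    String b = "This is a string.";
}'''

if __name__ == "__main__":
    for label, src in (("original", ORIGINAL_SOURCE), ("obfuscated", OBFUSCATED_SOURCE)):
        for lineno, literal in find_hardcoded_secrets(src):
            print(f"{label}: line {lineno}: hard-coded secret candidate {literal!r}")
```

Run against your own source tree or decompiled release build before shipping; any hit is a value that belongs on a server or in a hardware-backed keystore rather than in the APK.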
D
0

Yes, it is possible, but it's not so simple - someone truly must have a strong reason to do it.

Depending on how much security you need, you can either construct your key at runtime instead of saving it in a final String, download it from the Internet (but this approach must be secured even better, and may not be worth it), or let some external server do the work instead of your app - especially if you are talking about payments and storing your public key - in which case the key won't even be embedded in your app.

Also, remember to make the hacker's life harder by using the mentioned obfuscation tools like ProGuard: http://developer.android.com/tools/help/proguard.html.

Ditzel answered 4/9, 2012 at 9:5 Comment(0)
