Android Question Hardening app security, verify signature?

techknight

Well-Known Member
Licensed User
Longtime User
I am thinking of ways to harden the final app/APK.

Is it possible to verify the App's signature/certificate during runtime? Basically a simple check to see if the APK had been decompiled or resigned? And also a check for the "Debuggable" flag that could be added in the manifest editor?

I know most of these events are futile in the hands of hackers, but it would make things a little bit harder.

Basically, I am trying to obfuscate the possibility of someone inserting malware into my APK or break the licensing system and recompile.
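The two checks asked about above (does the running APK still carry the developer's signing certificate, and has the manifest been flipped to debuggable) are both answerable from the Android SDK. The class below is an added example written for this thread; it is not code from the original post, from B4A, or from Informatix's bundle. It assumes a plain Android Java project and uses a placeholder `EXPECTED_CERT_SHA256` that you would replace with the SHA-256 fingerprint of your own release certificate (if you use Play App Signing, that is the app signing certificate shown in the Play Console, not your upload key).

```java
// Added example (not from the thread): runtime self-check of the APK's
// signing certificate and of the manifest's debuggable flag.
// Assumptions: plain Android Java; EXPECTED_CERT_SHA256 is a placeholder
// for the hex SHA-256 of your release signing certificate.
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;

public final class IntegrityCheck {
    // Placeholder: obtain the real value with
    //   keytool -printcert -jarfile app-release.apk
    private static final String EXPECTED_CERT_SHA256 =
            "PLACEHOLDER_REPLACE_WITH_YOUR_RELEASE_CERT_SHA256";

    private IntegrityCheck() {}

    /** True if the APK was built (or re-packaged) with android:debuggable="true". */
    public static boolean isDebuggable(Context ctx) {
        ApplicationInfo ai = ctx.getApplicationInfo();
        return (ai.flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    /** The certificates the package manager actually validated for this APK. */
    private static Signature[] currentSigners(Context ctx)
            throws PackageManager.NameNotFoundException {
        PackageManager pm = ctx.getPackageManager();
        String pkg = ctx.getPackageName();
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            PackageInfo pi = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
            return pi.signingInfo.getApkContentsSigners();
        }
        @SuppressWarnings("deprecation")
        PackageInfo pi = pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
        return pi.signatures;
    }

    /** Lower-case hex SHA-256 of the DER-encoded certificate bytes. */
    private static String sha256Hex(byte[] data) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            StringBuilder sb = new StringBuilder();
            for (byte b : md.digest(data)) {
                sb.append(String.format(Locale.ROOT, "%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory on Android", e);
        }
    }

    /** True only if exactly one signer is present and it is the expected release cert. */
    public static boolean signatureMatches(Context ctx) {
        try {
            Signature[] signers = currentSigners(ctx);
            // A re-signed APK carries the attacker's certificate instead of (or as well as) yours.
            if (signers == null || signers.length != 1) {
                return false;
            }
            byte[] actual = sha256Hex(signers[0].toByteArray())
                    .getBytes(StandardCharsets.US_ASCII);
            byte[] expected = EXPECTED_CERT_SHA256.toLowerCase(Locale.ROOT)
                    .getBytes(StandardCharsets.US_ASCII);
            return MessageDigest.isEqual(actual, expected); // constant-time compare
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        }
    }

    /** Combined verdict: debuggable build or foreign signature means the APK was altered. */
    public static boolean looksTampered(Context ctx) {
        return isDebuggable(ctx) || !signatureMatches(ctx);
    }
}
```

A practitioner would call `IntegrityCheck.looksTampered(getApplicationContext())` early in the application lifecycle and, rather than branching on a single boolean (which is exactly the kind of check that can be patched out, as the thread goes on to discuss), feed the computed certificate hash into something the app genuinely needs, such as the key derivation for its license file or the request signing for its server session, so that a re-signed build fails functionally rather than at one easily located `if`.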
 

techknight

Well-Known Member
Licensed User
Longtime User
Tell that to Denuvo, the developers of the protection for Just Cause 3....

Anyways, your response didn't really help me at all.
 
Upvote 0

wonder

Expert
Licensed User
Longtime User
The ProBundle contains a guide which will point you in the right direction.

- Protect My App - a PDF guide to protect your application
In this guide, I explain in detail how hackers can decompile your application and change your code. I give advice about what to do and what to avoid. I provide a practical solution to enforce the protection of your assets (images, db, etc.), passwords, and even pieces of critical code.
With this guide, I provide seven configuration files for the Proguard tool and an updated version of the BasicLibIDE library, made compatible with the recent versions of B4A and the obfuscated mode.

- My Secure Vault
This guide offers an alternative to the solution suggested in the previous guide. It explains how to create your own library in C and provides the code to generate it (the knowledge of the C language is not required).
 
Upvote 0

techknight

Well-Known Member
Licensed User
Longtime User
I'll have to think about it. It appears it's donationware, and no demo or sample on its usage, etc. without paying for it.
 
Upvote 0

lemonisdead

Well-Known Member
Licensed User
Longtime User
no demo or sample on its usage, etc. without paying for it.
Right, but the sheet about how to protect the app is detailed and really helps to understand what to do and how to do it to protect the app.
 
Upvote 0

lemonisdead

Well-Known Member
Licensed User
Longtime User
Nope, that sheet is a 22 pages document and part of Informatix Pro Bundle, named "ProtectMyApp".
Informatix explains with various examples how hackers could see your code and how you can avoid that. I cannot post samples because it is his property, but it ends like this:
informatix said:
Now, our code is a nightmare for hackers. An experienced hacker will certainly succeed in defeating the protection, but “Good luck my friend"
 
Upvote 0

Informatix

Expert
Licensed User
Longtime User
I'll have to think about it. It appears it's donationware, and no demo or sample on its usage, etc. without paying for it.
If I expose publicly the method or give enough advice to reproduce it, then asking for a donation becomes pointless. My method is based on the signature but it's not just a check, as it's easy to remove a check. It's more clever and more difficult to remove. This protection is probably the best available nowadays for Android. The critical parts of the code are in C (so you also need the libraries, not only the PDF guides). And if you want to see how strong the protection is, try to hack my game "Diktatour" available on Google Play.
The PDF also gives tips about what to do and what to avoid, with the reason behind, because locking your door is useless if you open the windows.
 
Upvote 0

techknight

Well-Known Member
Licensed User
Longtime User
Well, I may just have to purchase it and try it out. See how it does. ;-)

Basically I am creating a username/password/challenge key negotiation system for my app, and it's useless if it can all be patched out of it.

Plus there needs to be a public key or something to decrypt the server data during the session, and the license file stored on the device for that particular app.
 
Upvote 0