B4A Library Library ProtectYourApp ( Protect your apk ) Rel.2

Hi all.
As promised is available library ProtectYourApp.
Just two minutes are required to implement the same within your apk.
Obviously I do not guarantee that it will never be unprotected, but definitely make life complicated for those who want to change your apk.
You can protect your APP and authorize, if you want, the same on some devices (this can be useful if you sell your license for a limited number of devices)
For more details Rel.2 look #3
ProtectYourApp
Author: Devil-App
Version: 2.00

• ProApp
  Methods:
  • IsInitialized As Boolean
    Tests whether the object has been initialized.
  • cryptpya (text_crypt As String) As String
    *This Crypt your string ( DB or Variable, etc. )
    *Example:
    Dim crypted1 As String = PYT.Cryptpya("Example Text crypto")
    .....
    Label1.Text = PYT.Decryptpya(crypted1)
  • decryptpya (text_crypt As String) As String
    *This Decrypt your string ( DB or Variable, etc. )
    *Example:
    Dim crypted1 As String = PYT.Cryptpya("Example Text crypto")
    .....
    Label1.Text = PYT.Decryptpya(crypted1)
  • initialize As String
    *This Initialize Library ProtectYourApp
    *Example:
    Dim PYT As ProApp
    ....
    PYT.Initialize
  • Protectyourapp (checkp As String, value As String) As String
    *This check that APK isnt modified
    *Example:
    Sub Process_Globals
    Dim crypta As String = "thedestiny"
    ........
    Sub Activity_Create(FirstTime As Boolean)
    Dim recypt As String = PYT.Cryptpya(crypta)
    If PYT.Decryptpya(PYT.ProtectYourApp(check, PYT.Decryptpya(recypt))) = PYT.Decryptpya(ValueUser) Then
    Log("VALIDATE")
    else
    Log("INVALIDATE")
    End if
    ......
  • Protectyourappdevice (numberdevice() As String, value As String) As String
    *This check that APK isnt modified and RUN only in some Device
    *Example:
    Sub Process_Globals
    Dim crypta As String = "thedestiny"
    ........
    Sub Activity_Create(FirstTime As Boolean)
    Dim recypt As String = PYT.Cryptpya(crypta)
    Dim CodeDevice() As String = Array As String("SetCode", check1mobile , check2mobile, check3mobile)
    If PYT.Decryptpya(PYT.ProtectYourAppDevice(CodeDevice, PYT.Decryptpya(recypt))) = PYT.Decryptpya(ValueUser) Then
    Log("VALIDATE")
    else
    Log("INVALIDATE")
    End if
    ......

You can see APK protect with this method here: DEMO HERE
If you want download and try

The library is not free. You need to donate as low as 15€ to get the library.
To send the money, just click on the Donate button below (the amount to enter is in euros).

 

[MarcoRome]

Look this movie and this steps:

1. Enter a key of your choice

'FIRST YOU CHOOSE YOUR KEY
Dim crypta As String = "putheremykey"

2. Run this line of code:

PYT.ProtectYourApp ("", PYT.Decryptpya (recypt))

Comeback 2 constant ( ValueUser / check )
3. Implement your protection with this code:

If PYT.Decryptpya (PYT.ProtectYourApp (check, PYT.Decryptpya (recypt))) = PYT.Decryptpya (ValueUser) Then
'VALIDATE
Label1.Text = PYT.Decryptpya (crypted)
Label1.TextColor = Colors.Green
Panel1.Color = Colors.Green
else
'INVALID
Label1.Text = PYT.Decryptpya (crypted1)
Panel1.Color = Colors.Red
end If

4. The attached sample library brings an example of how to call the protection in different points of the app

 

[MarcoRome]

ProtectYourApp Rel.2.00
With Release 2, you can protect your app and authorize that the same works only on devices that you choose (this can be useful if you sell licenses for a limited number of devices).
Release 1 allows you to protect your App (the same can be decompiled and modified, but when you try to recompile not finding your signature the same will not work).
Now ( Release 2 ) you have two methods:
- The first method:

PYT.ProtectYourApp

Generically protects your app and can be used on all devices.

'*This check that APK isnt modified
'*Example:
'Sub Process_Globals
'Dim crypta As String = "thedestiny"
'........
'Sub Activity_Create(FirstTime As Boolean)
'Dim recypt As String = PYT.Cryptpya(crypta)
'If PYT.Decryptpya(PYT.ProtectYourApp(check, PYT.Decryptpya(recypt))) = PYT.Decryptpya(ValueUser) Then
' Log("VALIDATE")
' else
' Log("INVALIDATE")
'End if
'......

- The method:

PYT.ProtectYourAppDevice

you can authorize to run your app on some devices

'*This check that APK isnt modified and RUN only in some Device
'*Example:
'Sub Process_Globals
'Dim crypta As String = "thedestiny"
'........
'Sub Activity_Create(FirstTime As Boolean)
'Dim recypt As String = PYT.Cryptpya(crypta)
'Dim CodeDevice() As String = Array As String("SetCode", check1mobile , check2mobile, check3mobile)
'If PYT.Decryptpya(PYT.ProtectYourAppDevice(CodeDevice, PYT.Decryptpya(recypt))) = PYT.Decryptpya(ValueUser) Then
' Log("VALIDATE")
' else
' Log("INVALIDATE")
'End if
'......

The two methods can be used separately.
To use the first method ( ProtectYourApp) you only need server access (2 minutes) the code into your .apk.
To use the method ( ProtectYourAppDevice ) you need to know and get a Serial Number from the device where you intend to run your App.
Along with the library will be delivered to you a tool that will be installed on the device that you want authorized, this app is used only to get the code to be used. So you will have the opportunity (without having the need to have in your hands the device to be authorized) to send the app to your client and receive the device code to be authorized

 

[MarcoRome]

3. Space reserved....

 

[ArminKH]

Thank u marco
Good luck

 

[MarcoRome]

Hi all.
As promised is available library ProtectYourApp.
Good Job

 

[FabioRome]

Hi marco.
I send just now donation.
Pls send me library.
Thank you
Fabio

 

[Informatix]

A naive question: if I decompile your app and remove what I see above (the cls sub and all calls to that sub), what prevents me from using the app?

 

[MarcoRome]

A naive question: if I decompile your app and remove what I see above (the cls sub and all calls to that sub), what prevents me from using the app?

Hi Informatix
In the example i have called this sub cls (but you call it in different ways, or more sub concrete example: lcs, splash_screen or another name ( this is limited your fantasy ; )) All programs to be protected is good that the developer implements the sub and try to "delude" the reverse. Usually if they lose a lot of time for reverse desist from continuing.
In any case any protection (even with hardware device) can be removed, it depends on when the reverse is decided and when well is implemented by the function.
Example: If i decide to use only a sub type cls enough to eliminate this sub. Even in the same sub but i could enhance the important variables for our app and therefore if you decide to delete that sub our app most likely will crash.
Or next, if i decide to enter as two sub example: splash_screen and menu and call the same in many places the reverse will certainly more challenging.
The reverse will be busy searching the source strings such invalid, protect or similar, that can give him a track and a foothold on what follow.
My example is to try that in the case in which is made a reverse, and then recompiled with a different sign that the app is not working.
In the example not shown a diagram of how to implement a good protection.
Although actually i could write an example B4A that can help in this direction

 

[MarcoRome]

Hi marco.
I send just now donation.
Pls send me library.
Thank you
Fabio

Hi Fabio.
You have mail.
Thank you for donation.

 

[Informatix]

Hi Informatix
In the example i have called this sub cls (but you call it in different ways, or more sub concrete example: lcs, splash_screen or another name ( this is limited your fantasy ; )) All programs to be protected is good that the developer implements the sub and try to "delude" the reverse. Usually if they lose a lot of time for reverse desist from continuing.
In any case any protection (even with hardware device) can be removed, it depends on when the reverse is decided and when well is implemented by the function.
Example: If i decide to use only a sub type cls enough to eliminate this sub. Even in the same sub but i could enhance the important variables for our app and therefore if you decide to delete that sub our app most likely will crash.
Or next, if i decide to enter as two sub example: splash_screen and menu and call the same in many places the reverse will certainly more challenging.
The reverse will be busy searching the source strings such invalid, protect or similar, that can give him a track and a foothold on what follow.
My example is to try that in the case in which is made a reverse, and then recompiled with a different sign that the app is not working.
In the example not shown a diagram of how to implement a good protection.
Although actually i could write an example B4A that can help in this direction

I suppose that you use an automatic translator because I have difficulties to truly understand the answer.
I decompiled your demo APK to try to understand how you protect the app because I could be interested but the protection that I saw seems very easy to defeat. In your APK, to bypass the protection, I would remove all code in proapp._protectyourapp and always return 100. I don't understand why you say that the app could not be used after that. Nothing seems to prevent it.

 

[MarcoRome]

I suppose that you use an automatic translator because I have difficulties to truly understand the answer.
I decompiled your demo APK to try to understand how you protect the app because I could be interested but the protection that I saw seems very easy to defeat. In your APK, to bypass the protection, I would remove all code in proapp._protectyourapp and always return 100. I don't understand why you say that the app could not be used after that. Nothing seems to prevent it.

Hi Informatix.
I try to explain better. When i write this #9 i mean that the example in attachment ( THIS ) not implement a good protection scheme but simply demonstrates that if you recompile and resign this App will not work.
Now, i'll try to write a new example (this time i will try to implement a better protection scheme) and i will modify the library so that the return value can be entered by the programmer. In this way it will always be different.
Thank you for your time Informatix.
See late soon

 

[MarcoRome]

I suppose that you use an automatic translator because I have difficulties to truly understand the answer.
I decompiled your demo APK to try to understand how you protect the app because I could be interested but the protection that I saw seems very easy to defeat. In your APK, to bypass the protection, I would remove all code in proapp._protectyourapp and always return 100. I don't understand why you say that the app could not be used after that. Nothing seems to prevent it.

Hi Informatix.
I changed a few things, now the library returns a value that every programmer can insert and this value and encrypted.
Can you try and give me feedback ( also with apk modified if this is possible ) ?
Thank you for your time

 

[Informatix]

Hi Informatix.
I changed a few things, now the library returns a value that every programmer can insert and this value and encrypted.
Can you try and give me feedback ( also with apk modified if this is possible ) ?
Thank you for your time

It's the same protection scheme so bypassing it is still easy. I post what I would do in private.

 

[MarcoRome]

It's the same protection scheme so bypassing it is still easy. I post what I would do in private.

ok, i wait..
Thank

 

[MarcoRome]

ok after a long and constructive PM i understand the point of view of Informatix. Looking at the decompiled files i understand where are the instructions of protection and i can imagine how you can get around the same.
You can get .dex files from apk easily. Dex is a type of file that compiled to run on Dalvik. So dex files are very similar to .class files. There are some tools for to converting .dex to .class. After that you can decode .class files to .java so that you can read the code and edit the same.
But in fact, ( i used different tools for test ) i have changed the code but with none tools i got a apk that worked ( errors in compilation ). Only one of these tools is able to compilate but the result is not changed.
So, i say everything is possible but how many people can do this.

 

[MarcoRome]

To obfuscate the code further we could use some tools ( if compatible )
In any case i will study in depth the question and i will try to add to the library of the suggestions from Informatix.
Thank you again for you time

 

[MarcoRome]

Anyway after long test... yes is possible reverse ... is possible understand where is code, is possible change ... but for now ISNT possible recompiled code.
Cheers

 

[Informatix]

but for now ISNT possible recompiled code.

It's because you don't have the right tools or skills, not because it is not possible. Your protection does not do anything against a recompilation. A possible way of recompiling your APK very easily is to use the version 5 of B4A for example. Just before the classes are converted to a dex file, replace the proapp class by a modified version (thanks to the CustomBuildAction #6). The modified version can be created from scratch in B4A. It needs to expose the same functions (protectyourapp, decryptpya, etc.) but with a code that makes all conditions true or does nothing.
I have another idea that should be uneasy to defeat: some critical assets, data and code are stored in an encrypted file that is decrypted at runtime with a password computed by a C library (.so file) so decompiling the Java code does not help. Of course, if the APK is modified or signed with another key, the computed password does not match the original one. To avoid exposing all files of the encrypted archive when running a valid copy, data and code to extract are injected directly into memory, not on disk. I will try to do this library if I find time.

 

[MarcoRome]

Hi informatix .
"ISNT possibile recompiled" <> "is impossible compiled".
I like very much your idea:

I have another idea that should be uneasy to defeat: some critical assets, data and code are stored in an encrypted file that is decrypted at runtime with a password computed by a C library (.so file) so decompiling the Java code does not help. Of course, if the APK is modified or signed with another key, the computed password does not match the original one. To avoid exposing all files of the encrypted archive when running a valid copy, data and code to extract are injected directly into memory, not on disk

and event more this:

I will try to do this library if I find time.

Cheers