Android Question Why B4A Decompiled?

H

Hamied Abou Hulaikah

Well-Known Member
Licensed User
Longtime User
Hi All,
My B4A generated apk source code "java code" is decompiled easly using any decompile tool, while my C# xamarin generated apk can't be decompiled using the same decompile tool !!!
Any suggestion or explanation to protect our B4A projects more ...
 
Sort by date Sort by votes
G

gkoehn

Member
Licensed User
gkoehn said:
Interesting! Someone help us out and tell us how to do it!
Click to expand...
Would you use a native .so assembly that would contain the API key?
If so, can someone give us a simple tutorial on how to do that all from scratch?

And yet, if you do that, you can still Hex View the API key?
So... How to do it is the question????
 
Last edited:
Upvote 0
K

keirS

Well-Known Member
Licensed User
Longtime User
gkoehn said:
Would you use a native .so assembly that would contain the API key?
If so, can someone give us a simple tutorial on how to do that all from scratch?

And yet, if you do that, you can still Hex View the API key?
So... How to do it is the question????
Click to expand...

There is no such thing as absolute security. You can convert ARM64 native code back in to C using tools like Hex-Rays. One solution is to not hold any string literals for your key in your app at all. Hold them on a server and use the Instance ID and key signing features to retrieve settings each time the app is run.
 
Upvote 0
Informatix

Informatix

Expert
Licensed User
Longtime User
gkoehn said:
Yes! Fully agree with you!

Another Question...
How do you persist client side session state securely?
Let's suppose I am hitting a Restfull API.
I use OAUTH.
How do I securely save the Token on the client device? (Maybe there is not a security Risk here...)
How do Banking Apps do it securily? (Or do they?)

Do you discuss this in your ProBundle?
Click to expand...
When you receive the token, you can save it in an encrypted file in the internal folder of your app. The encryption/decryption requires a password of course, and the password to be secure has to be encrypted too (this looks like an never ending story, but the ProBundle guides explain how you can store this password safely).
Another solution implies the Android Keystore but I don't know whether it exists a B4a library for that. ProBundle has not a lot of donors (and most people donate mainly for the libraries, not for the guides) so the guides won't probably be updated and I won't add libraries for security/privacy. I don't have enough time, enough motivation. A security expert estimated that 99% of Android apps on the Google Play store have no protection at all (obfuscation put aside), so it's obviously not a concern for most developers.
 
Upvote 0
Informatix

Informatix

Expert
Licensed User
Longtime User
keirS said:
One solution is to not hold any string literals for your key in your app at all. Hold them on a server and use the Instance ID and key signing features to retrieve settings each time the app is run.
Click to expand...
Using a server and not storing anything sensitive on the phone is indeed the best method available, but it's only theoretical because it's not uncommon that people are more skilled on the Android part than on the server part (and the security implied). For the hacker it is sometimes easier to get informations directly on the server than to try to hack the Android app (especially when the data are only encrypted during the exchanges and not where they are stored on the server).
Another (obvious) issue with servers is that your app requires an internet connection to work.
 
Last edited:
Upvote 0
Informatix

Informatix

Expert
Licensed User
Longtime User
keirS said:
There is no such thing as absolute security.
Click to expand...
I totally agree. As I explain in the ProBundle guides, the goal is to delay as much as possible when your application will be hacked. In the video game industry, no one is under any illusions; their new game will be cracked and distributed via Torrent one day or another, but if crackers take a month to get there, sales will be sufficient to make the development profitable.
 
Upvote 0
MarkusR

MarkusR

Well-Known Member
Licensed User
Longtime User
btw if a developer see a app logic he can easy rewrite this app.
decompiled source was never something that you can use.

about the hack and crack, some people did not have the money to buy apps or games, it is not really a lost for the producer.
my wife is thai and when i was there at vacation i saw they sell pirated material (software/games) in public mall for small money. o_O
 
Upvote 0
H

Hamied Abou Hulaikah

Well-Known Member
Licensed User
Longtime User
MarkusR said:
if a developer see a app logic he can easy rewrite this app
Click to expand...
This is really the second big problem when our apps decompiled ...
I have several b4a apps i invest in it a thousands of dollars, we success because of our magic code logic & workflow & we was unique. Now many developers decompile our apps , read & understand our code logics !! then they produce similar apps & start compete us hardly using our code logics & workflow !!!
We need more scenarios to protect our data & logics.
 
Upvote 0
tufanv

tufanv

Expert
Licensed User
Longtime User
HAH said:
This is really the second big problem when our apps decompiled ...
I have several b4a apps i invest in it a thousands of dollars, we success because of our magic code logic & workflow & we was unique. Now many developers decompile our apps , read & understand our code logics !! then they produce similar apps & start compete us hardly using our code logics & workflow !!!
We need more scenarios to protect our data & logics.
Click to expand...
it is the same for every developer. this is not unique for you. you can also decompile or understand a unique app and rewrite it and it is not unique anymore. Sorry but this is a little ridiculous to make this a problem.
 
Upvote 0
Informatix

Informatix

Expert
Licensed User
Longtime User
HAH said:
This is really the second big problem when our apps decompiled ...
I have several b4a apps i invest in it a thousands of dollars, we success because of our magic code logic & workflow & we was unique. Now many developers decompile our apps , read & understand our code logics !! then they produce similar apps & start compete us hardly using our code logics & workflow !!!
We need more scenarios to protect our data & logics.
Click to expand...
This problem exists since long. It was already the case long before Java, B4a, .Net or Xamarin exist. If you want to hide your code, you have to encrypt it and run the decrypted form at runtime when required. But even in this case it is possible with a debugger to see what's going on in memory, but you limit the number of people able to do that (and I explain in ProBundle how to limit the debugging of your app).
 
Upvote 0
alwaysbusy

alwaysbusy

Expert
Licensed User
Longtime User
I agree with @tufanv Sorry, but I think you are over overreacting, no need to start a panic. Android/java apps have been like that forever and there are billions of them just like that. Google has always advised to write Android apps in Java (as C++ is A LOT heavier to maintain and a much more difficult to debug). This is not an B4X issue as the same can be said about Android Studio and many other tools, used by many Android developers. And with all do respect, everyone thinks his code is magic and unique. :D

As Informatix is pointing out, there are ways to help preventing such things, but there is always someone smarter than you who will be able to break it. Development is only a part of the process, marketing and customer support are the keys to a succesful app.
 
Upvote 0
Star-Dust

Star-Dust

Expert
Licensed User
Longtime User
alwaysbusy said:
As Informatix is pointing out, there are ways to help preventing such things, but there is always someone smarter than you who will be able to break it. Development is only a part of the process, marketing and customer support are the keys to a succesful app.
Click to expand...
I share, but I would like to point out that it is not strictly necessary to be smart to decompile an app, but just any free software.

I would say that it is enough for a developer who thinks he has cunning. And we know that not all people who have (or believe they have) cunning are intelligent. In fact, many of these tricks can also be easily discovered by trivial errors that an intelligent would not do ...:D
 
Last edited:
Upvote 0
MarkusR

MarkusR

Well-Known Member
Licensed User
Longtime User
HAH said:
This is really the second big problem when our apps decompiled ...
I have several b4a apps i invest in it a thousands of dollars, we success because of our magic code logic & workflow & we was unique. Now many developers decompile our apps , read & understand our code logics !! then they produce similar apps & start compete us hardly using our code logics & workflow !!!
We need more scenarios to protect our data & logics.
Click to expand...
in this case i think its better to limit the app access. with seeing the code logic i meant seeing the app forms and workflow only.
 
Upvote 0
You must log in or register to reply here.

Similar Threads

Erel
  • Locked
  • Article
Tool Ready to run SDK
Replies
0
Views
22K
Erel
Erel
Beja
  • Question
Android Question Is it possible to decompile an installed app?
Replies
12
Views
3K
MarcoRome
MarcoRome
M
  • Question
Android Question java.lang.NoClassDefFoundError on library
Replies
4
Views
5K
TOCC
TOCC
Erel
  • Article
Android Tutorial Code Obfuscation
2 3 4
Replies
60
Views
61K
vvg
vvg
warwound
Java Question Decompiled WebViewWrapper
Replies
2
Views
5K
warwound
warwound
Top