Do you know following things about Android?
Who can see application's code?
If not properly protected – just about anybody can! Android applications are run client-side, which means that the actual code for the application is downloaded onto the user's mobile device.
What they can see if not protected?
If not properly protected, decompiled code can potentially reveal usernames and passwords to back-end databases. This means that anyone could have access to your sensitive data.
How did they do it?
Through a process called 'de-compilation', hackers can use simple tools to reverse engineer your app, reproducing the original source code.
Mobile app development and IT services company RIIS has released a new security tool designed to prevent Android de-compilation by hackers on mobile devices
HoseDex2Jar is similar to HoseMocha which appeared in the late 1990's. Like HoseMocha, HoseDex2Jar is a simple tool that adds some instructions to the classes.dex file that Dex2Jar can not process. HoseDex2Jar is currently available on http://www.decompilingandroid.com.
Developers can take steps such as using tools like ProGuard to obfuscate their code, but up until now, it has been impossible to prevent someone from decompiling an app,” said Godfrey Nolan, RIIS president. ”We realized if there was a way to stop Dex2Jar, we would stop all Android de-compilation. HoseDex2Jar does just that. It stops Dex2Jar by inserting harmless code in an Android APK that confuses and disables Dex2Jar and protects the code from de-compilation.
“To crack an Android app, hackers can download the app on another machine (e.g., Mac) and run a tool (e.g., apktool) to unpackage the app and disassemble its Dalvik bytecode,” the report notes. Dalvik is the process virtual machine in Google Android's operating system.
“They analyze the disassembled code or use tools (e.g., dex2jar and a Java de-compiler) to decompile Dalvik bytecode to Java source code and analyze the source code,” the report continues. “They can make changes to disable license checks (or other modifications) and repackage the app and resign it.”
According to RIIS, the new tool represents a step forward in protecting applications from this kind of behavior.
White Paper published by RIIS at http://decompilingandroid.com/Code_Audit_White_Paper.pdf
Download source code at GitHub.