Reverse Engineering an App & enabling Proguard – Android Security

Let’s Reverse Engineer an Android App

Did you obfuscate app before releasing your APK file to the Playstore?

Please make sure you do, otherwise, consider that anyone can reverse engineer your app source code. Just as a matter of fact, I recently had to reverse engineer an APK. Why? Our partner who developed our app did not want to give us the source code which we legally owned. Fortunately, we only used it to troubleshoot an issue with the app.

Indeed, the process to get the source code from an unprotected APK is quite straightforward.

– Download the APK file

The first step is to obtain the APK file. Search for the APK of the app from this website https://apkpure.com.

– Use deobfuscation tools to reverse engineer the APK file

We will use an online tool: http://www.javadecompilers.com/apk. For e.g, after uploading the MyEmtelApp APK into javadecompilers.com,  we can see all extracted source codes:

Screen Shot 2019-01-30 at 9.23.57 PM.png

We can basically obtain everything from sources folder (Java codes) to resources (string.xml files, layout files). For example, in the MyEmtelApp above listed is all the packages in the app module. Indeed, if we go into each package, we will obtain the complete source code for each class. Thankfully, we can choose to secure the APK file without too much effort. There exists various options but we will be using Proguard tool in our example.

Securing your code

As we have seen the side effect of not using proguard, let’s now look at the effort required to protect your APK.

will also remove unused code and also optimises the byte code, thereby reducing the size of APK build. However, we cannot obfuscate all code in our app, this may usually cause unexpected behaviors. It is critical to test (or retest) any release build whenever proguard is enabled.  To prevent issues, we will need to explicitly tell proguard which code NOT to obfuscate and this is usually done in the ‘proguard-android.txt’ file. Let’s see the process to enable proguard in Android Studio:

a) Enable Proguard for RELEASE build:

  • Open build.gradle of the app module.
  • Update the “buildTypes” for the release build as below:
    Screen Shot 2019-01-30 at 5.31.55 PM.png
  • Add the line minifyEnabled true
  • Add the line to set the proguard rules:

proguardFiles getDefaultProguardFile(‘proguard-android.txt’), ‘proguard-rules.pro’

After updating the gradle file, try to generate a release APK. You may get some warnings which is normal. If you find errors like “ClassNotFoundExceptions“, you will need to update your proguard rules which we are now going to discuss.

b) Add proguard Rules!

Proguard will obsfuscate all your code which may cause some issues. You must update your proguard rules file to prevent potential app crashes.
First, locate the file “proguard-rules.pro”:
Screen Shot 2019-01-30 at 7.08.58 PM.png
In the file, proguard-rules.pro we will add the lines below for all errors ClassNotFoundExceptions, MethodNotFoundException, FieldNotFoundException which we got when building the release APK in the previous section:
-keep class {MISSING_CLASS_PACKAGE_NAME.**}
-dontwarn {MISSING_CLASS_PACKAGE_NAME.**}

 

What classes we need to keep?

Usually we have to add the keep annotation for all classes which uses reflection. These are classes which are Serialized and Deserialized to transform an object of class into another format. E.g, Data classes in HTTP requests; turning JSON objects into data objects.  This is required because Android/JRE needs to access the class at runtime to compute how to transform the object.

If you do not add @keep annotation, you will find your models will no represented in the proper format after Serializing/Deserializing. Below is an example how to add exception into proguard-rules.pro file to prevent models in “myapp.com” package from being obfuscated.

-keep class myapp.com.model.** { *; }  -> simply means all classes inside model package will not be obsfuscated as we need to keep data models which are serialised.

# Application classes that will be serialized/deserialized over Gson, keepclassmembers
-keep class myapp.com.model.** { *; }
-keepclassmembers class myapp.com.model.** { *; }

 

Consequently, there are external libraries which requires proguard exception. E.g all libraries which uses reflection, e.g Gson, OKHttp, ROOM Dao, Firebase.

# For using GSON @Expose annotation
-keepattributes *Annotation*

#bottom navigation
-keep public class android.support.design.widget.BottomNavigationView { *; }
-keep public class android.support.design.internal.BottomNavigationMenuView { *; }
-keep public class android.support.design.internal.BottomNavigationPresenter { *; }
-keep public class android.support.design.internal.BottomNavigationItemView { *; }

#OKHTTP
-keep class com.squareup.okhttp.** { *; }
-keep interface com.squareup.okhttp.** { *; }
-dontwarn com.squareup.okhttp.**
-keep class com.android.okhttp.** { *; }

#Android Room
-keep class myapp.com.persistence.** { *; }
-dontwarn android.arch.util.paging.CountedDataSource
-dontwarn android.arch.persistence.room.paging.LimitOffsetDataSource

 

After adding all the required @keep and @dontwarn annotation, you should build and run your release APK without any issue. This should prevent easy deobfuscation of your app through various reverse engineer techniques. Note that this will also help reduce your APK size. That will be all for this blog post. I hope this helps you to better understand to better secure your APK. Feel free to comment if you encounter any issue.

Follow my blog for more tips & tricks when developing your mobile apps.

 

 

Please Leave a Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s