Reverse Engineering an App & enabling Proguard – Android Security

Let’s Reverse Engineer an Android App

Did you obfuscate app before releasing your APK file to the Playstore?

Please make sure you do, otherwise, consider that anyone can reverse engineer your app source code. Just as a matter of fact, I recently had to reverse engineer an APK. Why? Our partner who developed our app did not want to give us the source code which we legally owned. Fortunately, we only used it to troubleshoot an issue with the app.

Indeed, the process to get the source code from an unprotected APK is quite straightforward.

– Download the APK file

The first step is to obtain the APK file. Search for the APK of the app from this website https://apkpure.com.

– Use deobfuscation tools to reverse engineer the APK file

We will use an online tool: http://www.javadecompilers.com/apk. For e.g, after uploading the MyEmtelApp APK into javadecompilers.com,  we can see all extracted source codes:

Screen Shot 2019-01-30 at 9.23.57 PM.png

We can basically obtain everything from sources folder (Java codes) to resources (string.xml files, layout files). For example, in the MyEmtelApp above listed is all the packages in the app module. Indeed, if we go into each package, we will obtain the complete source code for each class. Thankfully, we can choose to secure the APK file without too much effort. There exists various options but we will be using Proguard tool in our example.

Securing your code

As we have seen the side effect of not using proguard, let’s now look at the effort required to protect your APK.

will also remove unused code and also optimises the byte code, thereby reducing the size of APK build. However, we cannot obfuscate all code in our app, this may usually cause unexpected behaviors. It is critical to test (or retest) any release build whenever proguard is enabled.  To prevent issues, we will need to explicitly tell proguard which code NOT to obfuscate and this is usually done in the ‘proguard-android.txt’ file. Let’s see the process to enable proguard in Android Studio:

a) Enable Proguard for RELEASE build:

  • Open build.gradle of the app module.
  • Update the “buildTypes” for the release build as below:
    Screen Shot 2019-01-30 at 5.31.55 PM.png
  • Add the line minifyEnabled true
  • Add the line to set the proguard rules:

proguardFiles getDefaultProguardFile(‘proguard-android.txt’), ‘proguard-rules.pro’

After updating the gradle file, try to generate a release APK. You may get some warnings which is normal. If you find errors like “ClassNotFoundExceptions“, you will need to update your proguard rules which we are now going to discuss.

b) Add proguard Rules!

Proguard will obsfuscate all your code which may cause some issues. You must update your proguard rules file to prevent potential app crashes.
First, locate the file “proguard-rules.pro”:
Screen Shot 2019-01-30 at 7.08.58 PM.png
In the file, proguard-rules.pro we will add the lines below for all errors ClassNotFoundExceptions, MethodNotFoundException, FieldNotFoundException which we got when building the release APK in the previous section:
-keep class {MISSING_CLASS_PACKAGE_NAME.**}
-dontwarn {MISSING_CLASS_PACKAGE_NAME.**}

 

What classes we need to keep?

Usually we have to add the keep annotation for all classes which uses reflection. These are classes which are Serialized and Deserialized to transform an object of class into another format. E.g, Data classes in HTTP requests; turning JSON objects into data objects.  This is required because Android/JRE needs to access the class at runtime to compute how to transform the object.

If you do not add @keep annotation, you will find your models will no represented in the proper format after Serializing/Deserializing. Below is an example how to add exception into proguard-rules.pro file to prevent models in “myapp.com” package from being obfuscated.

-keep class myapp.com.model.** { *; }  -> simply means all classes inside model package will not be obsfuscated as we need to keep data models which are serialised.

# Application classes that will be serialized/deserialized over Gson, keepclassmembers
-keep class myapp.com.model.** { *; }
-keepclassmembers class myapp.com.model.** { *; }

 

Consequently, there are external libraries which requires proguard exception. E.g all libraries which uses reflection, e.g Gson, OKHttp, ROOM Dao, Firebase.

# For using GSON @Expose annotation
-keepattributes *Annotation*

#bottom navigation
-keep public class android.support.design.widget.BottomNavigationView { *; }
-keep public class android.support.design.internal.BottomNavigationMenuView { *; }
-keep public class android.support.design.internal.BottomNavigationPresenter { *; }
-keep public class android.support.design.internal.BottomNavigationItemView { *; }

#OKHTTP
-keep class com.squareup.okhttp.** { *; }
-keep interface com.squareup.okhttp.** { *; }
-dontwarn com.squareup.okhttp.**
-keep class com.android.okhttp.** { *; }

#Android Room
-keep class myapp.com.persistence.** { *; }
-dontwarn android.arch.util.paging.CountedDataSource
-dontwarn android.arch.persistence.room.paging.LimitOffsetDataSource

 

After adding all the required @keep and @dontwarn annotation, you should build and run your release APK without any issue. This should prevent easy deobfuscation of your app through various reverse engineer techniques. Note that this will also help reduce your APK size. That will be all for this blog post. I hope this helps you to better understand to better secure your APK. Feel free to comment if you encounter any issue.

Follow my blog for more tips & tricks when developing your mobile apps.

 

 

Review ‘Strapi’ as CMS/API solution for mobile apps

If you need a quick and easy solution for your backend APIs + a CMS, I would recommend you to have a look at Strapi.io. The solution near zero coding to get started.

The project comes by default with APIs for Login, forget password, Registration, Login via Social Medias. All the APIs are secured OAuth. Another great feature is that you can create your schemas which can include relationships, and media type from the Admin portal itself (from web interface).  Based on the defined schemas, Strapi will automatically generate APIs to:

  1. Get a list of all objects from any schema (including nested objects/relationships)
  2. Search for one object based on its ID
  3. Count the number in any schema/table
  4. Create a new object for any schema
  5. Updated a record
  6. Delete a record

 

The CMS generated has a clean design, very easy to use on Desktop. Of course you can modify or add any APIs or the CMS interface. The generated APIs using NodeJS and the CMS uses React.JS. All React codes for the CMS web interface is store inside of “admin” folder while all of the APIs generated is stored inside of api folder.

 

There are a few downside:

Strapi is still in Alpha stage; some features may not work properly. I recently found out that fields of type images of child objects are not properly populated from APIs. However I found solution from their github which required a few modification in generated codes.

Strapi CMS is not responsive for mobile and is pretty much limited for Desktop only.

 

For more details, checkout Strapi official website: https://strapi.io

 

Best Regards

Enjoy

Sharing Printer in Ubuntu

Sharing printer in a LAN (to Windows machine or virtualbox) from a Ubuntu host machine.
1. Setup Samba:
sudo apt-get install system-config-samba.
Launch “Samba” from the launcher
Open “Preferences” > “Server Settings” and enter the work group name used in Windows.

2. Share printer:
Go to http://localhost:631/admin/ and check the box “Share printers connected to this system”.
Go to http://localhost:631/printers/ and check that the expected printer is listed.
Click the printer and check that it is listed as “Idle, Accepting Jobs, Shared, Server Default”.

3. Connect the printer:
Either:
On the Windows computer or (e.g VirtualBox), open Windows Explorer and go to the “Network” item. There’s an icon for the Ubuntu computer; open it. There’s an icon for the printer shared from Ubuntu. Right-click that one and select “Connect…”.

Or:
On the Windows computer, select “Add new printer” then “Connect to a printer on the Internet or network” and specify the full path of “http://{computername}:631/printers/{printername}”

postgresql “New Server Registration” connection problem on ubuntu?

“connection error” or “authentication problem” when trying to register a new server in pgAdmin III?

(ubuntu or xubuntu)

This post shows how to obtain & setup the “Host”, “Port”, “Username”, and “Password” of postgresql.

1) Obtain default port.  To do that, open up /etc/postgresql/x.xversion/main/postgresql.conf

See “port= 5432”. You may change the port used by postgresql.

postgresblog

2) Obtain Host.

Search the listen_addresses. For instance, here 'localhost' is my defaut host. You may alter the host here.

3) Change password.

Open terminal.

———————————————–

~$: psql -d postgres -U postgres

psql (9.1.3) Type "help" for help.
postgres=# alter user postgres with password 'mynewpassword'; ALTER ROLE
postgres=# q
~$:sudo /etc/init.d/postgresql restart
———————————————————-
Now you can run pgAdminIII. On form New Server Registration, set ‘Username’ to “postgres”, type in password you entered before, and the field ‘Name’ is up to your choice.