How To Secure Android App Code


Benefits Of Uploading An App Bundle

Secure Android Apps (Anti Reverse Engineering)

With Android app bundles you only need to build, sign, and upload a single artifact in order to support optimized APKs for a wide variety of device configurations. Google Play then manages and serves your apps APKs for you. As a result, you dont need to manage different versions of app builds for each combination of ABI, screen density, and locale that you want to support. Also, by using Android app bundles, you can benefit from ongoing improvements that are added to the delivery process.

Compared to APKs, app bundles:

  • Have smaller download sizes and smaller size on disk
  • Can use uncompressed native libraries that are stored on the APK instead of the users device, which can lower download sizes, the size on disk, and installation times
  • Serve users the functionality and configurations they need on-demand, instead of during installation
  • Simplify build and release management by removing the need to build and publish multiple APKs

Some Text Files Generated With Proguard Enabled

When you build an APK with ProGuard enabled, there are additional output text files are created. The files are:

dump.txt describes the internal structure of all the class files in the APK.

mapping.txt provides a translation between the original and obfuscated class, method, and field names. You must have to upload it at different places like PlayStore Console for seeing the original stack-trace of the crashes.

seeds.txt lists the classes and members that were not obfuscated.

usage.txt lists the code that was removed from the APK.

These files are saved at app/build/outputs/mapping/release/

[{ After uploading our release apk we can see crash report that contained class name, method name etc if there is a crash. But if we obfuscate our codes with proguard, you know class name, method name will be changed. So it will very difficult/impossible to read that crash. So what should we do ?

There is a easy solution. just upload the mapping.text file in playstore with your apk and Google will handle everything. To upload you mapping.text file follow the below process}]

  • Sign in to your Play Console.
  • Select your app.
  • On the left menu, click Android vitals> Deobfuscationfiles.
  • Next to a version of your app, click Upload.
  • Upload the ProGuard mapping.txtfile for the version of your app.
  • Creating And Configuring An Auth0 Account

    For starters, if you don’t have one yet, you can now . After that, go to the Applications section of your Auth0 dashboard and click on Create Application.

    When you click on this button, Auth0 will show you a dialog where it will ask you for two things:

    • Name: Here, you can type an identifier for your application .
    • Application Type: Here, you will have to choose “Native”.

    After filling in this form, click on the Create button. Doing so will make Auth0 redirect you to the Quick Start section of your new application. From there, head to the Settings section, and search for the Allowed Callback URLs field. In this field, insert the following value:

    • to-do://< YOUR-AUTH0-DOMAIN> /android/com.auth0.todo/callback

    Note: You will have to replace < YOUR-AUTH0-DOMAIN> with the value available on the Domain property of your new Auth0 Application . Also, if you have chosen to use a package name different than com.auth0.todo, you will have to change that too.

    The authentication process at Auth0 happens on a . That is, when your app starts the authentication process, it will open the login page in a browser and, after the authentication takes place, will redirect your user back to your app. This redirection works because your app will register a deep link in the Android device. Then, as you will configure Auth0 to call this deep link, the device will know that it has to open your app again .

    Don’t Miss: Free Rpg Games For Android

    How To Make Android As Secure As Possible

    Cameron Summerson is ex-Editor-in-Chief of Review Geek and served as an Editorial Advisor for How-To Geek and LifeSavvy. He covered technology for a decade and wrote over 4,000 articles and hundreds of product reviews in that time. Hes been published in print magazines and quoted as a smartphone expert in the New York Times. Read more…

    Mobile security is a big deal, probably now more than ever. Most of us live on our phones, with financial information, calendar appointments, family photos, and more stored on our devices. Heres how to keep your Android phone secure.

    How Code Obfuscation And Remediation Assist In Mobile App Security

    Google Authenticator app doesn

    As soon as any app goes public, so does its source code. Being a developer, you would never want any threat actor to review your code and start tampering with your application. They might even repackage the app with some malicious code.

    In order to avoid such problems, the techniques of code obfuscation and remediation come into the picture. These two methods prevent hackers from reverse engineering your app and understand the business logic and code. They also erase the potential loopholes in the code to ensure your apps security at all times.

    You May Like: Can Iphone Video Chat With Android

    Jvm The Primordial Magic

    The original source code is readable to human beings developers and hackers in particular while Java Bytecode is not readable to humans. Bytecode looks encrypted at a glance. But Java Bytecode is NOT encrypted, and this is one of the most important factors in our discussion on Android source code security.

    In fact, it is with unguarded Java Bytecode that the rebuilder finds a first point of entry an obscure door to wedge a digital foot into. And this is also where the dreaded decompiler makes a foray. But lets have a few more details about the next step in the normal development cycle before we study the deviants!

    After our app source code is compiled to Java Bytecode it is now fully portable, which means that our app will run on any device with a JVM the Java Virtual Machine. The JVM is the primordial magic which gives rise to universal compatibility for Android devices.

    However, this universality also means that Android apps are familiar territory to hackers. And the fact that Android OS is also open source means that hackers and rebuilders know a lot about the standard and default characteristics of our apps before we even write the first line of source code! This likewise implies Android APK security concerns. Code from Android APK is also familiar ground to rebuilders. We must also remember that Java itself is an older language compiler which does not manifest the most modern security concepts

    Store Private Data Within Internal Storage

    Store all private user data within the device’s internal storage, which issandboxed per app. Your app doesn’t need to request permission to view thesefiles, and other apps cannot access the files. As an added security measure,when the user uninstalls an app, the device deletes all files that the app savedwithin internal storage.

    Note: If the data that you’re storing is particularlysensitive or private, consider working withEncryptedFileobjects, which are available from the Securitylibrary, instead of File objects.

    The following code snippet demonstrates one way to write data to storage:

    Also Check: Best Ai Assistant For Android

    Settings That Protect Work Files

    The following settings are available to protect work files if a user’s device is lost or stolen:

    Delete work files from an inactive device after this many daysIf a device isn’t used for the number of days that you specify here, any work files stored on the device will be deleted automatically.
    Force users to save all work files to OneDrive for BusinessIf this setting is On, the only available save location for work files is OneDrive for Business.
    Encrypt work filesKeep this setting On so that work files are protected by encryption. Even if the device is lost or stolen, no one can read your company data.

    How To Make Apk Secure Protecting From Decompile

    How to set Lock Code for individual apps on Android

    I am developing an application that has SQLite database to store personal information that must be protected. What are some ways of protecting these personal data? An APK can easily be de-compiled completely, so how can we secure an APK? Additionally, how can a database of a mobile application be protected?

    Basically, there are 5 methods to protect your APK being cracking/ reversing/ repackaging:

    Don’t Miss: Which Android Phone Has The Largest Screen

    Convert To Native Codes

    Convert program to native codes is also an effective way to prevent decompilation. Because native codes are often difficult to be decompiled. Developers can convert the entire application to native codes, or they can also convert only key modules. If just convert key part of the modules, it will need JNI technology to call when Java programs are using these modules. It abandoned Java’s cross-platform feature when using this mothod to protect Java programs. For different platforms, we need to maintain different versions of the native codes, which will increase software support and maintenance workload. But for some key modules, sometimes this solution is often necessary. In order to guarantee these native codes will not be modified or replaced, developers often need to digitally sign these codes. Before using these native codes, developers often need to authenticate these local codes to ensure that these codes have not changed by hackers. If the signature check is passed, then developers can call relevant JNI methods.

    Syntax Of Writing Proguard

    There are different ways to keep option that you can use to configure Proguard:

    -keep : keep classes and class members.

    -keepclassmembers : keepclass members only.

    -keepclasseswithmembers : keep classes and class members, if class members present.

    For more info see here.

    • To exclude a class from obfuscation, Keep the attributes of InnerClasses, keep your class and keep the class members of the class. For example:
     -keepattributes InnerClasses -keep class com.yourproject.YourClass** 
    • To exclude all class of a specific package from obfuscation use the following configuration.
    -keep public class com.yourproject.yourpackage.*
    • To exclude all public class of a specific package and its sub packages from obfuscation use the following configuration.
    -keep public class com.yourproject.yourpackage.**
    • To exclude all public/protected/private classes/fields/methods of a specified package and its sub packages use the following configuration.
    -keep public class com.yourproject.yourpackage.** 

    Read Also: Convert Android App To Ios Using Phonegap

    Tips To Secure Your Flutter Mobile Apps

    Most of us depend on our devices daily for almost everything we do. Whether it’s for taking photos of our WFH setup, ordering food, shopping online, and banking, a lot of us do this using our mobile phones.

    With the increasing number of digital products and services we use, so as the data stored in our devices, this, in turn, increases the risk of security exploit or exposure of data to motivated attackers.

    As developers, we should ask ourselves, “How can we mitigate the risk of a security exploit and protect the data of our users?”.

    I am not a security expert but I do have experience building and shipping apps to millions of users with little to no security breaches at all. Also, I currently build mobile banking apps for a FinTech company using Flutter.

    Use Binder And Messenger Interfaces

    How to Set Passcode Lock in Telegram App on Android?

    Using Binder or Messenger is thepreferred mechanism for RPC-style IPC in Android. They provide a well-definedinterface that enables mutual authentication of the endpoints, if required.

    You should design your app interfaces in a manner that does not requireinterface-specific permission checks. Binder andMessenger objects are not declared within theapplication manifest, and therefore you cannot apply declarative permissionsdirectly to them. They generally inherit permissions declared in theapplication manifest for the Service or Activity within which they areimplemented. If you are creating an interface that requires authenticationand/or access controls, you must explicitly add those controls as code in the Binder or Messengerinterface.

    If you are providing an interface that does require access controls, use checkCallingPermissionto verify whether thecaller has a required permission. This is especially importantbefore accessing a service on behalf of the caller, as the identity of yourapplication is passed to other interfaces. If you are invoking an interface providedby a Service, the invocation may fail if you do not have permission to access the given service. If calling an interface provided locally by your own application, it may beuseful to use the clearCallingIdentitymethod, which masks the caller permissions against the app’s permissions, tosatisfy internal security checks. You can restore the caller permissions laterby using therestoreCallingIdentitymethod.

    Also Check: What Is The Best And Cheapest Android Phone

    How To Protect Source Code While Android Development

    I decompiled an android apk with dex2jar just now. The package name and class name has been shorten like the screenshot.

    I want to konw how to do that.

    PS: I use Android Studio IDE.

    • After reverse-engineering a dozen apps I would say that obfuscation makes it harder to examine the source code. But not hard enough to stop you from doing it. user468311May 21, 2014 at 10:36
    • Check out this It helps you.

    The only point in code obfuscation at development time is to check that the obfuscation doesn’t break anything. Beside this, the component that manage the obfuscation is the ProGuard:

    The ProGuard tool shrinks, optimizes, and obfuscates your code by removing unused code and renaming classes, fields, and methods with semantically obscure names. The result is a smaller sized .apk file that is more difficult to reverse engineer. Because ProGuard makes your application harder to reverse engineer, it is important that you use it when your application utilizes features that are sensitive to security like when you are Licensing Your Applications.

    To enable it in android studio:

    Note: When using Android Studio, you must add Proguard to your file’s build types. For more information, see the Gradle Plugin User Guide.

    How Codemagic Helps Keep Your Project Secure

    Using Codemagic, you can easily encrypt sensitive values and files and store them securely in the environment variables of the configuration file . Encrypting any file on Codemagic automatically encodes it to base64 format so that you have to decode the file during the build before using it.

    Codemagic gives you access to encrypt variables both with a personal account and with a Team account. Codemagic generates the encrypted variables on a per-app basis.

    For security reasons, encrypted environment variables only work on the account on which they were created. When moving an app from your personal account to a team, or from one team to another, you should re-encrypt the variables.

    Members of a team account can have three types of user roles:

    • Owner: Can select the repositories to be shared with the team, invite new team members, change their roles or remove existing members , and manage team integrations and billing.

    • Member: Has access to the Codemagic UI and can view team settings, configure app settings and trigger new builds. Members cannot modify any team settings, billing details or repository settings other than the app name.

    • User: Can trigger builds from a webhook but does not have access to the team in the Codemagic UI.

    These roles in Codemagic Teams make it easier to keep any sensitive credentials secure and make the project more manageable.

    Follow along to learn in detail how to build and release your Android projects securely.

    You May Like: Android App To Send Fax For Free

    Proper Management Of The Session

    Session processing is an essential characteristic of the in-app building, which requires additional caution since portable meetings usually are longer than the desktop session.

    Session control in the event of a robbed and damaged device should be performed to preserve the safety and not identifiers with the aid of tokens.

    Handling The Authentication Process

    Tapplock One Smart Padlock – Morse Code Setup From The Android App

    After defining some important pieces of your menu, the next thing you will do is to create the two central pieces of the identity management solution of your app. For starters, create a package called identity inside com.auth0.todo. Then, inside this package, create a class called AuthenticationHandler with the following code:

    Don’t get scared by the verbosity of this class, nor by the errors that the IDE shows regarding not knowing what AuthAwareActivity stands for . The AuthenticationHandler class is a bit big, but it is easy to demystify. Here you can check a list with the most important details that you must be aware of:

    As you can see, this class will do the heavy lifting for you when it comes to authentication and identity management.

    Now, you will create another important class: AuthAwareActivity. Create this class inside the com.auth0.todo.identity package and add the following code to it:

    The main purpose of creating this class is to define a common behavior for the activities of your Android app. In this case, you are defining that you want all the subclasses of this class to create an instance of AuthenticationHandler. Also, you are defining that these activities will have a menu that shows either a login or a logout button depending on the result of a call to hasValidCredentials.

    Recommended Reading: Does Android Have A Digital Wallet

    Using Applock Or Any Locking App Is Pretty Simple:

    • Open the app, and when prompted, input a password to use with individual apps. Make sure its not the same as the passcode you use to lock your phone.
    • Give AppLock permission to open on top of other apps when prompted .
    • Select an app you wish to lock with the passcode youve created while inside AppLock, then tap the Lock button.
    • Youll be notified that the lock was successful. Try to open that app to confirm.

    We like AppLock because it can enable fingerprint locking to protect individual apps in addition to a passcode. It also offers a cleaner that can free up storage space on your phone.

    A battery saver within it can help you save power and extend your battery life, a cooler to keep your phones CPU at a safe temperature, and a booster to improve your phones speed. Tap or click for other ways of increasing your Android phones speed.

    If you want to lock apps to be more productive or more secure, and you dont need bells and whistles, we have other apps we like as well:

    Share post:


    More like this

    How To Create Resume On Android Phone

    Build Free...

    What Is Digital Secure App On Android

    Best Password...

    Sign Documents On Android Phone

    How To...

    Remote Control Android Phone Over Wifi

    Best Remote...