Breaker ACT
03/10/2023, 10:13 AM
I think Android is vulnerable: the APK can be reversed and the logic read (not too easy, but not too hard). Any idea how to protect the app logic/data? There are a few common ways I see:
1. Wrap the logic in native code like C or Go and call it from Java/Kotlin. But the hacker can use the .so file as a black box; they don't need to care about the logic inside. They just put in the input and get the output.
2. Encrypt data. But the app has to decrypt it to read the data, so the attacker can read the reversed code from the APK to reproduce the decrypt logic.
3. Put the data in a remote source like Firebase Remote Config... The attacker can use runtime tools like Frida to read the plain data.
So what's your solution to make it as hard as possible to steal data/logic from the APK?
CLOVIS
03/10/2023, 10:18 AM
C/Go/etc. can be reversed too. If you don't want an attacker to know your secrets, don't put them in the app. An attacker cannot reverse something that is only server-side.
Breaker ACT
03/10/2023, 10:18 AM
Okay. If we do not put the logic in the app, we're going to put it on the server side. But an attacker can use our API to get the data. What's the solution?
CLOVIS
03/10/2023, 10:19 AM
If your API is well written, they cannot know anything more using it than they would know by using the app normally.
Breaker ACT
03/10/2023, 10:20 AM
What are the criteria to know whether an API is well written or not?
wbertan
03/10/2023, 10:20 AM
☝️ Yep, and you can pin your certificates to avoid a man-in-the-middle situation.
Breaker ACT
03/10/2023, 10:20 AM
For me, I used to get data from many apps. It's not too hard.
CLOVIS
03/10/2023, 10:21 AM
If you want to display information to a user, you can't stop that user from using it any way they want.
Breaker ACT
03/10/2023, 10:21 AM
SSL pinning can be bypassed easily with Frida.
CLOVIS
03/10/2023, 10:22 AM
SSL pinning protects the user from an attacker server pretending to be the real one. It doesn't protect the real server from attackers pretending to be real users.
Breaker ACT
03/10/2023, 10:23 AM
If you want to display information to a user, you can't stop that user from using it any way they want.
Agreed, we cannot prevent the user from using it.
wbertan
03/10/2023, 10:24 AM
A year ago we had an introductory call with https://www.guardsquare.com/; they have some solutions for you to check and know if the app was tampered with, etc.
Breaker ACT
03/10/2023, 10:24 AM
@wbertan Thanks. I'm going to learn about it.
CLOVIS
03/10/2023, 10:25 AM
Reading the main page, that's a bunch of marketing-speak. What does it do, exactly?
Point is, though, you cannot trust a client app. You can use tools to make it harder to tamper with, but someone will figure out a way. Attend any cyber-security convention and at least one talk will be about bypassing Google Play fingerprinting, etc.
wbertan
03/10/2023, 10:27 AM
They mention something like injecting some random code at compilation time, so they can check later for changes (not sure if they check the hash of the compiled code too). We were looking at DexGuard.
CLOVIS
03/10/2023, 10:27 AM
Also, OP was asking about stopping users from knowing how it works, not stopping users from changing it (which is what GuardSquare attempts to do, if my understanding is correct).
ephemient
03/10/2023, 10:30 AM
This isn't even an Android-specific issue. Anything on the client, whether it's an Android app, iOS app, desktop app, or web app, is running in an environment outside of your control (unless you can control the hardware it runs on).
Breaker ACT
03/10/2023, 10:30 AM
I have seen the way an app avoids having its data and logic stolen. They put the logic behind C code with very complex handling. (Maybe C can be reversed, but with the huge amount of logic and cross-function calls inside.) They take the input from the app and return a bitmap to Android to display 🙂
CLOVIS
03/10/2023, 10:31 AM
(Even if you can control the hardware, there have been multiple attacks on ATMs where attackers know where to drill a hole to insert a USB stick.)
ephemient
03/10/2023, 10:32 AM
All the logic in C code: that sounds just like a traditional desktop or iOS app, and those are definitely crackable with motivation.
CLOVIS
03/10/2023, 10:32 AM
@Breaker ACT actually, it's the opposite. Reverse engineers tend to be more familiar with C/C++ than Java. Many popular reverse engineering frameworks don't even support Java (e.g. https://github.com/cea-sec/miasm).
Breaker ACT
03/10/2023, 10:35 AM
Reverse engineers will be familiar with the specific language they focus on. Just like us: we are Kotlin devs, but we still write JS code. But others will be experts on it.
It's not the point.
CLOVIS
03/10/2023, 10:36 AM
I mean, reverse engineers are often people who love understanding the low-level workings of computers. It's rare that they like high-level languages. Even Rust is too high-level for most of the ones I met, because the generics pollute the binaries.
But you're right, you shouldn't bet on it being rarer. I'm just saying writing something in C doesn't make it harder to reverse-engineer, and indeed I believe it makes it easier.
Breaker ACT
03/10/2023, 10:38 AM
Do you think Java is too easy to reverse, so the valuable reverse engineers will focus on C? 😄 😄
CLOVIS
03/10/2023, 10:38 AM
maybe 😆
itnoles
03/11/2023, 2:32 AM
If they can read Java bytecode, it is a piece of cake. As for strings, they will be exposed no matter what.
srb9181
03/11/2023, 2:18 PM
@wbertan GuardSquare is a costly solution as it charges $2 per app install. For Java code obfuscation, ProGuard with minify enabled can be used. For Kotlin code, R8 can be used (ProGuard rules are fully compatible with R8). For resource obfuscation, AndResGuard (https://github.com/shwenzhang/AndResGuard) can be used, as it is a well-maintained open source project by the WeChat team. For rooted device protection, RootBeer (https://github.com/scottyab/rootbeer) can be used, as it is recommended by OWASP MAS. For mobile app security, follow the OWASP security guidelines and testing: https://mas.owasp.org/
Michael Vandendriessche
03/14/2023, 10:27 AM
Not sure how this space progressed over the years, but in 2015 we put some secret code in C or C++. It is not 100% secure, like mentioned above, and nothing is. But it is definitely an extra hurdle to overcome. Anyone who is not scared of code and has a few hours can decompile a Java app and find some useful things in it. Another advantage of putting it in the backend is that you can monitor who accesses this data. If it is purely client side you won't necessarily get those statistics. Interesting discussion, thank you everyone!
James Hamilton
03/14/2023, 2:59 PM
I'm a software engineer at Guardsquare, working mainly on DexGuard & ProGuard: happy to answer any technical questions about these. Regarding the pricing model: it's different from what is described above; our pricing has fixed prices based on wide tiers of downloads, not a per-app-install pricing model. For more details about pricing, it's best to connect with sales though, as I don't know any further details (https://www.guardsquare.com/request-pricing). Regarding ProGuard and R8: it should be noted that these only provide name obfuscation, shrinking & optimization, and their primary purpose is shrinking & optimization; they don't provide any code obfuscation/string encryption/RASP checks etc.