
How to secure the assets stored in Android APK

Tags: android, assets

I believe this question has already been asked, but I am not satisfied with their answers and am posting it again here.

Can someone please tell me how to safeguard my Android app assets from copycats who want to build a similar app?

Yogamurthy asked Aug 09 '13 16:08


2 Answers

As always, there is a trade-off between convenience and security. The more secure you want your app, the less convenient it will be for you to develop.

The source code is inherently insecure due to the ease of decompiling, especially with a rooted phone. To protect your source code you can obfuscate and/or encrypt your code, which will prevent decompiling. Not exactly sure what tools are available for Android, but I am sure it will complicate your build process. If you just obfuscate, decompiling may still be possible, but will be much more difficult and will likely require the person attempting to decompile your code to know and understand bytecode if a strong level of obfuscation is used.

To protect your assets, I believe your only option is to use encryption. Again, this will complicate the app and/or build process depending on where you implement it.

Even if you use encryption to protect your assets, you must protect the encryption key within your source code. Obviously, it does not matter what encryption scheme you use: if your encryption key is in plaintext in the source code, then anybody can grab the key and your asset and decrypt it. All this does is add one more small fence to jump over.

However, if you correctly protect the encryption key and use a good encryption algorithm, you should have less to worry about. This is a fairly complicated process, though; it is difficult to use a key for encryption within your code and not keep it in plaintext. Even if you don't keep it in plaintext within the code, at some point it must be in memory to perform decryption. So if somebody can attach a debugger or dump memory at the right time, it will compromise the key. Of course, this requires a much more skilled adversary.

Overall, you need to decide exactly who you are worried about stealing your assets. If you are worried about the average Joe copying them, then you should be OK. If you are worried about a professional hacker, script kiddie, etc. gaining access to them, then you are probably out of luck.

kalelien answered Sep 22 '22 14:09


> Can someone please tell me how to safeguard my Android app assets from copycats who want to build a similar app?

Generally, you can't. If it's in the app, anyone who wants to can get to them.

You are welcome to roll your own encryption scheme, or use tools like DexGuard. However, since the decryption engine and key must be in the app itself, all these do is increase the level of effort required to get to your assets. Making it more difficult will reduce the odds that somebody grabs the assets out of your APK, but it does not prevent the possibility. And, of course, there are other ways to get at much of this stuff (e.g., screenshots and image editors, recording audio played back by the app).

CommonsWare answered Sep 22 '22 14:09
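Both answers come down to the same point: an encrypted asset is only as protected as the key that ships beside it. The following is an added example, not code from either answerer; the class name, the `EMBEDDED_KEY` constant, the AES-GCM choice and the `IV || ciphertext` layout are assumptions made for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class AssetCipherDemo {
    // Constructed demo key. Anything compiled into the APK like this can be
    // read back out of the decompiled code, which is the answers' point.
    private static final byte[] EMBEDDED_KEY =
            "0123456789abcdef0123456789abcdef".getBytes(StandardCharsets.US_ASCII);
    private static final int IV_LEN = 12, TAG_BITS = 128;

    // Build-time step: output is IV || ciphertext+tag, stored under assets/.
    static byte[] encryptAsset(byte[] plain) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(EMBEDDED_KEY, "AES"),
                new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plain);
        return ByteBuffer.allocate(IV_LEN + ct.length).put(iv).put(ct).array();
    }

    // Run-time step inside the app: the plaintext (and the key) now sit in
    // process memory, where a debugger or memory dump can reach them.
    static byte[] decryptAsset(byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(EMBEDDED_KEY, "AES"),
                new GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN));
        return c.doFinal(blob, IV_LEN, blob.length - IV_LEN);
    }

    public static void main(String[] args) throws Exception {
        byte[] asset = "constructed sample asset bytes".getBytes(StandardCharsets.UTF_8);
        byte[] blob = encryptAsset(asset);
        System.out.println("round trip ok: " + Arrays.equals(asset, decryptAsset(blob)));
        blob[blob.length - 1] ^= 1; // simulate a repackager editing the asset
        try {
            decryptAsset(blob);
            System.out.println("tampered asset accepted");
        } catch (javax.crypto.AEADBadTagException e) {
            System.out.println("tampered asset rejected");
        }
    }
}
```

The authenticated mode means a modified asset fails to decrypt rather than loading silently, but it does nothing for confidentiality once the embedded key has been read out of the app.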