Hello everyone, I am placing next my anti-cracking\anti-reverse-
engineering function.
The idea of sharing this function is to allow other developers to get
its benefits, and also to get more ideas for improvement, and even
though exposing it to hackers makes it weaker, the idea is also that
the function should be tempered by developers before using it instead
of just copy/paste, and even split it into several functions to be
called across your application. At the end if a hacker wants to crack
your app, he will, but sure we can make it a bit harder.
For the CRC validation performed in the function follow the next
steps:
Export a signed package of your application the same as if you would
be getting ready to publish it. Rename the file extention .apk
to .zip, extract the "classes.dex" file.
Then use any internet CRC calculator tool with the extracted
"classes.dex" file, you can find many in google (i.e.:
http://www.createwindow.com/programming/crc32/crcfile.htm)
Copy the obtained CRC value, remember to convert this value to a Long,
as most of the these tools give you the value in HEX format.
Go back to your IDE and open any layout xml file, place this value as
the
tag of any element (i.e.: android:tag="4212136116").
Though you can really store the CRC value into other ways as an asset
file, etc. I encrypt this value before passing it and decrypt it at
runtime so is even harder for the hacker by not allowing him just to
copy his CRC value if he finds its location.
The idea is that before calling the function you should get back the
CRC value and pass it.
Is very important that you do not copy the CRC value into any of your
java code, if after the CRC calculation you temper on any way with
your code the CRC value will change and you will need to star this
process again.
Finally you only need to export the signed application again. The CRC
will still reamin the same for the classes.dex, but somewhere hidden
in your layouts you will have your CRC value to be validated by the
function.
As final note when developing the application do not call this
function or you will get crazy :)
So any comments and new ideas?
/**
* Validates the application integrity against reverse engineering.
* If the validation fails the the application is terminated
* automatically without warning.
*
* @param context
* Application context used for operations
*
* @param applicaionPackageName
* Original application package name, you should
* hard-code\encrypt this string and then pass it to this
function un-encrypted,
* do not use the java api to get this value.
*
* @param applicationCrc
* Application CRC value
*/
public static void dapplicationIntegrityCheck(final Context context,
final String applicaionPackageName,
final String applicationCrc)
{
// Check that the application package name has not changed
if (applicaionPackageName != context.getPackageName())
{
android.os.Process.killProcess(android.os.Process.myPid());
}
// Check that the debuggable flag is set to False
try
{
if (0 !=
(context.getPackageManager().getPackageInfo(context.getPackageName(),
PackageManager.GET_SIGNATURES).applicationInfo.flags &=
ApplicationInfo.FLAG_DEBUGGABLE))
{
android.os.Process.killProcess(android.os.Process.myPid());
}
}
catch (Exception ex)
{
Log.e("HelperFunctions", "Error checking debuggable
flag.", ex);
}
// Check that the debugger is not connected
if (Debug.isDebuggerConnected())
{
android.os.Process.killProcess(android.os.Process.myPid());
}
// CRC validation
try
{
ZipFile zipFile = new
ZipFile(context.getPackageCodePath());
ZipEntry zipEntry = zipFile.getEntry(new
String(Common.CLASS_DEX));
if (zipEntry.getCrc() !=
Long.parseLong(applicationCrc))
{
android.os.Process.killProcess(android.os.Process.myPid());
}
zipEntry = null;
zipFile = null;
}
catch (Exception ex)
{
Log.e("HelperFunctions", "Error checking crc.", ex);
}
// TO-DO:
// Check that the application name has not changed.
// Keep an encrypted string constant of the application
// name and then compare it with the application
// name string using the proper function to retrieve it
}
--
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=en
