— — — — — — — — — — — — — — — — — — — — — — — — — — — — I’m a preface line — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
What is the APK? You probably know what Android projects are packaged up to run on your phone, but it’s hard to figure out exactly what’s inside the APK.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — I’m decompiling jun — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — –
apk
APK stands for AndroidPackage, the Android Installation Package. Package the android SDK compiled projects into an installation file in apK format. The APK file is actually in ZIP format, but the suffix has been changed to APK. We can change the suffix from.apk to.zip. Then unpack it.
The apk suffix is changed to zip
Decompress the compressed package with the suffix changed
Decompressed file structure
- Meta-inf \; meta-inf \;
- Res \ (note: directory for storing resource files);
- Androidmanifest.xml (note: program global configuration file);
- Classes. dex (Dalvik bytecode);
- Resources.arsc (note: compiled binary resource file).
Under the RES directory we can see various resources,
Res directory
Image resources such as drawable-hdpi and other directories can be directly viewed under the image file, you can directly take out their own use. However, some XML files, such as testitem. XML file in the layout directory, will be bytecode when opened and cannot be used directly. (The files starting with ABC and Notification are not those written by the developer and can be ignored)
XML file under Layout
So when I see excellent APK on the Internet, I can only extract a picture, some layout, code, and can not be used for reference? Can’t you just see what someone else is writing? The answer, of course, is NO. (A wave of forced anger B)
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — begin to start formal — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Introduce our main character
1.apktool
Apk parses third-party tools for installation.
Mac OS X:
- Download Mac wrapper script (Right click, Save Link As apktool)
- Download apktool-2 (find newest here)
- Rename downloaded jar to apktool.jar
- Move both files (apktool.jar & apktool) to /usr/local/bin (root needed)
- Make sure both files are executable (chmod +x)
- Try running apktool via cli
Let me give you a general explanation in English: 3 change the name of the file. 4 Place the downloaded files in the specified directory (command+shift+g). 5 Change the permission of the downloaded files. Execute chomd +x in terminal to modify, 6. Then execute apktool
The downloaded files are stored in the /usr/local/bin directory
Modifying file Permissions
After ok, we will quickly use apkTool to experience. apktool d xxxx.apk
Apktool parsing apk
Apk will be resolved to a folder with the same name as APK, which will be in the current directory of your terminal. For example, the current directory in my image is in willy’s user directory, so the resolved folder is also in that directory.
Then go to the layout folder and find the testitem.xml which we have opened above.
testitem.xml
Others such as Androidmanifest.xml can also be viewed.
If a gentleman wishes to enligh10 a student buried in ignorance with knowledge, he must first arouse his attention so that it can absorb knowledge with a greedy mind —- Comenius
People tend to be greedy. You see the layout, you have the image resources and so on. You want to look at the source code, how the Java code is written. This is where another tool comes in, the second hero
2.dex2jar + jd-gui
Download dex2JAR and JD-GUI. This is baidu. You can download it. 1. Decompress the dex2jar file to a directory. Jd-gui is a DMG installation package. 2. Run the CD XXX/XXX /dex2jar command to go to the dex2jar folder 3. Run the sh d2j-dex2jar.sh -f -o classes.jar /XXX/XXX/ xxx. apk command to generate a classes.jar file in the dex2jar folder
4. Open the JD-GUI file and drag classes-dex2jar.jar to the JD-GUI interface to see the Java file
Java code
Decompiling role is not only to get the resources, see the code, you can also to replace the resources inside, and even modify code, to make changes in the business logic, such as a software can remove after charging software in advertising, if it is already paid business judgment on the front end, the user directly decompiled modify the judgment condition again, Once packed, it’s ready to use. Or it is to implant the virus, add their own advertising, using apktool for secondary packaging spread.
Apktool can not only decompile APK, but also repackage the decompressed resources into APK, and search for the specific repackage into APK. It's easy to find. I won't say more here.)
— — — — — — — — — — — — — — — — — — — — — — — — — — — I am apk protect you — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Ok, so that gives you some idea of how decompilation works. Let’s talk about how to make our Android source code not easy for others to see.
Proguard:
It was supposed to be a long introduction. Later I read about Proguard on other blogs. Found that other gods write good. I just went ahead and recommended it.
Click on portal: ProGuard to use ProGuard in detail
DexGuard
But if you need top-notch security, ProGuard can’t do it. You need DexGuard to click through the portal: DexGuard.
Extra processing
You need to know how to securely store the API keys in your app. If you’re going to work with users’ sensitive data, you need to know how to encrypt it and which encryption algorithm to choose (secure and fast).
You should also store the key securely locally or on a server. You should prevent app data from being backed up with ADB. If you store sensitive data in your database, consider masking it appropriately.
Attached are two article portals:
Android Security: Adding Tampering Detection to Your App
Hiding Secrets in Android Apps
Of course. This all just makes it harder for people who want to decompile your APK. They can still get all kinds of information about your APK in a variety of ways. We can only do as much as we can at this point.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — digression — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Ps: Off topic, how do you deal with big companies like Alipay and QQ
Cite the writings of other gods to illustrate. Click into the portal: Is this confusion in your eyes? ProGuard
Excerpts are as follows:
Will code that really needs security be compiled in Java?
The answer can be imagined, if you try to decompile wechat, Alipay code can see a large number of. So files, they are really valuable code is written in C, through JNI call, so not only safe and a set of code Android, iOS are available. That’s the safest thing to do!
Paste_Image.png