Inside Dvm basics
Download as PPTX, PDF0 likes880 views
Java code is partially compiled and contains symbolic information, making it vulnerable to decompilation. Android apps (APKs) are also vulnerable as they can be easily accessed, converted to Java code, and decompiled with one-click tools. When decompiling, developers should avoid passing off recompiled code as their own, selling it, or removing protections. The best protections are using server-side code and hiding keys, native code compiled to be hard to decompile, and encryption. No single method provides perfect protection against decompilation.
Inside Dvm basics
- 1. Inside DVM Basics Nick Bova @mykola_bova Nov 14 2013
- 2. Why Java is vulnerable? 1. For portability, Java code is partially compiled and then interpreted by the JVM. 2. Java’s compiled classes contain a lot of symbolic information for the JVM. 3. The JVM is a simple stack machine. 4. Standard applications have no real protection against decompilation.
- 3. Why Android apps are vulnerable? 1. There are multiple easy ways to gain access to Android APKs. 2. It’s simple to translate an APK to a Java jar file for subsequent decompilation. 3. One-click decompilation is possible, using tools such as apktool. 4. APKs are shared on hacker forums.
- 4. Legal Issues to Consider When Decompiling Цель оправдывает средства?
- 5. Legal Issues to Consider When Decompiling 1. Don’t decompile an APK, recompile it, and then pass it off as your own. 2. Don’t even think of trying to sell a recompiled APK to any third parties. 3. Try not to decompile an APK or application that comes with a license agreement that expressly forbids decompiling or reverse-engineering the code. 4. Don’t decompile an APK to remove any protection mechanisms and then recompile it for your own personal use..
- 6. Protecting Yourself (Protection schemes) Protection schemes in your code: Spreading protection schemes throughout your code (such as checking whether the phone is rooted) is useless because the schemes can be commented out of the decompiled code.
- 7. Protecting Yourself (Obfuscation) Obfuscation: Obfuscation replaces the method names and variable names in a class file with weird and wonderful names. This can be an excellent deterrent, but the source code is often still visible, depending on your choice of obfuscator.
- 8. Protecting Yourself (Server-side code) Server-side code: The safest protection for APKs is to hide all the interesting code on the web server and only use the APK as a thin front-end GUI. This has the downside that you may still need to hide an API key somewhere to gain access to the web server
- 9. Protecting Yourself (Native code) Native code: The Android Native Development Kit (NDK) allows you to hide password information in C++ files that can be disassembled but not decompiled and that still run on top of the DVM. Done correctly, this technique can add a significant layer of protection.
- 10. Protecting Yourself (Encryption) Encryption can also be used in conjunction with the NDK to provide an additional layer of protection from disassembly, or as a way of passing public and private key information to any backend web server.