Reverse Engineering Mitigation in Android Apps

Last update: 2021-07-07

It is not possible to prevent a mobile application from being decompiled and having its design logic and internals exposed. The purpose of reverse engineering may be illegal use of the application (computer hacking), exploitation of its vulnerabilities, or other harm to the developer and to legitimate users. There are protection methods that encrypt the application code, but the code is eventually decrypted by the application itself, because the Dalvik Android virtual machine has to execute it. That is why this article is about mitigation, not prevention. Android app developers, especially commercial app developers, can make reverse engineering of their products complex and time-consuming, which defers the attack and minimizes its impact. For example, if several weeks of work were needed to break the copy protection of a video game, a new version of the game could be ready before the previous one is cracked.

Android reverse engineering

Don't trust generic solutions

A common mistake is to assume that commercial DRM or similar solutions are more effective than developing your own anti-copy protection. In fact, using a commercial library can make cracking easier: as soon as the library is identified, a simple search in underground forums reveals the exact steps to deactivate that protection. Creating your own anti-copy system, on the other hand, can make this process much more complex. Some software companies hire ethical hackers to build their own advanced protection systems. For example, in the 2000s the Canadian company SSG hired the ethical hacker Kris Kaspersky to implement a CD anti-copy solution.

Even without the expertise of the most skilled hackers, it is possible to implement effective anti-piracy mechanisms. Here are some recommendations that have worked well in several real-life projects.

The decoy strategy

A good tactic is to make the reverser believe that the algorithm is simple. For example:

// The obvious check: the branch a reverser will look for first.
if (!isRegistered()) {
   Toast.makeText(ctx, "Registration error", Toast.LENGTH_SHORT).show();
   // ...
}

A simple modification of this code would be enough to make a pirated copy behave as a registered one. That is what the reverser should believe. Ideally, the application should really work correctly for some time. For example, the video game company Aterdux released a game using this decoy tactic. The pirates managed to "break" it quickly, but the pirated version worked only up to a certain point in the game's campaign, where another authenticity check was carried out. So what the pirates really distributed was a "demo" version of the game.

The decoy strategy, used wisely, can cause great frustration for illegal users.
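The layered check described above, as an added Java example that is not code from the original article or from any of the companies it mentions. The class name, the registration flag, the checkpoint level and the validation secret are all hypothetical: the decoy `isRegistered()` is the one obvious boolean a reverser patches first, while the real verification only runs once the player reaches a given campaign level and compares an HMAC tag issued at registration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical license guard: a decoy check plus a deferred real check (added example). */
public class DecoyLicenseGuard {

    // Constructed for this example. A real app would rather have the tag issued and
    // verified by a license server, so the app never holds the material to mint one.
    private static final byte[] VALIDATION_SECRET =
            "example-validation-secret".getBytes(StandardCharsets.UTF_8);

    // Campaign level at which the deferred check first runs (constructed value).
    private static final int CHECKPOINT_LEVEL = 5;

    private final boolean registeredFlag;  // the decoy: one obvious boolean
    private final String licenseKey;       // entered by the user at registration
    private final byte[] licenseTag;       // issued together with a valid key

    DecoyLicenseGuard(boolean registeredFlag, String licenseKey, byte[] licenseTag) {
        this.registeredFlag = registeredFlag;
        this.licenseKey = licenseKey;
        this.licenseTag = licenseTag.clone();
    }

    /** The decoy: cheap, early, and the branch a reverser will find and patch first. */
    boolean isRegistered() {
        return registeredFlag;
    }

    /**
     * The real check. It is not reached until the player has progressed far enough,
     * so a patched copy behaves like a working game and then fails later in the campaign.
     */
    boolean checkpointValid(int campaignLevel) {
        if (campaignLevel < CHECKPOINT_LEVEL) {
            return true;   // nothing verified yet: the pirated copy is effectively a demo
        }
        // Constant-time comparison so the check does not leak how many bytes matched.
        return MessageDigest.isEqual(tagFor(licenseKey), licenseTag);
    }

    /** HMAC-SHA256 over the license key: the tag a legitimate registration receives. */
    static byte[] tagFor(String licenseKey) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(VALIDATION_SECRET, "HmacSHA256"));
            return mac.doFinal(licenseKey.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HmacSHA256 unavailable", e);
        }
    }

    public static void main(String[] args) {
        // Legitimate user: flag set and a tag issued for the key.
        DecoyLicenseGuard legit =
                new DecoyLicenseGuard(true, "ABCD-1234", tagFor("ABCD-1234"));
        // Pirated copy: isRegistered() was patched to return true, but no valid tag ever existed.
        DecoyLicenseGuard pirated =
                new DecoyLicenseGuard(true, "ABCD-1234", new byte[32]);

        for (int level = 1; level <= CHECKPOINT_LEVEL + 1; level++) {
            System.out.printf("level %d: legitimate=%b pirated=%b%n",
                    level, legit.checkpointValid(level), pirated.checkpointValid(level));
        }
    }
}
```

Both copies pass every level below the checkpoint, which is exactly the "demo" behaviour the Aterdux story describes; from the checkpoint on, only the copy holding a genuine tag continues. The secret is embedded here only to keep the example self-contained; because any value inside the APK can eventually be recovered, the deferred check gains most when the tag comes from a server, which is the subject of the next section.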

Externalize the functionality of the app

This means hosting part or all of the app's functionality outside the app. The concept is not new: in the 1990s the Rainbow Tech company began placing functional blocks of code in external devices called dongles, connected to the PC's printer port. Today the same principle applies to security devices called tokens. In a mobile phone, the SIM card can act as a token; the information stored in a security device is very difficult to replicate. Some providers, such as Ubirch, implement blockchain algorithms using the SIM card. This technology was developed to ensure authenticity (e.g., registration of a user on the cellular network, ownership of a bank account, telemetry). The same principle can be used to protect the app's license.

However, it may be simpler and more effective to externalize part or all of the app's functionality to the cloud. The app could be a simple user interface to access a service running on the Internet.

This strategy is widely used by software development companies. Banking apps can be said to work the same way, because the transactions are processed online.

It is not always possible to access the Internet for authenticity verification: for example, Internet access may be limited or too expensive on board an airplane or other means of transport. Another important point to remember is that a cloud failure affects all of your legitimate users at once.
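One way to externalize the license check to a service while still coping with the offline and cloud-failure cases mentioned above, as an added Java example that is not code from the original article. The token format, the grace period and the device id are assumptions, and the "server side" is simulated in the same file with a key pair generated on the spot: the app ships only the server's public key, fetches a signed token with an expiry while online, and can then verify it locally, so an airplane trip or a short outage does not lock out a legitimate user.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;

/** Hypothetical signed-license-token scheme with an offline grace period (added example). */
public class CloudLicenseClient {

    // How long the app keeps honouring a cached token past its expiry when it cannot
    // reach the license service (airplane mode, cloud outage). Constructed value.
    static final long GRACE_SECONDS = 3L * 86_400;

    // ---- Server side: simulated here, would run as an Internet service ----
    // A token is "<deviceId>|<expiryEpochSeconds>|<base64 ECDSA signature over the first two>".
    static String issueToken(PrivateKey serverKey, String deviceId, long expiryEpochSeconds)
            throws GeneralSecurityException {
        String payload = deviceId + "|" + expiryEpochSeconds;
        Signature signer = Signature.getInstance("SHA256withECDSA");
        signer.initSign(serverKey);
        signer.update(payload.getBytes(StandardCharsets.UTF_8));
        return payload + "|" + Base64.getEncoder().encodeToString(signer.sign());
    }

    // ---- App side: holds only the server's public key and this installation's id ----
    private final PublicKey serverPublicKey;
    private final String deviceId;      // installation-specific id, assumed to contain no '|'
    private String cachedToken;         // last token received while online

    CloudLicenseClient(PublicKey serverPublicKey, String deviceId) {
        this.serverPublicKey = serverPublicKey;
        this.deviceId = deviceId;
    }

    /** Called whenever the app is online and the service returns a fresh token. */
    void storeToken(String token) {
        this.cachedToken = token;
    }

    /** Works offline: checks signature, device binding and expiry (plus grace) locally. */
    boolean licensed(long nowEpochSeconds) {
        if (cachedToken == null) return false;
        String[] parts = cachedToken.split("\\|", 3);
        if (parts.length != 3) return false;
        try {
            Signature verifier = Signature.getInstance("SHA256withECDSA");
            verifier.initVerify(serverPublicKey);
            verifier.update((parts[0] + "|" + parts[1]).getBytes(StandardCharsets.UTF_8));
            if (!verifier.verify(Base64.getDecoder().decode(parts[2]))) return false;
            long expiry = Long.parseLong(parts[1]);
            return deviceId.equals(parts[0]) && nowEpochSeconds <= expiry + GRACE_SECONDS;
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false;   // malformed token, bad base64 or bad number: treat as unlicensed
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        KeyPair serverKeys = kpg.generateKeyPair();   // constructed; the private key stays server-side

        long now = 1_700_000_000L;                    // constructed "current" time
        long expiry = now + 30L * 86_400;             // 30-day token
        CloudLicenseClient app = new CloudLicenseClient(serverKeys.getPublic(), "device-A");

        // 1. Online: the app fetches a fresh token and caches it.
        String token = issueToken(serverKeys.getPrivate(), "device-A", expiry);
        app.storeToken(token);
        System.out.println("online, fresh token:       " + app.licensed(now));
        // 2. Offline or cloud outage: the cached token is honoured until expiry plus grace.
        System.out.println("offline, 20 days later:    " + app.licensed(now + 20L * 86_400));
        System.out.println("offline, 40 days later:    " + app.licensed(now + 40L * 86_400));
        // 3. Editing the expiry field in the cached token breaks the signature.
        String[] parts = token.split("\\|", 3);
        app.storeToken(parts[0] + "|" + (now + 3650L * 86_400) + "|" + parts[2]);
        System.out.println("edited expiry:             " + app.licensed(now));
        // 4. The same token copied to another installation fails the device binding.
        CloudLicenseClient other = new CloudLicenseClient(serverKeys.getPublic(), "device-B");
        other.storeToken(token);
        System.out.println("token copied to device-B:  " + other.licensed(now));
    }
}
```

The expiry plus a short grace period is what reconciles the two concerns in the text: a legitimate user keeps working through an offline trip or a cloud failure, while a token cannot be extended or moved to another installation without the server's private key. Choosing the validity window is a product decision; a shorter window limits the damage if a token leaks, a longer one tolerates longer outages.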

Minimize the impact

If the app is updated frequently and its cost is low, it becomes less attractive to pirates. However, even free apps are distributed illegally: pirates can inject various kinds of malware into the app to steal users' personal information, passwords and so on.

It is recommended to educate users about the risks of installing apps from unofficial sources.