Android Tutorial Protect your application against copy and changes

This method uses the F5Steg and PackageUtils libraries from ProBundle.

There's a demo available in the Play Store: https://play.google.com/store/apps/details?id=b4a.protecthw.flm
The source code is attached to this message and is used as a reference in the following explanations. It will not work after compilation on your computer because some of the assets are protected. Only the creator of these resources (me) can compile a working version.

Protection against copy:
If you look at the source code, you can see that the copy protection is quite simple since it is all in these three lines:
B4X:
If PU.GetInstallerPackageName(PU.GetMyPackageName) = Null Or PU.GetInstallerPackageName(PU.GetMyPackageName) <> "com.android.vending" Then
   ExitApplication
End If
If the installation source is not the Play Store ("com.android.vending"), the program ends.
This protection would be very weak if a malicious person could remove these lines with a tool like apktool, so the APK must also be protected against modification.

Protection against changes:
To protect the APK against modification, I use the F5Steg library. It can encrypt data inside an image using the APK signature. No password is required from the user. The encryption password is automatically created by the library's C code from the signature (and I won't explain how, of course, because otherwise it would be a piece of cake to circumvent this protection). If someone modifies the program, he has to reassemble it and sign it with his own key. This will change the signature and therefore F5Steg will not be able to decrypt the image correctly.

In the demo, the image containing the encrypted data is "logo.jpg". In this image, I encoded a list with two entries: a password (which is used to decompress the "value.zip" archive) and a Map which contains three values (an integer, a floating-point number and the name of the image with my picture). Without these data, the application cannot calculate anything correctly when the user clicks the Test button.

If you use this method to protect your application, a small donation (by clicking on the Donate button in my signature) will be greatly appreciated.

Attachments

  • Challenge.zip
    71.3 KB
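The mechanism the tutorial relies on (data the app needs at runtime that can only be recovered under the original signing certificate, so a re-signed APK runs but fails when it tries to use that data) is modelled below as an added example. It is not code from this thread and not the F5Steg library, whose own key derivation the author deliberately keeps private. The model is stdlib-only Python: the two certificate byte strings, the application salt and the JSON payload are constructed stand-ins, and on a real device the signer certificate would come from PackageManager rather than a constant. Keys are derived with HKDF from the certificate fingerprint, and the payload is protected with encrypt-then-MAC so a wrong signer yields a clean failure rather than garbage.

```python
"""Bind embedded app data to the APK signing certificate (constructed model).

Not the F5Steg library: a generic illustration of deriving asset-protection
keys from the signer certificate so that an APK re-signed with another key
cannot recover the payload.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed stand-ins for the DER bytes of two signing certificates:
# the developer's own, and the one a tamperer would have to use after
# rebuilding and re-signing the APK.
ORIGINAL_CERT = b"CONSTRUCTED-DEVELOPER-SIGNING-CERT-DER"
RESIGNED_CERT = b"CONSTRUCTED-THIRD-PARTY-SIGNING-CERT-DER"

# Constructed payload standing in for the list stored in logo.jpg:
# the archive password plus the values the app needs at runtime.
PAYLOAD = b'{"zip_password": "constructed-pw", "int": 42, "float": 3.14, "image": "me.jpg"}'


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract + expand) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def keys_from_certificate(cert_der: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from the signing certificate.

    The SHA-256 fingerprint of the DER is what identifies a signer; a fixed
    application salt (constructed here) keeps the derived keys app-specific.
    """
    fingerprint = hashlib.sha256(cert_der).digest()
    salt = b"protect-demo-salt-v1"  # constructed per-application constant
    enc_key = hkdf_sha256(fingerprint, salt, b"asset-encryption")
    mac_key = hkdf_sha256(fingerprint, salt, b"asset-authentication")
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream using HMAC-SHA256 as the PRF."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(cert_der: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under keys bound to cert_der: nonce || ciphertext || tag."""
    enc_key, mac_key = keys_from_certificate(cert_der)
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(cert_der: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the signer (or the blob) does not match."""
    enc_key, mac_key = keys_from_certificate(cert_der)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong signer or tampered blob: fail closed, no garbage output
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def demo() -> Tuple[bool, bool]:
    """(original signer recovers the payload, re-signed APK recovers the payload)."""
    blob = seal(ORIGINAL_CERT, PAYLOAD)
    return (open_sealed(ORIGINAL_CERT, blob) == PAYLOAD,
            open_sealed(RESIGNED_CERT, blob) == PAYLOAD)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Returning None on a MAC mismatch is the point of the design: the app can distinguish "wrong signer" from corrupted input and fail at a defined place, which is the behaviour the tutorial describes for the Test button in a re-signed copy.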

Spright

Active Member
From what I understand, it encodes the APK, so it's not steganography. You can always do your best and hide it. I'm not that used to disassembling Android binaries, but this should be a good start. I would be most worried about hiding the API call.

Informatix

Expert
Licensed User
Longtime User
Maybe I haven't read this properly but what is to stop an experienced reverse engineer from swapping the ExitApplication logic?
Nothing. But he won't be able to use the program afterwards since the data cannot be retrieved from the image any longer. Clicking on the Test button in the demo app will fail. So what's the point of removing ExitApplication if that leads to losing data?

CyberDroidWare

Member
Licensed User
Nothing. But he won't be able to use the program afterwards since the data cannot be retrieved from the image any longer. Clicking on the Test button in the demo app will fail. So what's the point of removing ExitApplication if that leads to losing data?
Thank you. So essentially what you're saying is that the picture is encrypted with the device/app store key prior to download?