Android Question Why B4A Decompiled?

Hamied Abou Hulaikah

Hi All,
My B4A generated apk source code "java code" is decompiled easily using any decompile tool, while my C# Xamarin generated apk can't be decompiled using the same decompile tool!!!
Any suggestion or explanation to protect our B4A projects more ...
 

Hamied Abou Hulaikah

Good for variables.
What about project workflow, directions, diagram, functions, events, structure, etc ....
How can we obfuscate them?

Informatix

> Good for variables.
> What about project workflow, directions, diagram, functions, events, structure, etc ....
> How can we obfuscate them?

Obfuscation is not something that really protects your code. It's something that slows down the understanding of your code. That's all.
I don't think there is a good method to protect your code against decompilation (except writing everything in a C library and calling the C lib with a single java call). There are tricks to defeat some decompilers (usually the most used ones), but decompilation is not mandatory to understand what your app does or to crack it (cracking is not done in the Java code, but in the smali code).

Out of curiosity, could you send me a little APK created with Xamarin (e.g. a Hello world app)?

gkoehn

I am not an expert, but some compilers are harder to decompile than others.
Delphi Mobile compiles to Native Code. I think it is harder to decompile.
I have no experience in trying to crack a Delphi Mobile app.
Same would be for Google's NDK. It would compile to Native, so harder to decompile.
You experts on the topic, feel free to correct me!

I like how small you can make a Java/B4A apk, but is there more info on protecting your stuff?
I know of Informatix's solution, but are there some books, docs, etc. on "pattern and practices" to protect java mobile apps?

Informatix

> General Question: Is there a programming language that can't be decompiled even 1%?

When I was young, I was able to crack most games that I could find and I did it directly in the assembly code. I did not need a decompiler. I used only a debugger/disassembler (e.g. SoftICE or IDA Pro). Android crackers nowadays do not need to decompile the code. So your main concern should not be: is someone able to read my code? But: if someone reads my code (decompiled or just disassembled), does my code contain sensitive data (e.g. a password) and, if my code has some protection, is the cracker able to easily bypass this protection?

Informatix

> I am not an expert, but some compilers are harder to decompile than others.
> Delphi Mobile compiles to Native Code. I think it is harder to decompile.
> I have no experience in trying to crack a Delphi Mobile app.
> Same would be for Google's NDK. It would compile to Native, so harder to decompile.
> You experts on the topic, feel free to correct me!

I don't know Delphi mobile, but if you create a .so library, written in C/C++ with the NDK, the result is indeed difficult to decompile properly. However, if you store a password in plain text in your C code, anyone will be able to read it with a simple hex viewer in the compiled library. So the language itself is not enough.

> I like how small you can make a Java/B4A apk, but is there more info on protecting your stuff?
> I know of Informatix's solution, but are there some books, docs, etc. on "pattern and practices" to protect java mobile apps?

I looked at a few books on the subject, but I found nothing really serious. There are websites devoted to cracking that are really interesting and informative, but I don't want to promote them, so I'll let you search on Google.
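Added example (not part of the thread and not B4A or NDK code): the point in the reply above about a plain-text password being readable in a compiled .so, turned into a pre-release check a developer can run on their own APK. The keyword heuristic, the function names and the sample APK contents are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Runs of 6+ printable ASCII bytes: exactly what a hex viewer makes visible.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")
# Heuristic keyword list (an assumption); extend it for your own project.
SUSPICIOUS = re.compile(rb"(?i)(passw(or)?d|secret|api[_-]?key|token)\s*[=:]")


def printable_runs(blob: bytes) -> list[bytes]:
    """Return every printable ASCII run found in a compiled blob."""
    return PRINTABLE_RUN.findall(blob)


def audit_apk(apk_bytes: bytes) -> list[tuple[str, str]]:
    """Scan .so and .dex entries of an APK for literal secrets.

    Returns (zip entry name, offending string) pairs.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not name.endswith((".so", ".dex")):
                continue
            for run in printable_runs(apk.read(name)):
                if SUSPICIOUS.search(run):
                    findings.append((name, run.decode("ascii")))
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample: one fake .so with a literal password, one without."""
    header = b"\x7fELF\x02\x01\x01\x00" + bytes(32)
    leaky = header + b"db_password=hunter2-CONSTRUCTED\x00" + bytes(16)
    clean = header + b"libexample init ok\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("lib/arm64-v8a/libnative.so", leaky)
        z.writestr("lib/arm64-v8a/libclean.so", clean)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, text in audit_apk(build_sample_apk()):
        print(f"{entry}: {text}")
```

Compiling to native code does not change the result: the literal survives in the library's data section, so the check flags it regardless of the source language.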

gkoehn

> I don't know Delphi mobile, but if you create a .so library, written in C/C++ with the NDK, the result is indeed difficult to decompile properly. However, if you store a password in plain text in your C code, anyone will be able to read it with a simple hex viewer in the compiled library. So the language itself is not enough.
>
> I looked at a few books on the subject, but I found nothing really serious. There are websites devoted to cracking that are really interesting and informative, but I don't want to promote them, so I'll let you search on Google.

Yes! Fully agree with you!

Another Question...
How do you persist client side session state securely?
Let's suppose I am hitting a RESTful API.
I use OAuth.
How do I securely save the token on the client device? (Maybe there is not a security risk here...)
How do Banking Apps do it securely? (Or do they?)

Do you discuss this in your ProBundle?