How to prevent hackers from reverse engineering your Android apps

Mukesh Solanki
Published in ProAndroidDev
Mar 28, 2022, 3 min read


Security and privacy are two of the most talked-about topics these days. Like any other piece of software, Android apps can be targeted, your users’ data can be put at risk, and there is always the risk of your app being reverse engineered. So how can you, as an Android developer, make your app harder to reverse engineer and keep your users’ data safe on the client side? That is exactly what we will look at today.

Tamper Detection

The most reliable way to detect that your app has been altered is to verify, at runtime, that the certificate the installed APK was signed with is the one you sign your releases with: anyone who modifies and re-signs the APK cannot reproduce your signing key, so the certificate digest changes. You can do this with a small library I wrote a while back; it is easy to integrate. Keep in mind that this check runs inside the app, so an attacker who patches the APK can also patch the check out. It raises the bar rather than making tampering impossible.

In most cases the only legitimate way to get your app is through the Play Store, which means you can also check the installation source and refuse to run if the app was not installed by the Play Store. The installer package name is reported by the device and can be faked on a rooted device or by a modified APK, so treat it as a signal rather than proof. This can also be done with the library shared above. For instance, if you want to detect whether a debugger has been attached to your app, you can do something like:

To verify whether your app is downloaded from the right source you can do this:

Lastly to verify if your app has been modded or not you can check the signature of your app like this:
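The three checks above can also be written against the Android framework directly, without any library. The following is an added example and not code from the author’s library: it compares the installed APK’s signing-certificate SHA-256 with a hard-coded expected digest (the all-zero value here is a placeholder you must replace), checks the installer package, and checks for an attached debugger. The Play Store package name `com.android.vending` is a real constant; the class and method names are mine.

```kotlin
import android.content.Context
import android.content.pm.PackageManager
import android.os.Build
import android.os.Debug
import java.security.MessageDigest

/** Runtime integrity checks using only framework APIs (added example, not the author's library). */
class IntegrityChecks(context: Context) {
    private val pm = context.packageManager
    private val pkg = context.packageName

    /** True if a debugger is attached now or the process is waiting for one. */
    fun debuggerAttached(): Boolean = Debug.isDebuggerConnected() || Debug.waitingForDebugger()

    /** True if the package that installed us was Google Play. Spoofable: a signal, not proof. */
    fun installedFromPlay(): Boolean {
        val installer = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
            pm.getInstallSourceInfo(pkg).installingPackageName
        } else {
            @Suppress("DEPRECATION") pm.getInstallerPackageName(pkg)
        }
        return installer == PLAY_STORE
    }

    /** True if the running APK is signed with the certificate we expect. */
    fun signatureMatches(): Boolean {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            // Framework does the digest comparison for us on API 28+.
            return pm.hasSigningCertificate(pkg, EXPECTED_CERT_SHA256, PackageManager.CERT_INPUT_SHA256)
        }
        @Suppress("DEPRECATION")
        val sigs = pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES).signatures ?: return false
        // Exactly one signer, and its DER certificate must hash to the pinned digest.
        val digest = MessageDigest.getInstance("SHA-256").digest(sigs.single().toByteArray())
        return sigs.size == 1 && digest.contentEquals(EXPECTED_CERT_SHA256)
    }

    /** Combine the signals; what you do on failure (refuse, degrade, report) is a product decision. */
    fun looksTampered(): Boolean = debuggerAttached() || !installedFromPlay() || !signatureMatches()

    companion object {
        private const val PLAY_STORE = "com.android.vending"

        // PLACEHOLDER (assumption): replace with the SHA-256 of your release signing certificate,
        // e.g. from `apksigner verify --print-certs app-release.apk`.
        private val EXPECTED_CERT_SHA256: ByteArray = hexToBytes("00".repeat(32))

        private fun hexToBytes(hex: String) =
            ByteArray(hex.length / 2) { hex.substring(2 * it, 2 * it + 2).toInt(16).toByte() }
    }
}
```

Because the digest lives in the APK, an attacker who re-signs the app can also replace the constant; the value of the check is that it forces them to find and patch it. For a verdict the attacker cannot edit, the same signing-certificate digest is what a server-side attestation service reports back to you.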

SafetyNet

SafetyNet Attestation from Google is a service that helps developers determine whether the app is running on a genuine, unmodified device (for example, not a rooted device or an emulator) and returns a signed statement that includes the calling app’s package name and signing-certificate digest, so your server can confirm the request came from your untampered app rather than trusting a check that runs on the client. Google has since deprecated the SafetyNet Attestation API in favour of the Play Integrity API, which returns the same kind of device and app verdicts. Integrating either is a long topic that could be a post in itself, which I might publish later.

ProGuard

Always make sure code shrinking and obfuscation are enabled for your release builds. ProGuard, and R8, which has been the default shrinker in the Android Gradle Plugin since version 3.4 and reads the same rule files, renames classes, methods and fields to short meaningless names and strips unused code, which makes a decompiled app much harder to follow. Bear in mind that obfuscation does not hide string literals: an API key baked into your code is just as readable after R8 as before. You enable it with the following options in your app/build.gradle file.
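Here is the release build type configured for shrinking and obfuscation, written as an added example in the Gradle Kotlin DSL (app/build.gradle.kts); it is not the snippet from the original post. The property and file names are the Android Gradle Plugin’s own.

```kotlin
android {
    buildTypes {
        getByName("release") {
            // R8 (or ProGuard on old AGP) shrinks, optimizes and obfuscates the code.
            isMinifyEnabled = true
            // Also drop resources nothing references after shrinking.
            isShrinkResources = true
            proguardFiles(
                // Ships with AGP; the "-optimize" variant enables optimization passes.
                getDefaultProguardFile("proguard-android-optimize.txt"),
                // Your project-specific -keep rules live here.
                "proguard-rules.pro"
            )
        }
    }
}
```

In a Groovy build.gradle the same three settings are `minifyEnabled true`, `shrinkResources true` and `proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'`. Keep the generated `mapping.txt` from each release build: you need it to de-obfuscate crash stack traces.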

The one thing you need to be careful about is the rules you put in proguard-rules.pro. Anything reached through reflection, JNI or serialization (Gson models, for instance) needs a -keep rule or it will break at runtime, but overly broad rules such as keeping your entire package undo the obfuscation you just enabled.

Securing User Credentials.

Do not store sensitive information on the client side unless you absolutely have to, and never store usernames or passwords on the device at all. Where you must persist secrets such as API keys or access tokens, never store them in their raw form in SharedPreferences, DataStore or a file: anything your app can read, an attacker on a rooted device or with a backup extract can read too. Encrypt them with a key held in the Android Keystore, which cannot be copied out of the app’s storage and is hardware-backed on most devices; encrypting with a key that is itself stored in the app just moves the problem. Yes, it makes access a tiny bit slower, but it makes your users’ details so much more secure.

Database Encryption

Lastly, a lot of folks skip encrypting the data stored in the database because they feel it is too much hassle. It is not. Most mobile databases now offer transparent encryption, so you do not have to encrypt and decrypt individual fields yourself. SQLCipher, an SQLite extension that encrypts database pages with AES-256, has gained a lot of traction and plugs into Room through a SupportSQLiteOpenHelper factory; Realm has its own encryption as well. In both cases the database key has to be protected, ideally generated randomly and wrapped by the Android Keystore, because a key hard-coded in the app gives the encryption little value against someone who has already decompiled it.
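The following added example ties the last two sections together; it is my code, not the author’s, and the class names, the Keystore alias and the preference file name are assumptions. An AES-256-GCM key generated inside the Android Keystore (so it never leaves the Keystore) encrypts both an access token before it goes into SharedPreferences and a randomly generated 32-byte passphrase that opens a Room database through SQLCipher’s `SupportFactory` (the `net.zetetic:android-database-sqlcipher` artifact, which also needs the `androidx.room` dependencies).

```kotlin
import android.content.Context
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import android.util.Base64
import androidx.room.Dao
import androidx.room.Database
import androidx.room.Entity
import androidx.room.Insert
import androidx.room.PrimaryKey
import androidx.room.Query
import androidx.room.Room
import androidx.room.RoomDatabase
import net.sqlcipher.database.SupportFactory
import java.security.KeyStore
import java.security.SecureRandom
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

/** Encrypts small secrets with a non-exportable AES-GCM key that lives in the Android Keystore. */
class SecretVault(context: Context) {
    private val prefs = context.getSharedPreferences("vault", Context.MODE_PRIVATE) // hypothetical name

    /** Load the key from the Keystore, or generate it there on first use. */
    private fun key(): SecretKey {
        val ks = KeyStore.getInstance(KEYSTORE).apply { load(null) }
        (ks.getKey(ALIAS, null) as? SecretKey)?.let { return it }
        val spec = KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setKeySize(256)
            .build()
        return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE)
            .apply { init(spec) }.generateKey()
    }

    fun put(name: String, plaintext: ByteArray) {
        val cipher = Cipher.getInstance(TRANSFORM).apply { init(Cipher.ENCRYPT_MODE, key()) }
        val iv = cipher.iv // Keystore generates a fresh random 12-byte IV for every encryption
        val blob = iv + cipher.doFinal(plaintext) // iv || ciphertext || 16-byte GCM tag
        prefs.edit().putString(name, Base64.encodeToString(blob, Base64.NO_WRAP)).apply()
    }

    fun get(name: String): ByteArray? {
        val blob = prefs.getString(name, null)?.let { Base64.decode(it, Base64.NO_WRAP) } ?: return null
        val spec = GCMParameterSpec(128, blob.copyOfRange(0, 12))
        val cipher = Cipher.getInstance(TRANSFORM).apply { init(Cipher.DECRYPT_MODE, key(), spec) }
        return cipher.doFinal(blob, 12, blob.size - 12) // throws AEADBadTagException if edited on disk
    }

    /** Random 32-byte SQLCipher passphrase, created and stored encrypted on first use. */
    fun databasePassphrase(): ByteArray = get(DB_KEY) ?: ByteArray(32).also {
        SecureRandom().nextBytes(it)
        put(DB_KEY, it)
    }

    companion object {
        private const val KEYSTORE = "AndroidKeyStore"
        private const val ALIAS = "vault-aes-gcm" // hypothetical alias
        private const val TRANSFORM = "AES/GCM/NoPadding"
        private const val DB_KEY = "db_passphrase"
    }
}

@Entity data class Note(@PrimaryKey(autoGenerate = true) val id: Long = 0, val body: String)

@Dao interface NoteDao {
    @Insert fun insert(note: Note)
    @Query("SELECT * FROM Note") fun all(): List<Note>
}

@Database(entities = [Note::class], version = 1)
abstract class AppDatabase : RoomDatabase() {
    abstract fun notes(): NoteDao

    companion object {
        fun open(context: Context, vault: SecretVault): AppDatabase =
            Room.databaseBuilder(context, AppDatabase::class.java, "app.db")
                // SupportFactory zeroes the passphrase array after opening, so pass a fresh copy.
                .openHelperFactory(SupportFactory(vault.databasePassphrase()))
                .build()
    }
}

/** Usage: the token and the database key are both encrypted at rest under the Keystore key. */
fun onLogin(context: Context, accessToken: String): AppDatabase {
    val vault = SecretVault(context)
    vault.put("access_token", accessToken.toByteArray())
    return AppDatabase.open(context, vault)
}
```

Two caveats worth knowing. On a rooted device malware can still call the Keystore key through your app’s process while it runs; the Keystore stops the key and the database passphrase from being lifted off disk, not from being used by code running as you. And a `KeyPermanentlyInvalidatedException` or a failed GCM tag means the stored blobs are gone for good, so treat these secrets as a cache and be ready to re-authenticate.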

PS.

There is no foolproof way to protect your app from being hacked. A persistent attacker will eventually find some way to break it. These are just a few tips to make their job harder. If you have more methods, please feel free to drop a comment or reach out to me on LinkedIn or Twitter.


Converts coffee to code! Writes about software development, automation, android. Connect with me on https://www.mukeshsolanki.com