Exception while decompiling apk

Question

I am trying to make a secured android app. I've enabled proguard in my app. But it doesnt hide any of the xml files or manifest while decompiling. It only changes the .java files.

I tried to decompile apk of another app from play store using apktool. Then I got the following exception

Exception in thread "main" brut.androlib.AndrolibException: brut.directory.Direc
toryException: java.util.zip.ZipException: error in opening zip file
        at brut.androlib.ApkDecoder.hasSources(ApkDecoder.java:199)
        at brut.androlib.ApkDecoder.decode(ApkDecoder.java:83)
        at brut.apktool.Main.cmdDecode(Main.java:146)
        at brut.apktool.Main.main(Main.java:77)
Caused by: brut.directory.DirectoryException: java.util.zip.ZipException: error
in opening zip file
        at brut.directory.ZipRODirectory.<init>(ZipRODirectory.java:55)
        at brut.directory.ZipRODirectory.<init>(ZipRODirectory.java:38)
        at brut.androlib.res.util.ExtFile.getDirectory(ExtFile.java:55)
        at brut.androlib.ApkDecoder.hasSources(ApkDecoder.java:197)
        ... 3 more
Caused by: java.util.zip.ZipException: error in opening zip file
        at java.util.zip.ZipFile.open(Native Method)
        at java.util.zip.ZipFile.<init>(Unknown Source)
        at java.util.zip.ZipFile.<init>(Unknown Source)
        at brut.directory.ZipRODirectory.<init>(ZipRODirectory.java:53)
        ... 6 more

Then the xml files and manifest were not revealed. I would also like to secure my app like this. How is this possible?

Answer 1

To answer your question, it is simply impossible to make your APK fully secure. XML files are easily parsed without apktool.

I asked Ben Gruver/JesusFreke (the guy who developed smali) and he said it is impossible to fully secure an APK file, but you can make it harder for others to decompile. As long as Android can read the resources/code in your project.. then so can tools.

The exception you are seeing while attempting to decompile Gmail is because apktool needs to be updated for Lollipop (which is actively being working on).

The answer by @classc_abc is the best I found for making it harder to decompile an APK. Unfortunately, it contained a spam link and it was removed, but I think the first 4 steps were at least useful.

Basically, there are 5 methods to protect your APK being cracking/ reversing/ repackaging:

1. Isolate Java Program

The easiest way is to make users unable to access to the Java Class program. This is the most fundamental way, and it has a variety of specific ways to achieve this. For example, developers can place the key Java Class on the server, clients acquire services by access relevant interfaces of the server rather than access to the Class file directly. So there is no way for hackers to decompile Class files. Currently, there are more and more standards and protocols services provided through interfaces, such as HTTP, Web Service, RPC, etc. But there are lots of applications are not suitable for this protection. For example, Java programs in stand-alone programs are unable to isolate.

2. Encrypt Class Files

To prevent Class files from being decompiled directly, many developers will encrypt some key Class files, such as registration number, serial number management and other related classes. Before using these encrypted classes, the program needs to decrypt these classes first, then loading these classes into JVM. These classes can be decrypted by hardware, or software.

Developers often loading cryptographic classes through a customed ClassLoader class (Applet does not support customed ClassLoader because of security). Customed ClassLoader will find cryptographic classes first, then decrypt them. And finally loading the decrypted classes to JVM. Customed ClassLoader is a very important class in this protect method. Because it itself is not encrypted, it may be the first target of a hacker. If the relevant decryption key and algorithm have been overcome, then the encrypted classes can easily be decrypted.

3. Convert to Native Codes

Convert program to native codes is also an effective way to prevent decompilation. Because native codes are often difficult to be decompiled. Developers can convert the entire application to native codes, or they can also convert only key modules. If just convert key part of the modules, it will need JNI technology to call when Java programs are using these modules. It abandoned Java's cross-platform feature when using this mothod to protect Java programs. For different platforms, we need to maintain different versions of the native codes, which will increase software support and maintenance workload. But for some key modules, sometimes this solution is often necessary. In order to guarantee these native codes will not be modified or replaced, developers often need to digitally sign these codes. Before using these native codes, developers often need to authenticate these local codes to ensure that these codes have not changed by hackers. If the signature check is passed, then developers can call relevant JNI methods.

4. Code Obfuscation

Code obfuscation is to re-organize and process Class file, making the treated codes accomplish the same function (semantics) with the untreated codes. But the obfuscated codes are difficult to be decompiled, i.e., the decompiled codes are very difficult to understand, therefore decompile staffs are hard to understand the really semantics. Theoretically, if hackers have enough time, obfuscated codes may still be cracked. Even some people are developing de-obfuscate tool. But from the actual situation, since the diversified development of obfuscation, the mature of obfuscation theory, obfuscated Java codes can well prevent decompilation.

[...]