Mobile app development and IT services company RIIS has released a new security tool designed to prevent Android decompilation by hackers on mobile devices.
Dubbed HoseDex2Jar, the tool keeps hackers from using the Dex2Jar tool to decompile Android applications and access data. According to the company, Dex2Jar converts Android APKs into Java .jar files. With the tool, attackers can decompile the .jar file using JD-GUI or JAD into readable source code, revealing all proprietary source code and any information stored on backend databases.
“Developers can take steps such as using tools like ProGuard to obfuscate their code, but up until now, it has been impossible to prevent someone from decompiling an app,” said Godfrey Nolan, RIIS president. “We realized if there was a way to stop Dex2Jar, we would stop all Android decompilation. HoseDex2Jar does just that. It stops Dex2Jar by inserting harmless code in an Android APK that confuses and disables Dex2Jar and protects the code from decompilation.”
Earlier this year, Arxan Technologies issued a report that noted 92 percent of the Top 100 paid iOS applications and 100 percent of the Top 100 paid Google Android applications had hacked versions available in app markets. The report noted that Android Java apps in particular are trivial to decompile back to source code, and that native Android and iOS apps are relatively easy to reverse engineer as well.
“To crack an Android app, hackers can download the app on another machine (e.g., Mac) and run a tool (e.g., apktool) to unpackage the app and disassemble its Dalvik bytecode,” the report notes. Dalvik is the process virtual machine in Google Android’s operating system.
“They analyze the disassembled code or use tools (e.g., dex2jar and a Java decompiler) to decompile Dalvik bytecode to Java source code and analyze the source code,” the report continues. “They can make changes to disable license checks (or other modifications) and repackage the app and resign it.”
In a demonstration with SecurityWeek, Kevin McNamee of Kindsight Security Labs showed how a hacker could use the developer tool “apktool” to decompile the game Angry Birds. When finished, he could see the source code and directories. He then copied the malicious Java program into the “com” directory.
According to RIIS, the new tool represents a step forward in protecting applications from this kind of behavior.
“We’re now able to go a step beyond obfuscation and prevent hackers from decompiling an APK into readable java code,” Nolan said. “This is huge for companies with Android apps available on Google Play.”