Android APP reverse debugging and code protection some basic solutions

Now created an Android development water friends circle, the circle will not regularly update some Android advanced advanced information, welcome everyone with technical problems to discuss, grow together! (Including senior UI engineer, Android underlying development engineer, Android architect, native performance optimization and hybrid optimization, flutter expertise); The hope has the technology big guy to join, the water circle inside solves the problem more obtains the right bigger!

Android has developed rapidly since its inception. Major mobile phone manufacturers have invested in the development, design and development of their own Android system. Since 2016, Android has surpassed ios and become the most influential operating system in the world. There are many reverse methods and reverse tools for Android apps, so reverse debugging plays an important role in Android code protection. This article introduces some methods of Android anti-debugging from four aspects.

Ps: Reverse debugging can not completely prevent reverse behavior, but in the long-term attack and defense war to crack personnel to constantly increase the reverse difficulty.

Shrink, Optimize, Obfuscate, and Veirfy Java code with Android Studio’s ProGuard tool.

Shrink: To remove unnecessary classes, function methods, and fields from code.

Optimize: The Android executable dex is optimized to remove useless instructions.

Obfuscate: Rename code class, function, or variable names using meaningless fields, such as a, B, or C.

Veirfy: Review obfuscated code.

After Proguard, the code program can still be reorganized and processed, and the program logic after processing is exactly the same as before, while the confused code is still difficult to read even after decompilation. At the same time, in the process of confusion, some information that does not affect the normal operation will be permanently lost, which makes the program more difficult to understand.

Proguard also controls obfuscation of a class and of some function methods of a class.

Here’s a before and after comparison:

Confusion before:

After the confusion:

(2) isDebuggerConnected

The Android Debug class provides the isDebuggerConnected function, which is modeled as follows:

The implementation of isDebuggerConnected in VMDebug is in the NDK program.

The isDebuggerConnected function is used to check if a debugger is currently mounted to the program, and if true is returned, it is being debugged. The usage is simple, as follows:

Add the Android :debuggable=”false” attribute under the Application node of the Android manifest file, so that the program can not be debugged. The value of this property can also be detected in Java program code as follows:

The NDK:

Linux kernel ptrace

Ptrace allows process A to control process B, and process A can check and modify process B’s memory and registers. However, a process can only be debugged by one process. Therefore, according to this feature, you can make the process ptrace itself and set the incoming request to PTRACE_TRACEME. After the program is debugged by itself, other debugging operations will fail. (2) File node detection

Once the program is debugged, Linux writes data to the process node. For example, TracePid in /proc/ /status writes to the debugger process PID. If TracePid is not 0, the process is debugged.

The /proc/net/tcp file on Linux will record the local port number of the running process. IDA’s default port number is 23946, which can be detected by reading /proc/net/tcp. If found, the process is being debugged.

Inotify for Linux is used to detect file system changes. It can detect either a single file or an entire directory.

One of the most common things to do in reverse is to dump memory, using the dd command (or gcore if using GDB) to dump the contents of /proc/ /mem or /proc/ /mpas or /proc/ /pagemap.

Here, you can use the Inotify API to monitor these three files, and if you find open, read or write operations, there is a high probability that the process is being cracked.

So file is loaded by JNI_Onload, so file function instruction is fixed, if the debugger is mounted, after the breakpoint is set, the instruction will change (breakpoint address will be changed to BKPT instruction), calculate the hash value of so loaded in memory, Check whether the function is modified or broken to determine whether the debugging state.

A trick method, under normal circumstances, a program in the time difference between the two codes is very short, and for the debugging program, the time difference between the two codes in single-step debugging will be relatively large, detection of the time difference between the two codes, can be a large probability to judge whether the program is debugged.

Android resource files are often maliciously tampered and implanted with various advertisements and plug-ins, which seriously affects the ecological balance of Android APP.

Android SDK has apK signature detection method, Framework PackageManager class provides getPackageInfo() function, function prototype:

When GET_SIGNATURES is passed in as the second parameter, the signature field of the object is returned as the signature information, and the hash value is calculated and compared. There are two practical solutions available:

(1) Verify in the local Java code. If inconsistent, the application will be forcibly withdrawn;

(2) Send the signature information to the server background. The server background records the correct signature information. If the comparison is inconsistent, an error is returned to the error.

These are some basic strategies for anti-debugging and code protection of Android Apps.

Link: pan.baidu.com/s/1W-rLvck9… Extraction code: HQGL