Android: .java files readable from .apk file?_问答_开发者

Android: .java files readable from .apk file?

开发者 https://www.devze.com 2023-02-07 23:59 出处：网络

I\'m currently developing an application for a company which includes livescoring. The XML-files I access (from the net like: \"http://company.com/files/xml/livescoring.xml\") are not intended to be p

相关专题：android apk

I'm currently developing an application for a company which includes livescoring. The XML-files I access (from the net like: "http://company.com/files/xml/livescoring.xml") are not intended to be public and should only known to me.

I was wondering if it is possible for anyone to decode the .apk file and read my original .java files (which include the link to the XML files).

So, I renamed the .apk file to .zip and could access the "classes.dex", which seemed to include the .java files (or classes). Googling led me to a tool named "AvaBoxV2" which decoded this "classes.dex" file. Now I have a folder including an "out" folder where files named .smali exist. I opend one of these with an editor and finally there is the link to 开发者_高级运维the xml file. Not good. :(

Is there a way to encrypt my app or the classes.dex file? I don't want to tell that company, that anyone can access the original xml-files. Maybe signing the app probably helps?

Also, do you know a really noob-friendly tutorial to prepare apps (signing, versioning,...) for Google Market?

Thanks in advance!

The .java source code is not included in the APK.

It is possible to disassemble the Dalvik bytecode into bytecode mnemonics using a tool like baksmali, but there's no way a user can recover the original .java source.

Furthermore, you can use a tool like proguard (included in the Android SDK) to obfuscate your byte code, making it hard to interpret the behavior of the disassembled bytecode.

You can make small tricks too, like storing the link string in some sort of obfuscated form, and then de-obfuscating it at run-time in your app (a simple example would be to use base 64 encoding, but someone could probably reverse that quickly if they wanted to).

That said, it's pretty trivial for someone to run tcpdump and sniff the network traffic between your device and the server, and get the URL that way, so there's no way to completely prevent anyone from getting this value.

Yeah, its impossible to fully prevent something like this. Its the same on a desktop application, or any other application.

As mentioned, obfuscation will help, but people who are persistent can still get past it. Especially for something like a url like that.

One solution of making it much more tricky for hackers is to use PHP on your webserver and some sort of token system to determine if the request is coming from your app or not... That would get a bit tricky though, so I don't really suggest it.