0

DexGuard

Introduction

The most advanced mobile app security software for Android?

As of 2017 there more than 1.6 billion devices running the Android OS.This is way more than Ios. Of the 432 million smartphones sold in the last quarter, 352 million ran Android (81.7 percent) and 77 million ran iOS (17.9 percent), but what happened to the other players? Well, in the same quarter, Windows Phone managed to round up 0.3 percent of the market, while BlackBerry was reduced to a rounding error. The once-great firm sold just over 200,000 units, amounting to 0.0 percent market share. So what is the purpose of this statistics? Because Android is more used worldwide it also makes the OS the number one target to hackers and other security risks. A lot of free hacking tools exist that let anyone easily reverse engineer or even trojanize an Android app. There are a number of possible vulnerabilities for unprotected mobile applications, such as insertion of malware, intellectual property theft, piracy and data theft.

DexGuard to the rescue

DexGuard provides advanced security features tailor-made for the Android operating system. It offers protection against static analysis (code hardening). DexGuard can secures the Android APK/SDK against piracy, cloning, tampering and key extraction by encryption techniques and applying multiple obfuscation. DexGuard also secures the APK against runtime behaviour by running enviroment and certificate checks offers protection against runtime application self-protection or RASP. All this provides best protection for Android apps in sectors proned to outside attacks such as banking apps, e-commerce and so on.

Features of DexGuard

  • Code hardening

This is a feature whereby the system is secured by reducing its surface of vulnerability, which is larger when a system performs more functions. This prevents hackers from finding and exploiting vulnerabilities in the application’s code while it is not running. DesGuard some features to tackle this vulverability:

  1. Obfuscation of arithmetic instructions, control flow, native code and library names, resources and SDK method calls
  2. Encryption of classes, Cordova/Phonegap applications, strings, assets, resource files, native libraries and custom WebViews
  • Runtime Application Self-Protection (RASP) Runtime application self-protection (RASP) is a security technology that is built into an application and can detect and then prevent real-time application attacks. RASP prevents attacks by “self-protecting” or reconfiguring automatically without human intervention in response to certain conditions (threats, faults, etc.). DesGuard provides component for protecting your Android application and securing it against real-time attacks. This prevents hackers from gathering knowledge of the application’s behaviour and modifying it at runtime. This is archieved by:
  1. Detection of debugging tools, emulators, rooted devices, root cloaking frameworks and tampering
  2. SSL pinning and Webview SSL pinning
  3. Certificate checks
  • Code optimization Securing your Android application does not necessarily mean it will run slower. Code optimization techniques ensure that the application retains its speed. DexGuard offers:
  1. Removal of redundant code, logging code and metadata, unused resources and native libraries
  2. Automatic splitting of Dex files that exceed the size constraints imposed by the Dex format
  3. Resource and code optimization

Adding DexGuard to Android project

The first thing to do is tell gradle that we want to use proguard for our release buildType.

android {
  buildTypes {
    release {
      minifyEnabled true
    }
  }
}

You can run proguard now without any further configuration but lets tell proguard a little more about what we want. Proguard gets its configuration from a file in the project called proguard-rules.pro. Lets modify it to tell proguard we want to keep the line numbers in our stacktraces. Modify the contents to looks like this:

-keepattributes SourceFile,LineNumberTable Now we are ready to build the sample project and see it run. Futhermore the proguard-rules.pro can be futherly configured to specifiaclly skip some file becasue it may occur when proguard might rename some methods name hereby causing some problems because it doesn’t know about any reflection you are doing in the code. In this scenario, the -keep class is called -keep class com.github.browep.MainActivity

If you're constructing a build process from scratch: these options shrink, optimize, and obfuscate all public activities, services, broadcast receivers and content providers from the compiled classes and external libraries:

-injars      bin/classes 
-injars      libs 
-outjars     bin/classes-processed.jar 
-libraryjars /usr/local/java/android-sdk/platforms/android-9/android.jar 

-dontpreverify 
-repackageclasses '' 
-allowaccessmodification 
-optimizations !code/simplification/arithmetic 
-keepattributes *Annotation* 

-keep public class * extends android.app.Activity 
-keep public class * extends android.app.Application 
-keep public class * extends android.app.Service 
-keep public class * extends android.content.BroadcastReceiver 
-keep public class * extends android.content.ContentProvider
 
-keep public class * extends android.view.View { 
      public <init>(android.content.Context); 
      public <init>(android.content.Context, android.util.AttributeSet); 
      public <init>(android.content.Context, android.util.AttributeSet, int); 
      public void set*(...); 
} 

-keepclasseswithmembers class * { 
    public <init>(android.content.Context, android.util.AttributeSet); 
} 

-keepclasseswithmembers class * { 
    public <init>(android.content.Context, android.util.AttributeSet, int); 
} 

-keepclassmembers class * extends android.content.Context { 
    public void *(android.view.View); 
    public void *(android.view.MenuItem); 
} 

-keepclassmembers class * implements android.os.Parcelable { 
    static ** CREATOR; 
} 

-keepclassmembers class **.R$* { 
    public static <fields>; 
} 

-keepclassmembers class * { 
    @android.webkit.JavascriptInterface <methods>; 
} 

The above notations will tell ProGuard to keep all fundamental classes that may be referenced by the AndroidManifest.xml , annotations, any custom View extensions and other classes with typical constructors, since they might be referenced from XML layout files, onClick handlers in custom Context extensions, Parcelable implementations and so on as they are exential and will save us future headaches. NOTE If you're using additional Google APIs, you'll have to specify those as well, for instance: -libraryjars /usr/local/android-sdk/add-ons/google_apis-7_r01/libs/maps.jar If you're using Google's optional License Verification Library, you can obfuscate its code along with your own code. You do have to preserve its ILicensingService interface for the library to work: -keep public interface com.android.vending.licensing.ILicensingService

For futher documentation please refer the oficial document page for ProGuard here


All Rights Reserved

Viblo
Let's register a Viblo Account to get more interesting posts.