Protect Android AAB Projects

Introduction

The Android App Bundle (AAB) is the latest publishing format for Android applications and is required by the Google Play Store. As of August 2021, all Android developers who want to publish an Android application on the Google Play Store must submit it in AAB format.

This page introduces how to use Virbox Protector, a security and hardening tool, to protect an AAB-format application quickly.

With Virbox Protector, developers can quickly complete the encryption/protection of an AAB application on local premises, without additional coding. There is no need to upload the application to the cloud, so there is no risk of the Android application leaking through a cloud upload.

Virbox Protector can protect/encrypt an AAB project with either the GUI tool or the CLI tool.

With Virbox Protector, the protected AAB can defend against debugging and decompiling and prevent IDA or other reverse engineering tools from parsing it to crack it and obtain source code. Signature verification prevents repackaging and protects critical code and IP from being stolen or tampered with.

Use the Virbox Protector GUI tool to protect an AAB project in 7 steps

  1. Import the AAB project into Virbox Protector; drag the AAB project into Virbox Protector

  2. Set the configuration of "Protection Option"; (Protect the AAB in general)

  3. Set the configuration of "Function Option"; (Protect specified functions)

  4. Set the configuration of "Resource Encryption" (Protect the AAB resources & assets)

  5. Set the configuration of "Native library Protection" (Protect libs)

  6. Click to start the "Protection" process

  7. Back up the source file, use the protected project for further testing, and save the "configuration" file, which can be reused when you update the AAB version later.

Prerequisites

Sign up for Virbox Protector and install it;

Find the Virbox Protector GUI tool, virboxprotector.exe, in \bin, a subdirectory of the Virbox Protector installation directory, and execute it.

Sign in with your account, as shown in the snapshot below:

The above prerequisites are for testing/evaluating Virbox Protector only.

To protect formal and commercial release software, please purchase the related Virbox Protector license.

Protection Process

1. Import the AAB project into Virbox Protector;

Open Virbox Protector and drag the AAB project into it, or:

Click Menu-->File-->Open File in the main menu of Virbox Protector and select the project (AAB format) that you plan to protect;

2. Set the configuration of "Protection Option"; (Protect the AAB in general)

Go to "Protection Option" to set:

2.1 Output path and output file name: click the box on the right to change the output path and name;

By default, the protected AAB file is written to a newly created subdirectory, \protected\<same AAB name>, in the same directory; click "..." to change it.

The configuration file is also generated in the same directory as the source AAB file;

2.2 Set the general protection options for the Android APK to prevent debugging and decompiling

"Dex Encryption": protects and encrypts the Dex file in general and hides the file to prevent decompiling;

Selecting "Dex Encryption" is not recommended if the AAB will be published in the Google Play Store, to avoid failing the Google check. Use Virtualization instead to protect the functions contained in the Dex file.

"Anti-Debugging": uses multiple detection techniques to detect debugging. When IDA or another third-party debugging tool is used to debug the protected APK/AAB project, the protected APK/AAB exits directly;

"File Check": ensures file integrity by using a hash to verify the integrity of each file contained in the AAB package and make sure it has not been tampered with. This is a stronger security option; selecting it is recommended.

"Anti-Injection": uses dual-process ptrace technology to prevent another process from attaching a debugger to, or injecting into, the APK process;

"Signature check" (Optional): checks/verifies the developer signature to prevent repackaging and tampering; alternatively, you may use the Google signature;

"Emulator Detection": prevents the App/AAB from running in an emulator environment;

"Root Detection": prevents the App/AAB from running on a rooted device;

"Multi-Parallel Detection": prevents the App/AAB from running with multiple accounts;

Click "Enable sign" to set/input the keystore file, path, password, etc.;

2.3 Sign setting and keystore path setting

If you want to publish your AAB package in the Google Play Store, do not set a keystore file here; otherwise Google Play Store will also sign your AAB file later, which will cause your AAB package to crash.

2.3.1 Click "Enable Sign" and input the keystore file, path, password, etc.;

A keystore file can be generated if no keystore file is available:

Use the following command to generate a new keystore file:

keytool -genkey -alias aliasname -keyalg RSA -validity 36500 -keystore filename

2.3.2 Enable sign: the package is signed automatically after protection.

If sign is not enabled, the package needs to be signed after protection, or you can use the Google signature later;

If you did not click "Enable sign" and do not use the Google Play Store to publish your AAB project, refer to the following signing command:

jarsigner -digestalg SHA1 -sigalg SHA256withRSA -keystore <keystore_file> -storepass "<password>" -keypass "<alias_password>" "<aab_package_to_be_signed>" "<alias_name>"

3. Set the configuration of "Function Option"; (Protect specified functions)

Virbox Protector lets developers protect specified functions (methods) in the DEX file with "DEX Virtualization" protection.

"DEX Virtualization" converts the bytecode of DEX methods into the instructions of a self-defined virtual machine, which interprets and executes them. With "DEX Virtualization", the bytecode of a method cannot be reversed or decompiled.

Go to the "Function Option" tab to set the protection options for specified functions.

Add the specified functions (methods) that need to be protected:

Click "Add Functions" to select and add the functions that need to be protected. It is recommended to protect those functions that are critical (to keep execution performance).

Select "Virtualization" as the protection mode

Virbox Protector provides the "Virtualization" mode to protect the functions contained in the DEX file. The mechanism converts the bytecode of a Dex method into self-defined VM instructions, which are then executed. The "Virtualization" protection mode enhances the security of protected AAB projects.

The default protection mode in Virbox Protector is "Virtualization", and the entry functions are selected for protection by default, but you need to select the critical functions yourself.

4. Set the configuration of "Resource Encryption" (Protect the AAB resources and assets)

Virbox Protector can protect the files, pictures, configuration files and script files under \assets;

Before going to "Resource Encryption" to encrypt resources and assets, click "Save Selected Configuration" to save the configuration settings; then go to "Resource Encryption", switch on the "Enable" button, and select the asset and resource files to be protected, or delete files.

5. Set the configuration of "Native library Protection"

Virbox Protector can encrypt/protect .so libs, including "Encryption" and "Compression" of the code section of the .so libs, hiding the import/export functions, etc.

For developers who keep critical functions and algorithms in .so libs, Virbox Protector provides an additional license to protect (Virtualization) the functions and algorithms contained in the .so libs. Please refer to the relevant sections.

Go to "Native libs"

Click to select the files (libs) to be protected;

Click to hide the symbol table (optional)

6. Click to Start the "Protection" Process

Click "Save Selected Configurations" to save the configuration file, or click "Save all configuration" if you have set up multiple projects. After saving, you will find a newly generated "ssp" configuration file; in this example, "app-release.aab.ssp" has been generated in the output directory.

Click "Protect Selected Project" to start the protection process; a new protected project is generated. In this example, the protected AAB project is located in the new subdirectory: \protected\app-release.aab.

7. Back up the source project, use the protected AAB file for further testing, and save the "configuration" file.

Signature Option: selecting this option is not recommended for an AAB project published in the Google Play Store.

When you have finished all evaluation and testing of the protected AAB project, the next step is to publish it in the Google Play Store.

As recommended under "Protection Option", if you want to publish your AAB project in the Google Play Store, use Google's signature and DO NOT use the Virbox Protector signature option, to avoid a signature conflict and a crash at execution. So, when you set up your Google account, select "Let Google manage and protect your app signing key".

For the rest of the settings for publishing in the Google Play Store, follow Google's instructions. For more detail, refer to the official Google instructions.

Do not publish an AAB package protected with a Virbox Protector trial license. Please use a formal release license to protect your AAB package and publish it in the Google Play Store.
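One way to confirm, before upload, which of the two signing paths described above a protected AAB actually followed (an added example, not Virbox or Google code): it looks for the META-INF entries that jarsigner writes. The function names and the in-memory sample bundle are constructed for illustration.

```python
import io
import re
import zipfile

# jarsigner writes a signature file (.SF) and a signature block (.RSA/.DSA/.EC)
# under META-INF/, both named after the key alias.
SF_RE = re.compile(r"^META-INF/([^/]+)\.SF$", re.IGNORECASE)
BLOCK_RE = re.compile(r"^META-INF/([^/]+)\.(?:RSA|DSA|EC)$", re.IGNORECASE)


def jar_signers(aab):
    """Return signer names that have both an .SF and a signature block entry."""
    with zipfile.ZipFile(aab) as zf:
        names = zf.namelist()
    sf = {m.group(1).upper() for m in map(SF_RE.match, names) if m}
    blocks = {m.group(1).upper() for m in map(BLOCK_RE.match, names) if m}
    return sorted(sf & blocks)


def signing_state(aab, for_google_play):
    """Compare the signature entries found with the path this page describes."""
    signed = bool(jar_signers(aab))
    if for_google_play:
        # Page guidance: leave "Enable sign" off and let Google sign.
        return "unexpected-signature" if signed else "ok"
    # Outside Google Play: "Enable sign" or the jarsigner step must have run.
    return "ok" if signed else "missing-signature"


def sample_aab(signed):
    """Constructed in-memory bundle; entry contents are dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("BundleConfig.pb", "base/manifest/AndroidManifest.xml",
                     "base/dex/classes.dex"):
            zf.writestr(name, b"constructed")
        if signed:
            # jarsigner's default file name: alias upper-cased, first 8 chars.
            for name in ("MANIFEST.MF", "ALIASNAM.SF", "ALIASNAM.RSA"):
                zf.writestr("META-INF/" + name, b"constructed")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for signed in (False, True):
        print(signed, jar_signers(sample_aab(signed)),
              signing_state(sample_aab(signed), for_google_play=True))
```

This only detects that signature entries are present; `jarsigner -verify` checks that a signature is valid.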

Use Virbox Protector CLI tool to protect AAB project

As with other applications, developers have 2 options for protecting an AAB package.

Option 1:

Use the Virbox Protector GUI tool to protect the project and generate the "configuration" file, which saves the "Protection Option" settings, by clicking "Save Selected Configuration".

Save the "configuration" file in the same folder as your AAB package, then use the Virbox Protector CLI tool to protect your AAB package.

virboxprotector_con <file_path> <options ...> -o <output_path>

Option 2:

Use the Virbox Protector CLI to protect the AAB package directly, with options and arguments that specify the protection options.

Developers use the "long command line" to specify protection options:

Long Command Line syntax

virboxprotector_con --{opt}=value

value=1 means "switch on"; value=0 means "switch off".

For example:

--mem-check=1, --jit-enc=0

Long Command Line setting: Protection Option setting

| Protection Option Setting                   | Command line option | Default value |
|---------------------------------------------|---------------------|---------------|
| DEX Encryption                              | --dex-enc=          | apk:1, AAB:0  |
| File Check                                  | --file-check=       | 1             |
| Enable sign                                 | --sign-check=       | 0             |
| Anti Injection                              | --anti-inject=      | 1             |
| Debugger detection                          | --detect-dbg=       | 0             |
| Emulator detection                          | --detect-emu=       | 0             |
| Root Detection                              | --detect-root=      | 0             |
| Multi parallel detection                    | --detect-multi=     | 0             |
| Output apk (valid when AAB signing enabled) | --apks=<apks_path>  | N/A           |
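An added example (not part of Virbox Protector) that assembles the long command line from the table above for a build pipeline and refuses the two settings this page advises against for Google Play builds. The function name and the policy tuple are assumptions; the flags and defaults are the table's, and nothing is executed.

```python
# Flags and AAB defaults copied from the option table on this page.
DEFAULTS_AAB = {
    "dex-enc": 0, "file-check": 1, "sign-check": 0, "anti-inject": 1,
    "detect-dbg": 0, "detect-emu": 0, "detect-root": 0, "detect-multi": 0,
}
# Assumption: policy derived from this page's Google Play guidance
# (no Dex Encryption; "Enable sign", listed as --sign-check, left off).
PLAY_MUST_BE_OFF = ("dex-enc", "sign-check")


def build_argv(aab_path, output_path, overrides=None, for_google_play=True):
    """Return the virboxprotector_con argv list; raise ValueError on bad input."""
    if not aab_path.lower().endswith(".aab"):
        raise ValueError("input is not an .aab file: " + aab_path)
    opts = dict(DEFAULTS_AAB)
    for name, value in (overrides or {}).items():
        if name not in DEFAULTS_AAB:
            raise ValueError("unknown option: --" + name)
        if type(value) is not int or value not in (0, 1):
            raise ValueError("--%s must be 0 or 1, got %r" % (name, value))
        opts[name] = value
    if for_google_play:
        bad = ["--" + n for n in PLAY_MUST_BE_OFF if opts[n] == 1]
        if bad:
            raise ValueError("not allowed for a Google Play build: " + ", ".join(bad))
    # Syntax from the page: <file_path> <options ...> -o <output_path>
    argv = ["virboxprotector_con", aab_path]
    argv += ["--%s=%d" % (name, value) for name, value in opts.items()]
    argv += ["-o", output_path]
    return argv


if __name__ == "__main__":
    print(" ".join(build_argv("app-release.aab", r"protected\app-release.aab",
                              overrides={"detect-root": 1})))
```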

Use --help=apk to view help:
