Protect Android APK Projects

Quick Start Guide:

Introduction

Virbox Protector helps developers protect Android APK projects against reverse engineering, decompiling, repackaging and tampering by third parties. Developers can use Virbox Protector to protect/encrypt the APK and its ELF files, functions, resources and .so libs.

This guide introduces how to use Virbox Protector, a security hardening tool, to protect an APK application quickly.

With Virbox Protector, developers can complete the encryption/protection of an APK application quickly, without additional coding and on local premises. There is no need to upload your application to the cloud, so there is no risk of your Android application leaking through an upload.

Virbox Protector supports protecting/encrypting APK projects with both the GUI tool and the CLI tool.

With Virbox Protector, the protected APK is able to defend against debugging/decompiling and to prevent IDA or other reverse engineering tools from parsing it to crack your APK project and obtain source code. With signature verification, it prevents repackaging and protects critical code and IP from being stolen or tampered with.

Protect APK project in 7 Steps

  1. Import the APK project into Virbox Protector (drag the APK project into Virbox Protector)

  2. Set the configuration of "Protection Option" (protect the APK in general)

  3. Set the configuration of "Function Option" (protect specified functions)

  4. Set the configuration of "Resource Encryption" (protect the APK resources and assets)

  5. Set the configuration of "Native library Protection" (protect .so libs)

  6. Click to start the "Protection" process

  7. Back up the source file, use the protected project for further security testing, and save the "configuration" file.

Prerequisites

Sign up for Virbox Protector and install it;

Open Virbox Protector and sign in with your account;

To protect formal and commercial release software, please purchase the related Virbox Protector license.

Protection Process (Virbox Protector GUI tool)

1. Import the APK project into Virbox Protector;

Open Virbox Protector and drag your Android APK project into it, or:

Click Menu-->File-->Open File in the main menu of Virbox Protector to select the project (APK format) which you plan to protect;

2. Set the configuration of "Protection Option"; (Protect the APK project in general)

Go to "Protection Option" to set:

2.1 Output path and output file name: click the box on the right to change the output path and name;

By default, the output is located at: \protected\same name of source apk, in a new subdirectory generated in the same directory; click "..." to change the output path.

A configuration file with the .ssp suffix is also generated in the output path (directory). This configuration file stores all of the protection options you set, and can be used for the next version update.

2.2 Set the general protection options for the Android APK to prevent debugging and decompiling

"Dex Encryption": Protect and encrypt the Dex file in general and hide the file to prevent decompiling;

Selecting "Dex Encryption" is not recommended if the APK project will be published in the Google Play Store, to avoid failing Google's check. Instead, use Virtualization to protect the functions contained in the Dex file (set in the "Function Option").

"Anti-Debugging": uses multiple detection techniques; when someone uses IDA or another third-party debugging tool to debug the protected APK/AAB project, the protected APK/AAB exits directly;

"Signature check" (Optional): Check/verify the developer signature to prevent repackaging and tampering; or use Google signature.

"File Check": ensures file integrity by using a hash to verify the integrity of each file contained in the AAB package and make sure it has not been tampered with. This is an additional security option; selecting it is recommended.

"Anti-Injection": uses dual session ptrace technology to prevent another session from attaching a debugger to, or injecting into, the APK session;

"Emulator Detection": prevents the App/AAB from running in an emulator environment;

"Root Detection": prevents the App/AAB from running on a rooted device;

"Multi-Parallel Detection": prevents the App/AAB from running with multiple accounts;

2.3 Sign setting and keystore path setting

Click "Enable Sign" to set the keystore file, path, password, etc.;

If you do not click "Enable sign", the protected APK needs to be signed manually.

2.3.1 A keystore file can be generated if no keystore file is available:

Use the following command to generate a new keystore file:

keytool -genkey -alias aliasname -keyalg RSA -validity 36500 -keystore filename

2.3.2 Enable sign:

Select this option to sign after protection, or:

leave it unselected and use the Google signature instead later.

3. Set the configuration of "Function Option"; (Protect specified function)

Virbox Protector supports protecting specified functions (methods) in the dex file with "DEX Virtualization" protection.

"DEX Virtualization" converts the bytecode of DEX methods into the instructions of a self-defined virtual machine, which are interpreted and executed by that virtual machine. With "DEX Virtualization", the bytecode of a method cannot be reversed and decompiled.

Go to "Function Option" to set the protection options for the critical, specified "functions" which need to be protected.

Add the functions which need to be protected:

Click "Add Functions" to select and add the functions which need to be protected. It is recommended to protect only the critical functions, and not to select all functions, in order to keep execution performance.

Select "Virtualization" as the protection mode

Virbox Protector provides the "Virtualization" mode to protect the functions contained in the DEX file. The mechanism converts the bytecode of the Dex methods into self-defined VM instructions, which are then executed. The "Virtualization" protection mode dramatically enhances the security of protected APK projects.

The default protection mode in Virbox Protector is "Virtualization", and the entry functions are protected by default. For other functions, you need to select the critical ones yourself.

Save your configuration: before setting "Resource Encryption", please save your "configuration" by clicking the "Save Selected Configuration" button in the GUI menu.

4. Set the configuration of "Resource Encryption" (Protect the APK resource and assets)

Virbox Protector supports protecting the files, pictures, configuration and script files under \assets;

Before going to "Resource Encryption" to encrypt the resources and assets, please click "Save Selected Configuration" to save the configuration settings; then go to "Resource Encryption", switch on the "Enable" button, and select the asset and resource files to be protected, or delete files.

5. Set the configuration of "Native library Protection"

Virbox Protector supports encrypting/protecting .so libs, including encrypting and compressing the code section of the .so libs, hiding the import/export functions, etc.

For developers who keep critical functions and algorithms in .so libs, Virbox Protector provides an additional license to protect (virtualize) the functions and algorithms contained in the .so libs. Please refer to the relevant sections.

Go to "Native libs"

Click "Select Files" (libs) to select the files to be protected;

Click to select "Hide Symbol Table" (optional)

6. Click to Start the "Protection" Process

Click "Save Selected Configurations" to save the configuration file, or click "Save all configuration" if you have set up multiple projects. After saving, you will find a new "ssp" configuration file; in the example below, "01.adobe.reader.apk.ssp" has been generated in the output directory.

Click "Protect Selected Project" to start the protection process; a new protected project will be generated.

In the example below, the protected APK project is located in the newly generated subdirectory:

\protected

The configuration file which stores the protection option settings is also generated, and can be used for the next version update.

01.adobe.reader.ssp.apk.

7. Back up the source project, use the protected file for further security testing, and save the "configuration" file.
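One check for the security-testing step above, as an added example that is not Virbox Protector's own code: compare per-file SHA-256 hashes of the source and protected APK to confirm that the entries you selected for protection actually changed. It assumes a protected entry keeps its archive path while its bytes change; the function names and the sample archive contents are constructed for illustration.

```python
import hashlib
import io
import zipfile

# Entry groups matching the page's protection tabs (DEX, assets, native libs).
GROUPS = {
    "dex": lambda n: n.startswith("classes") and n.endswith(".dex"),
    "assets": lambda n: n.startswith("assets/"),
    "native": lambda n: n.startswith("lib/") and n.endswith(".so"),
}

def entry_hashes(apk):
    """Map each archive entry to the SHA-256 of its uncompressed bytes."""
    with zipfile.ZipFile(apk) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist() if not i.is_dir()}

def audit(original, protected, selected):
    """Diff two APKs; `selected` holds the entries chosen for protection.
    Assumption: a protected entry keeps its path and its bytes change."""
    before, after = entry_hashes(original), entry_hashes(protected)
    report = {k: [] for k in (*GROUPS, "other", "unchanged_selected", "missing")}
    for name, digest in sorted(before.items()):
        if name not in after:
            report["missing"].append(name)
        elif after[name] != digest:
            group = next((g for g, hit in GROUPS.items() if hit(name)), "other")
            report[group].append(name)
        elif name in selected:
            report["unchanged_selected"].append(name)  # protection not applied
    report["added"] = sorted(set(after) - set(before))
    return report

def make_apk(entries):
    """Build an in-memory ZIP standing in for an APK (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return io.BytesIO(buf.getvalue())

# Constructed sample contents, not taken from a real application.
SAMPLE_SRC = {"classes.dex": b"dex original", "assets/config.json": b"{}",
              "assets/logo.png": b"png", "lib/arm64-v8a/libcore.so": b"elf"}
SAMPLE_OUT = {**SAMPLE_SRC, "classes.dex": b"dex rewritten",
              "assets/config.json": b"\x8f\x02\x1c", "lib/arm64-v8a/libadded.so": b"x"}

if __name__ == "__main__":
    print(audit(make_apk(SAMPLE_SRC), make_apk(SAMPLE_OUT), {"lib/arm64-v8a/libcore.so"}))
```

With real files, pass the two APK paths instead of the in-memory samples; any name in `unchanged_selected` is an entry that shipped byte-identical to the source.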

Signature Option: selecting this option is not recommended for APK projects published in the Google Play Store.

When you have finished all evaluation and testing of the protected APK project, the next step is to publish your APK project in the Google Play Store.

When setting the "Protection Option", we recommended that if you want to publish your APK project in the Google Play Store, you use Google's signature and do not use the Virbox Protector signature option, to avoid a signature conflict and a crash at execution. So, when you set up your Google account, you need to select "Let Google manage and protect your app signing key".

For the rest of the settings for publishing in the Google Play Store, just follow Google's instructions. For more detail, you may refer to Google's official instructions:

https://support.google.com/googleplay/android-developer#topic=

Protection Process by Virbox Protector CLI tool

As with protecting other applications, developers have 2 options to protect an AAB package.

Option 1:

Use the Virbox Protector GUI tool to protect the project and generate the "Configuration" file, which saves the "Protection Option" settings, by clicking "Save Selected Configuration".

Save the "configuration" file in the same folder as your AAB package, then use the Virbox Protector CLI tool to protect your APK package.

Option 2:

Use the Virbox Protector CLI to protect the APK package directly, with options and arguments that specify the protection options.

Here we introduce Option 1 and Option 2 step by step as follows:

Option 1

1. Generate the .ssp configuration file, which saves the "Protection Option" settings

Before using the Virbox Protector CLI tool to start protection, you need to generate a "configuration" file which stores the "protection option" settings for the APK to be protected.

Open the Virbox Protector Standalone GUI tool and sign in with your account and password.

Refer to the protection process with the Virbox Protector GUI tool above to set the configuration in the Function Option, Protection Option, Resource Encryption and Native Library tabs, then click "Save All Configuration".

Then go to the output directory, where you will find that the .ssp file has been generated. See the sample file attached.

Put the configuration file generated by the Virbox Protector GUI tool in the first step into the same directory as the Android APK.

virboxprotector_con <file_path> <options ...> -o <output_path>

Generating a configuration file is optional. If no configuration file is generated, then when you use the Virbox Protector CLI tool to protect the APK/AAB file, the protected APK/AAB will not be signed by default.

Option 2

Run the Virbox Protector CLI tool: virboxprotector_con

Open a console terminal, go to Virbox Protector's installation folder on your machine, find virboxprotector_con.exe and run it in the command-line terminal:

The default installation directory on Windows is:

C:\Program Files\senseshield\Virbox Protector 3 Trial\bin

The default installation directory on Linux is:

/usr/share/virboxprotector/bin

Input:

virboxprotector_con.exe

to view the help info.

Use the Virbox Protector CLI tool to protect the APK directly:

virboxprotector_con <file_path> <options ...> -o <output_path>

For most application types, the Virbox Protector CLI tool will recognize the application type and protect the application with the default protection options.

Another way is for the developer to use the "long command line" to specify protection options:

Long Command Line syntax

virboxprotector_con --{opt}=value

value=1 means "switch on"; value=0 means "switch off".

For example

--mem-check=1, --jit-enc=0

Long Command Line setting: Protection Option setting

Use --help=apk to view help:

After protection completes, the tool returns a message that protection succeeded.