6

Is there a way to somehow 'protect' a native shared library (.so) for the Android platform against binary changing? E.g. someone could overwrite a JMP instruction with a NOP after reverse engineering the application, and distribute that library to rooted devices.

Is there anything someone can do?

What I'm looking for here is ideas about implementing a series of checks (e.g. encryption, checksumming etc). Of course since the platform does not look like it offers support for this (correct me if I'm wrong) it would have to be all 'client-side'. Thus the whole thing is a bit futile, but at least will hinder reverse engineering some.

AstroCB
  • 12,337
  • 20
  • 57
  • 73
AndroidSec
  • 299
  • 1
  • 5
  • 13
  • Of course you can implement SO protection by letting it calculate its own checksum, encrypt parts of its code itself. It's all similar to what was done in Windows for years (but harder). But if you don't have experience with protecting modules on Linux, you better not start. I don't know if there exist pre-created protection products for your task. – Eugene Mayevski 'Callback Mar 10 '13 at 07:50
  • Thank you @EugeneMayevski'EldoSCorp. I'd like to try - how do you calculate your own checksum? – AndroidSec Mar 10 '13 at 12:59

1 Answers1

4

Yes there are things you can do, and they will make it very challenging for the Reverse Engineer, but I doubt you'd be able to do anything that would stop Chris Eagle.

The best way to protect from modification is to take a SHA-2 of the .so after you compile it, and rehash each time at runtime, matching it against the known value. This check will be enforced on the client side, so a skilled RE could just modify the binary to ignore the check. It does make it a bit harder though. If you put checks all throughout your code and use different checking techniques then it extends the amount of work the RE has to do. Do know however that Microsoft has poured millions of dollars into anti-RE techniques and there are still pirated copies of Office and Windows out there. You'll never stop them all. My personal philosophy (now that I've studied RE myself) is that it is ultimately too much of a pain to try and stop them. Just make a good app, make it cheap, and people will buy. The miscreants that steal your stuff wouldn't have bought it anyway.

If your app calls home you could also submit the hash to the server for verification. Of course and RE can still bypass this but it is one more thing to do.

Freedom_Ben
  • 11,247
  • 10
  • 69
  • 89