8

I have a free to download Android app, which comes with in-app purchase item (Non-consumable Items)

Recently, I found several black markets carry my Android app, with all the in-app purchase item can be accessible freely.

I was wondering, how does the crackers do so? This is what I had done on my side.

  • Have proguard to obfuscate my Android code.
  • Have the following in-app purchase code from Google official example. my onCreate will trigger updateIsPremium.

The code is as follow

private void updateIsPremium() {
    if (mHelper != null) {
        return;
    }

    /* base64EncodedPublicKey should be YOUR APPLICATION'S PUBLIC KEY
     * (that you got from the Google Play developer console). This is not your
     * developer public key, it's the *app-specific* public key.
     *
     * Instead of just storing the entire literal string here embedded in the
     * program,  construct the key at runtime from pieces or
     * use bit manipulation (for example, XOR with some other string) to hide
     * the actual key.  The key itself is not secret information, but we don't
     * want to make it easy for an attacker to replace the public key with one
     * of their own and then fake messages from the server.
     */
    String base64EncodedPublicKey = "...";

    base64EncodedPublicKey = decrypt(base64EncodedPublicKey);

    mHelper = new IabHelper(MyApplication.instance(), base64EncodedPublicKey);

    // enable debug logging (for a production application, you should set this to false).
    mHelper.enableDebugLogging(false);

    mHelper.startSetup(new IabHelper.OnIabSetupFinishedListener() {
        public void onIabSetupFinished(IabResult result) {
            Log.d(TAG, "Setup finished.");

            if (!result.isSuccess()) {
                // Oh no, there was a problem.
                // (Do not use alert dialog. It is difficult to handle it
                // correctly due to bug in v4)
                //Utils.showLongToast(getString(R.string.problem_setting_up_in_app_billing_template, result.toString()));
                return;
            }

            // Have we been disposed of in the meantime? If so, quit.
            if (mHelper == null) return;

            // IAB is fully set up. Now, let's get an inventory of stuff we own.
            Log.d(TAG, "Setup successful. Querying inventory.");
            //mHelper.queryInventoryAsync(mGotInventoryListener);

            // http://stackoverflow.com/questions/15471131/in-app-billing-v3-unable-to-query-items-without-network-connection-or-in-airplan/15471951#15471951
            // Not sure this is going to help to solve the problem :
            // In-app billing v3 unable to query items without network 
            // connection or in airplane/flight mode
            List<String> skulist = new ArrayList<String>();
            for (Shop shop : Shop.values()) {
                skulist.add(shop.sku);
            }
            try {
                mHelper.queryInventoryAsync(true, skulist, mGotInventoryListener);
            } catch (java.lang.IllegalStateException exp) {
                // Ugly fix on mystery crash :
                // java.lang.IllegalStateException: Can't start async operation (refresh inventory) because another async operation(launchPurchaseFlow) is in progress.
                Utils.showLongToast(getString(R.string.failed_to_query_inventory_template, exp.getMessage()));
            }
        }
    });
}

// Listener that's called when we finish querying the items and subscriptions we own
IabHelper.QueryInventoryFinishedListener mGotInventoryListener = new IabHelper.QueryInventoryFinishedListener() {
    public void onQueryInventoryFinished(IabResult result, Inventory inventory) {
        Log.d(TAG, "Query inventory finished.");

        // Have we been disposed of in the meantime? If so, quit.
        if (mHelper == null) return;

        // Is it a failure?
        if (result.isFailure()) {
            return;
        }

        Log.d(TAG, "Query inventory was successful.");

        final MyOptions myOptions = MyApplication.instance().getMyOptions();
        myOptions.setInventory(inventory);

        /*
         * Check for items we own. Notice that for each purchase, we check
         * the developer payload to see if it's correct! See
         * verifyDeveloperPayload().
         */

        // Update shop information.

        boolean atLeastBoughtOne = false;
        for (Shop shop : Shop.values()) {
            final Purchase purchase0 = inventory.getPurchase(shop.sku);

            final boolean mIsPurchase0 = (purchase0 != null && org.gui.billing.Utils.verifyDeveloperPayload(purchase0));                

            if (mIsPurchase0) {
                atLeastBoughtOne = true;
                myOptions.bought(shop);
            } else {
                myOptions.cancel(shop);
            }
        }

        myOptions.turnOnShopChecked();
    }
};

// We're being destroyed. It's important to dispose of the helper here!
@Override
public void onDestroy() {
    super.onDestroy();

    if (this.isFinishing()) {
        // very important:
        Log.d(TAG, "Destroying helper.");
        if (mHelper != null) {
            try {
                mHelper.dispose();
            } catch (java.lang.IllegalArgumentException ex) {
                Log.e(TAG, "", ex);
            }
            mHelper = null;
        }
    }
}

// The helper object
public static IabHelper mHelper;

May I know, how does cracker able to reverse engineer my obfuscated code?

I was wondering, is there any more pre-caution steps I can take, to avoid my in-app purchase item being cracked? Will App Licensing help? My understanding on App Licensing is that, it is only useful for "paid app", not "free app with in-app purchase items"

AstroCB
  • 12,337
  • 20
  • 57
  • 73
Cheok Yan Cheng
  • 47,586
  • 132
  • 466
  • 875

4 Answers4

2

Reverse-engineering obfuscated code is actually not that difficult. I've done it for legitimate reasons, such as figuring out how to use a very poorly-documented library that some suit had committed us to using without consulting the development team. You just decompile the app or library and load it up in your IDE. The names of public methods can't be obfuscated, so you start from there, figure out what's what, and use your IDE's refactoring tool to start giving everything meaningful names. You can completely reverse-engineer an app in about a day.

For all practical purposes, you are powerless to prevent this kind of hacking. If your app can be run, it can be decompiled. If your media can be viewed, it can be copied. The only way to stop this would be to encrypt your software so it can only be run on a proprietary device with an embedded key, tamper sensors, and a self-destruct mechanism. That's why the software and media industries have been seeking legal rather than technical solutions -- or hybrid solutions where they come up with some totally worthless technical solution and then issue legal challenges to anyone who circumvents it.

Kevin Krumwiede
  • 9,868
  • 4
  • 34
  • 82
  • I do know how to convert dex to jar, and use java decompiler to decompile the jar file, into bunch of obfuscated source code files. However, my feeling is that, it is almost impossible to re-compile the bunch of obfuscated source code files, back to APK. Do you know any of such technique? – Cheok Yan Cheng Jan 28 '15 at 09:14
  • 1
    @CheokYanCheng apkanalyser from sony allows for `Modify the APK file with predefined Dalvik bytecode injections.` – marcinj Jan 28 '15 at 09:18
2

You should investigate those changes yourself. I assume your app was modified by hackers, so you probably can download it. Then you should decompile it your self, then decompile also your original app, and using diff tool find differences. This is how I do it:

I use apkanalyzer from sony to generate smali code:

http://developer.sonymobile.com/knowledge-base/tools/analyse-your-apks-with-apkanalyser/

save all the smali code in one folder, for hacked apk. And do the same for original apk. Then use some folder diff tool.

This way you will find what hackers have done to your app, and be able (possibly) to add fixed that will make hackers (possibly) unhappy.

marcinj
  • 48,511
  • 9
  • 79
  • 100
0

You have to understand how to crack android applications at first.

There are many tutorials on the internet, and here is a tool I've coded recently: http://forum.exetools.com/showthread.php?t=16538

Yaser Alnajjar
  • 395
  • 5
  • 18
0

Obfuscate is only minimum guard. And you are using exactly the same as Google example. Everyone knows it. You must modify it!

  1. Did you verify the signature?
  2. Did you use developer payload on your server?

Follow these guidelines and you will be safe. This is a good stuff. http://developer.android.com/google/play/billing/billing_best_practices.html

As addition, I don't think App Licensing will make it safer. It just the same thing if cracker can read your codes. Just bypass the License Check and share the apk.

stuckedunderflow
  • 3,551
  • 8
  • 46
  • 63