
Is it possible to decode native code compiled and linked to Android through the NDK?

And is it possible from the apk to reconstruct the project and import it to Eclipse (or any other IDE)?

Is it possible to use the .so files in the apk file again to reconstruct the project or with another project if the Java native function declaration is done appropriately?

4 Answers


Decompiling native code to source code is (probably, I haven't tried it) possible; there are some tools like this: https://www.hex-rays.com/products/decompiler/

It's possible to reconstruct the project from the apk, but the code will be obfuscated (weird class and method names). You may check your app against apk2gold (https://github.com/lxdvs/apk2gold).

As for your last question, with a little effort - yes.

jaroslawj
  • I thought about making my native code do some checking on package names and crash if they are changed. Would that help? @jaroslawj –  Mar 04 '15 at 23:13
  • To some extent - yes. But reverse engineering of your library can "disable" this limitation or change the checked package name. You may check the "strings" command on your .so file - it will show you visible symbols. An attacker can also "adapt" your package naming in his Java code... – jaroslawj Mar 05 '15 at 06:04
  • Have you read this one: http://fuzion24.github.io/android/obfuscation/ndk/llvm/o-llvm/2014/07/27/android-obfuscation-o-llvm-ndk/ ? – jaroslawj Mar 05 '15 at 06:06

Is it possible to decode native code compiled

No.

is it possible from the apk to reconstruct the project

Yes, a lot of it. Extracting .class files is easy, decompiling mostly too. An obfuscation step in your build process will make this a lot more difficult.

However, constant values and initializers are very easy to come by from a compiled class. Don't try something like `private static String SECRET = "sesame123";`. This is not at all difficult to reverse engineer. - The same is, by the way, valid for .so files too.

is it possible to use the .so files in the apk file again to reconstruct the project

No.

It depends on what you mean with "project". The functions and signatures of your native library are probably easy to recover from the corresponding (compiled) Java class in any case. The (source-)code is basically "lost" for good after compilation to native code. If someone knows how to use your shared library though (easy to figure out, see above), he would be able to use it in whatever app he likes.

To sum it up:

a) The source code cannot be reconstructed from compiled native code.

b) Java source is much easier to reconstruct from compiled .class files; obfuscation of the code can make it harder.

c) Any functionality your app may have, native or not, can quite easily be extracted and exploited by another app the attacker may write.

See also: http://en.wikipedia.org/wiki/Security_through_obscurity

JimmyB
  • "The source code cannot be reconstructed from compiled native code" -- while the original source code is lost, there certainly are native (machine) code decompilers. See http://reverseengineering.stackexchange.com/questions/311/why-are-machine-code-decompilers-less-capable-than-for-example-those-for-the-clr. – CommonsWare Mar 04 '15 at 20:41
  • Yes, those are there. - Yet, with an aggressively optimizing compiler like gcc with `O3`, decompilation is bound to fail - or rather: It yields hardly more than dis*assembling*. – JimmyB Mar 04 '15 at 20:46
  • Oh, agreed. It is *harder* to decompile/disassemble and *harder* to mess with that way, but "harder" != "cannot". – CommonsWare Mar 04 '15 at 20:51
  • Thank you for all the notes and recommendation you provided. –  Mar 04 '15 at 21:36

Is it possible to decode native code compiled and linked to Android through the NDK?

One can disassemble; there are C/C++ decompilers, but for really complex code they are nearly useless.

and is it possible from the apk to reconstruct the project and import it to eclipse (or any other IDE)?

It is possible to baksmali (disassemble) an .apk, to fix something in it, and to smali (assemble) it again. One can substitute some function calls by other function calls, and one can add new classes.

Decompiling to Java is also possible, but the code likely will not compile, so it is rather about analysis than about modification.

Obfuscated code is still readable, provided that they invest some effort in analysis.

You can obfuscate the code, but they will see icons, they will find the resource ids, and they will find the onClick() button handlers.

is it possible to use the .so files in the apk file again to reconstruct the project or with another project if the java native function declaration is done appropriately?

They will have no problem with using .so as-is with another project (unless someone asks them to fix a bug in that .so). In the same way, they can make a .jar from your .apk and use that .jar as a library with another project.

In general, a .so is a bit more difficult to tinker with than a .jar.

SHM
18446744073709551615
  • Is there any way to prevent someone from using my code as a jar file, for example, and republishing it? Like reporting it to Google? –  Mar 06 '15 at 10:41
  • Since humans are more ingenious than robots, no, at least not automatically. You can only make it more difficult. But you can monitor the competitor's products and if you see some packages/classes/functions, like `com.package.hjh.Gjkjsfdl.jdsfgshhdfghj(String, String)` (no normal person would ever use such a function name), you can report the misuse. The easiest way is to use a specific log message when the app initializes. – 18446744073709551615 Mar 06 '15 at 10:50

is it possible from the apk to reconstruct the project and import it to eclipse (or any other IDE)?

This can be done by dex decompilers and apk resource extractors.

Is it possible to decode native code compiled and linked to Android through the NDK?

is it possible to use the .so files in the apk file again to reconstruct the project or with another project if the java native function declaration is done appropriately?

Once you get the shared object, you can include it in your own project. You can dump the global symbols of the library and learn its usage via the decompiled Java code. However, if the shared object is built against a specific architecture, you might not be able to rebuild it across other platforms.

Efe Kahraman
  • The NDK builds for 7 or 8 archs. This means it is possible that those generated `.so` files will be used in any project. –  Mar 04 '15 at 21:40
  • I thought about making my native code do some checking on package names and crash if they are changed. Would that help? –  Mar 04 '15 at 21:41
  • Probably. You can check your apk validity through native code. This question can help you : http://stackoverflow.com/questions/15025304/check-apk-signature-in-c-native-code – Efe Kahraman Mar 05 '15 at 07:11
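
What the answers above mean by learning a library's usage from its symbols, as an added example that is not code from this thread: JNI-exported function names encode the Java package, class and method, so decoding them shows what a shipped `.so` tells anyone who lists its exports. The sample bytes and every `com.example.app` name are constructed for illustration.

```python
import re

# JNI name-mangling escapes (JNI spec, "Resolving Native Method Names").
_ESCAPES = {"1": "_", "2": ";", "3": "["}
_HEX4 = re.compile(r"[0-9a-f]{4}")

def _split(body):
    """Split a mangled name on separator underscores, undoing escapes."""
    parts, cur, i = [], [], 0
    while i < len(body):
        ch, nxt = body[i], body[i + 1:i + 2]
        if ch != "_":
            cur.append(ch); i += 1
        elif nxt in _ESCAPES:                      # _1 -> "_", _2 -> ";", _3 -> "["
            cur.append(_ESCAPES[nxt]); i += 2
        elif nxt == "0" and _HEX4.fullmatch(body[i + 2:i + 6]):
            cur.append(chr(int(body[i + 2:i + 6], 16))); i += 6   # _0xxxx
        else:                                      # plain separator
            parts.append("".join(cur)); cur = []; i += 1
    parts.append("".join(cur))
    return parts

def decode_jni_symbol(sym):
    """Return class, method and (for overloads) the argument descriptor."""
    if not sym.startswith("Java_"):
        return None
    parts, args = _split(sym[len("Java_"):]), None
    if "" in parts:                                # "__" starts the arg signature
        cut = parts.index("")
        args, parts = "/".join(parts[cut + 1:]), parts[:cut]
    if len(parts) < 2:
        return None
    return {"class": ".".join(parts[:-1]), "method": parts[-1], "args": args}

def audit_exports(blob):
    """Decode every Java_* name found in the raw bytes of a library."""
    names = sorted(set(re.findall(rb"Java_[A-Za-z0-9_]+", blob)))
    return [decode_jni_symbol(n.decode("ascii")) for n in names]

# Constructed sample: a fragment of a symbol string table, not a real library.
SAMPLE = (b"\x00JNI_OnLoad\x00"
          b"Java_com_example_app_NativeLib_checkLicense\x00"
          b"Java_com_example_app_NativeLib_verify__Ljava_lang_String_2I\x00"
          b"Java_com_example_app_Outer_00024Inner_is_1debug\x00")

if __name__ == "__main__":
    for entry in audit_exports(SAMPLE):
        print(entry)
```

Registering native methods with `RegisterNatives` from `JNI_OnLoad` and building with `-fvisibility=hidden` removes these exported names, although the method names and signatures passed to `RegisterNatives` still appear in the library as string constants.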