
I recently heard of a software security company that makes your code hack-proof in terms of reverse engineering and code modification. Their technique is this:

They insert checksums in multiple check points in the code that secure the code between them. As the code flow is executed at every checkpoint the checksum is checked and if the code has been tampered with then the checksum fails and you know there has been code modification. If a checkpoint is removed then the next checkpoint will also fail because a checkpoint has been removed.

To buy their services would be completely out of budget for my project (an Android application); however, I would like to implement that technique on my own.

Could someone offer some insight on how something like this could be implemented? Also, if there are other methods that one could use to prevent code modification, please share.

(Just to clarify, I'm aware of obfuscation, weird misleading code logic, and writing fake methods to further make the code difficult to read, and will apply these methods too.)

Anonymous
  • An attacker would simply remove all the checksum tests. Identifying those, removing them, and recompiling the balance is unlikely to be especially difficult for a skilled attacker. "Also if there are other methods that one could use to prevent code modification please share" -- don't write anything that runs on the client. – CommonsWare Mar 16 '17 at 18:18
  • Well, I just described the basic idea... obviously that company has implemented it in such a way that makes it unbreakable (or nearly unbreakable), but I don't know the inner workings. They have clients like banks and credit card companies, so I'm guessing they're worth their money – Anonymous Mar 16 '17 at 18:25
  • You'd be guessing wrong. You'd be shocked at how much useless snake oil is bought because some non-technical manager got excited over vaporware. – Gabe Sechan Mar 16 '17 at 18:26
  • There is no way to protect yourself completely from reverse engineering, because eventually your app has to be decompiled to bytecode/assembly language that is run by the processor. If nothing else, it's vulnerable at that point. You can put in speed bumps, but that's it. And honestly those are of dubious use. – Gabe Sechan Mar 16 '17 at 18:28
  • At the very least it would make it much more difficult...My app will not hold CIA secrets so I don't think someone will go through all this trouble just to disable in app purchases of 1$ – Anonymous Mar 16 '17 at 18:30
  • You're worried about the wrong things. If you have some amazing new algorithm, patent it. That's your protection. If not, then there is nothing in your app difficult enough to recreate to be worth protecting. Instead you should worry about protecting your data, which is more about correct use of encryption/authentication/authorization and design of your dataflow than anything else. The idea isn't to make it impossible to reverse engineer (which won't work anyway), it's to make it so that even if they do it gets them nothing because the data is safe. – Gabe Sechan Mar 16 '17 at 18:31
  • More importantly, to paraphrase Tim O'Reilly, your problem is not piracy, but obscurity. You can spend countless hours inventing some scheme to stop those who might crack your app and avoid the in-app purchases, or you can spend that time marketing the app to the people who will actually pay for it. – CommonsWare Mar 16 '17 at 18:33
  • No there is no breakthrough algorithm in there...Just trying to avoid having my app cracked and uploaded to use without paying for the premium features.... – Anonymous Mar 16 '17 at 18:34

2 Answers


prevent code modification techniques

There is not any trick for complete avoidance of reverse engineering.

You basically can't protect your application from being modified. And any protection you put in there can be disabled/removed. If you have the option of including shared libraries, you can include the needed code in C++ to verify file sizes, integration, etc.

Darish
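The chained-checkpoint scheme described in the question, sketched in C as it could sit in a native library of the kind the answer above mentions. This is an added example, not code from the posts or from the company mentioned; `chain_hash`, `seal`, `verify`, `demo` and the 48-byte image are hypothetical, and FNV-1a is a stand-in for a real hash.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* FNV-1a seeded with the previous checkpoint's value, so checks form a chain.
   Stand-in for a real hash such as SHA-256; FNV is not collision resistant. */
static uint32_t chain_hash(uint32_t seed, const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u ^ seed;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

typedef struct { size_t start, len; uint32_t expected; } checkpoint_t;

/* Build time: record the expected chained value for each protected region. */
static void seal(const uint8_t *img, checkpoint_t *cp, size_t n) {
    uint32_t state = 0;
    for (size_t i = 0; i < n; i++) {
        state = chain_hash(state, img + cp[i].start, cp[i].len);
        cp[i].expected = state;
    }
}

/* Run time: walk the checkpoints in order. Bit i of skip_mask models
   checkpoint i having been removed, so it never advances the running state.
   Returns the index of the first failing checkpoint, or -1 if all pass. */
static int verify(const uint8_t *img, const checkpoint_t *cp, size_t n,
                  unsigned skip_mask) {
    uint32_t state = 0;
    for (size_t i = 0; i < n; i++) {
        if (skip_mask & (1u << i)) continue;
        state = chain_hash(state, img + cp[i].start, cp[i].len);
        if (state != cp[i].expected) return (int)i;
    }
    return -1;
}

/* Constructed 48-byte "code image" split into three 16-byte regions. */
int demo(int tamper_at, unsigned skip_mask) {
    uint8_t img[48];
    for (size_t i = 0; i < sizeof img; i++) img[i] = (uint8_t)(i * 7 + 3);
    checkpoint_t cp[3] = { {0, 16, 0}, {16, 16, 0}, {32, 16, 0} };
    seal(img, cp, 3);
    if (tamper_at >= 0) img[tamper_at] ^= 0x01; /* flip one bit after sealing */
    return verify(img, cp, 3, skip_mask);
}

int main(void) {
    printf("%d %d %d\n", demo(-1, 0), demo(20, 0), demo(-1, 0x2));
    return 0;
}
```

Each checkpoint's expected value depends on the running state left by the one before it, which is why a missing checkpoint shows up as a failure at the next one.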

Hack-proof is a very loosely defined term. Even if you implement checksums on various portions of your code, there are many other exploits that you need to be aware of that would be outside of modifying the source code, like injection, authentication, etc. My recommendation to you is to worry less about how to prevent someone from modifying your code and focus more on protecting the vulnerable areas if they were to modify your source code, including hashed and salted passwords, encrypted data transfer, etc.

Preston Martin