-3

I'm trying to develop an app with self-encryption for android.

The idea is following:

  • app should perform it functions (for example display "Hello world!") but...
  • the app code stored fully (partially) encrypted, i.e. "all what can be encrypted should be encrypted", so it can not be read by simple disassembling in a right way (i.e. it is literally encrypted (by AES for example) so it is represented to system as a number of random commands/symbols or smth. incorrect).
  • the "part" of the app should be decrypted before execution;
  • unused "parts" of the app should be decrypted after usage;
  • all operations mentioned above should be done by app itself.

So the core idea is self-encryption.

I know what is obfuscation so please don't mention it. The same thing with any side apps. I'm not going to spend all rest of my life in reverse-engineering))). So...

  • What is the right way to self-encrypt Android (JAVA) code?
  • How can be implemented the algorithm mentioned above?
  • Please provide any code snippets if u are able to do such things OR any links/information/articles/pseudocode/ideas

I thing the idea is great and really interesting, plus many people will be glad to know how to protect their apps.

[EDITED] Thanks @Pace and @JimmyB for custom ClassLoader idea. I'll try to implement it. Also my thanks to @xalo which proposed metamorphic engine concept, I'll dig into this theme because i think it will satisfy my goal to a greater extent.

Lil Bro
  • 236
  • 1
  • 7
  • This question is too broad for this site. You would probably want to create a custom classloader. – Pace Oct 19 '17 at 15:32
  • You can look into using/implementing a custom [`ClassLoader`](https://developer.android.com/reference/java/lang/ClassLoader.html) which decrypts classes as they are loaded. However, *if* your app can 'decrypt' the code, so can any attacker/hacker. – JimmyB Oct 19 '17 at 15:45
  • Thank you guys for a custom ClassLoader idea. And now i understand that my question is really too broad ((( – Lil Bro Oct 20 '17 at 08:05

1 Answers1

2

You shouldn't try to self-encrypt your app, it will add a lot of complexity for not so many protection.

In fact, hacker just have to reverse your decryption routine or to dump memory once the app is running.

Best way to protect against reversing as Java/Android app is obfuscation.

You can also look into remote metamorphic engine concept https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEFCON-24-Amro-Abdelgawad-The-Remote-Metamorphic-Engine.pdf

xalo
  • 285
  • 1
  • 10
  • Yeah, you are right. The hacker can dump memory every time the app is running. I forgot to tell that it was supposed that user has unrooted device and there is no way to run encrypted app without a permission (from server for example). So encrypting should save the situation to protect copied files from disassembling. Am i right? – Lil Bro Oct 20 '17 at 08:03