Hello guys
Hello guys,
It is very interesting, I was afraid about how to hide private REST API calls from Android binary decompilation (since this type of reverse-engineering is successful for many applications hosted at Google Play), but Delphi built applications are immune to APK decompilation once there is no Java code generated into classes.dex, tools such as ShowJava, jadx, Android APK Decompiler are not able to catch any usable code from the logic of your application. Your application is more safe than Android JDK (traditional way) built ones and Xamarin built ones which also suffer on similar problem (these apps have a *.dll file attached into *.apk that contains the .NET's IL code, the tool ILSpy easily shows the decompiled C# code).
It is very interesting, I was afraid about how to hide private REST API calls from Android binary decompilation (since this type of reverse-engineering is successful for many applications hosted at Google Play), but Delphi built applications are immune to APK decompilation once there is no Java code generated into classes.dex, tools such as ShowJava, jadx, Android APK Decompiler are not able to catch any usable code from the logic of your application. Your application is more safe than Android JDK (traditional way) built ones and Xamarin built ones which also suffer on similar problem (these apps have a *.dll file attached into *.apk that contains the .NET's IL code, the tool ILSpy easily shows the decompiled C# code).
Decompiling is the least of your worries if you use unsafe private APIs, as that would be taking the hard way.
ReplyDeleteThe much, much simple way would be to just use tools like wireshark or fiddler, and code obfuscation will not help you in the least vs those, only proper encryption would (and proper encryption is not reliant on obfuscation)
Having compiled binary code offers some security advantage, also because of the runtime has security issues (remember Java?) your application is not affected. But Eric Grange is absolutely right, HTTP communication can be intercepted. HTTPS, if properly implemented, could protect you a bit more.
ReplyDeleteMarco Cantù yes, https, and generally speaking going through OS APIs that are protected is the way to go.
ReplyDeletePretty much any communication you do on the application-side will be vulnerable in ways that will not even involve decompiling. Compiled binaries will help protect your algorithms, but will not protect your communications, secret keys, private APIs, certificates etc.
And the most sensitive operations should ideally target the TEE (https://en.wikipedia.org/wiki/Trusted_execution_environment), which is running outside the mobile OS itself.