Reverse Engineering Apps. A Primer


Reverse engineering is a pretty cool concept.  Someone builds something, you want to see how they did it, so you take it apart and see how it was put together in the first place.   It can be a great way to learn, and it pushes technological progress forward.  But there’s also a dangerous side to it.

Reverse engineering done with malicious intent can lead to copyright infringement or other damages.  The line between what is ethical and what isn’t is a fine one, and that doesn’t change inside the Android world.  Reverse engineering is common there, and developers should always account for it when building apps and make sure they’re taking the necessary precautions.

The term for reverse engineering an app is “decompiling”, and what you’re decompiling is an APK (Android Package Kit).  This is essentially just a .zip file that stores our app’s code.  You build an APK when you compile your code, and you use that APK to upload the app onto the Google Play Store.  This is then what users around the world download onto their devices.  And if they’re tech-savvy enough, they can open up this APK and see what’s inside.

Why Decompile?

Let’s take a second to think about a couple of reasons why we would want to decompile our APKs.  One possibility is that we’ve misplaced our source code and are hoping to recover it.  If this were the case, we could decompile our app from a phone it was already on.  Note that this has its limitations, as the decompiled code will not be exactly the same as the original.  Some parts will be lost along the way, so make sure you save your code on GitHub!

Another possible reason for decompiling an app would be to evaluate its security.  If you’re able to see things you want to keep private simply by decompiling an app, other people can too.  And chances are they won’t always be decompiling for educational purposes.  I’ll be following up on this blog shortly with another one going more in depth on how to properly hide secrets in your apps.
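As an added example (not part of the original post), here is one way to run that security check on your own build: open the APK as the .zip file it is, list what ships inside, and flag byte patterns that look like hardcoded secrets.  The pattern set, the function names and the in-memory sample APK are constructed assumptions; a real APK stores its manifest as binary XML, so a raw byte scan like this is only a first pass.

```python
import io
import re
import zipfile

# Illustrative patterns for secrets that tend to end up inside packages.
# This set is an assumption for the example, not an exhaustive rule list.
SECRET_PATTERNS = {
    "google_api_key": re.compile(rb"AIza[0-9A-Za-z_\-]{35}"),
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "assigned_secret": re.compile(
        rb"(?i)(?:api[_-]?key|secret|passw(?:or)?d|token)\s*[=:]\s*[\"']?[^\s\"']{8,}"
    ),
}


def audit_apk(apk_file):
    """Return (entry names, findings) for an APK given as a path or file object."""
    findings = []
    with zipfile.ZipFile(apk_file) as apk:  # an APK opens like any other .zip
        names = apk.namelist()
        for name in names:
            data = apk.read(name)
            for label, pattern in SECRET_PATTERNS.items():
                for match in pattern.finditer(data):
                    # Record where the hit is, not the value, so the
                    # audit output does not become a second leak.
                    findings.append((name, label, match.start()))
    return names, findings


def build_sample_apk():
    """Constructed stand-in for a real APK: same container, fake contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='com.example.demo'/>")
        fake_dex = b"dex\n035\x00" + b"\x00" * 16 + b"api_key=EXAMPLEONLY1234567890\x00"
        z.writestr("classes.dex", fake_dex)
        z.writestr("assets/config.json", b'{"endpoint": "https://api.example.invalid"}')
        z.writestr("res/raw/notes.txt", b"nothing sensitive here")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    names, findings = audit_apk(build_sample_apk())
    print("entries:", names)
    for entry, label, offset in findings:
        print(f"{entry}: {label} at byte offset {offset}")
```

Pass the path of your own release APK to `audit_apk` in place of the sample; any finding is a value that should move off the device or be rotated.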

And of course there’s always decompiling for modding purposes.  If you reverse engineer an app and put it back together how you want, then you can add new features or customize how things behave.  Here’s where I throw in a disclaimer that you should make sure you’re a law-abiding citizen while doing these things.  Lots of companies/developers would be very unhappy to hear that someone is decompiling their apps to make monetary gains.

How To Decompile?

The good news is that if you want to decompile apps on your own, you absolutely can!  You’ll need to download a popular tool known as apktool, and also make sure you have Java set up on your computer.  Here’s a great video showing how to use apktool to theme and edit Android apps.

 

Want to know more about decompiling apps?  Don’t worry, we’ll be writing lots more on it soon, but in the meantime let us know what you want to know in the comments below!

Malicious Apps: Mining Your Own Business


Whether you know it or not, you may be an investor in bitcoin.  Ok, that’s not entirely true.  But your phone may have helped someone else mine it without your consent.

Researchers at Kaspersky Lab, a cybersecurity company, have recently found multiple “mining” apps on the Google Play Store that are disguised otherwise.  Apps hiding under the mask of games or streaming apps have secretly been using smartphone processors to mine cryptocurrency without the user’s knowledge.

Mining in Smartphones

Thanks to its recent news hype, most people are familiar with the concept of cryptocurrencies such as Bitcoin and how it’s mined.   There’s no physical digging, but instead users are rewarded the currency in return for processing transactions and updating the blockchain ledger.  And since processing transactions takes hardware and electricity, the more technology you have at your disposal, the more currency you can earn.  This has resulted in giants entering the business and consolidating massive amounts of hardware in warehouses.

Smartphone processors are not as powerful as their desktop counterparts, but when one app is able to tap into thousands of them, the results are still significant.  Kaspersky Lab has found multiple apps with this affliction, some of which have been downloaded more than 100,000 times.  Some of these apps are even programmed to keep tabs on how much processing power they’re using so as to easily fly under the radar of the average user.

Google’s response

Google has since removed the known abusers of this tactic, but it’s hard to say how many apps are in public hands right now doing the same thing.  It also seems that the betrayal of trust isn’t the only underlying issue here.  Recently Google announced that it would remove any and all mining extensions in the Chrome Web Store, regardless of whether users were aware of what they were doing or whether the extensions were legitimate.  The question remains whether this policy will expand into the Google Play Store, but I think it’s safe to assume it’s only a matter of time before it does.

And until then the question becomes how to avoid these kinds of apps.  Right now from a development standpoint there are no permissions that must be accounted for in relation to mining, so there doesn’t seem to be much security that can block these kinds of apps (other than mindful downloading).

What are your thoughts on your phone being used as a mining tool without your consent or knowledge?  Do you have any thoughts on how to prevent this?  Let us know in the comments below!

Building Your First Augmented Reality App


We’ve talked before about how influential augmented reality is going to be in the future.  What we didn’t mention is how easy it can be to take part in shaping that future.  Over the course of the next two posts we’ll show how to incorporate AR into an app, and when it’s all said and done we’ll be able to look at a virtual elephant in the real world.

It’s not too complicated as far as subject material goes, but there are a couple of steps involved, so we’ll split this into two pieces: gathering our resources and then putting them into action.

Before we do any work though, let’s take a second to discuss the bigger picture of what we’ll be doing here.  If you’ve ever experimented with game development, then you’ve probably heard of Unity.  If not, then some things in this tutorial may seem a little confusing at first (but far from impossible!).  Unity is a development environment where developers can make 2D and 3D games, and we’ll be using it here to host our augmented reality app.  Click here to download Unity, and when you do, make sure that you include the Android/iOS and Vuforia plugins.

We all know about Android and iOS, but odds are Vuforia is a new name.  Vuforia is a popular AR platform that allows us to use image targeting in our apps.  Essentially all we have to do is pick a 3D model and an image.  Vuforia will then root our 3D model to any images it sees in the real world.

For example, in this app we’ll be using a 3D model of an elephant made with Blender, and the image will be a $1 bill.  With this combination, any time our app’s camera finds a dollar bill in the real world, it will place the 3D model on top of it.  The result is the title image of this post.

Ok, that’s enough background.  Let’s jump into the actual setup.  Use the above link to download Unity if you don’t already have it, and then go to developer.Vuforia.com and create an account.  After you’ve made an account, click on the develop tab and then click to create a new license key.  You can name this anything you want, but as you can see in this image I chose “VuforiaElephant” as my name.

After creating the license key you’ll be able to click on it and see a string of random characters representing it.  Copy and paste this value; we’ll be using it later in this tutorial. 

We create this license key so that our app in Unity will be able to connect to our Vuforia account.  Now for the second step we’ll need to create a database inside of Vuforia to hold our dollar bill image.  Change your selection from License Manager to Target Manager and then add a new database.  I’ve named mine “DollarElephant”.  Inside of this database we’ll click “Add Target” to add a new target.  Pull any image of a dollar bill from Google Images and add it here.  Then set its width value to 5 and give it a name (dollarTarget is just fine).

When you’re done with this click to download the database, and that’s everything we’ll need to do in Vuforia.  Before moving into Unity let’s also get the 3D model of an elephant we want to use.  Click here to download the elephant made by sagarkalbande (and feel free to try this out with a different model).  Save this file onto your computer and now let’s move into Unity.

If you’re feeling overwhelmed right now, don’t worry, we’re not going to do much else in this first part.  For now let’s open Unity and create a new project named “VuforiaElephant”.  Go to “File”, then “Build Settings” and select Android as your Platform.  After making this change the little Unity cube should appear next to Android.

Finally inside of the Build Settings window click on “Player Settings” and a bar of options will appear on the right side of your screen showing setting options.  Open the tab that says “XR Settings” and check the box that adds Vuforia Augmented Reality to our project.  Go ahead and import the settings that Unity says it needs to add, and now we’re ready to start the fun stuff.

If you’ve made it this far down the blog, then good work sticking through the dry steps.  We created a Vuforia account, made a license key, and selected a dollar bill as our image target.  Then we downloaded our elephant 3D model and created a new project in Unity.

So now we just have to make the connection inside of our Unity app between the dollar and the elephant.  Stay tuned for the second part of this tutorial in the next few days and we’ll finish out the project so that everyone can have their own virtual elephant!
