Java
Evgeny Kumanin, 2018-10-05 10:14:21

How to hide an algorithm from a disassembler?

The task in a nutshell.
There is an application in the Play Market; its main part is a regular application whose code does not contain any valuable information. This application also has an interface:

public interface IEncoder {
    byte [] encode(int id1, int id2, Context context) throws Exception;
}

The class that implements this interface must be hidden so that its algorithm cannot be viewed. This class generates a key according to a certain algorithm (AES 128), and with this key we encrypt id1 + id2 + random() and pass this string to a device that uses a key generated by the same algorithm, decrypts the data with this key and, if the sequence matches, performs certain actions.
Possible solution:
The algorithm is generated on the server (jar file or class) and transferred to the application in encrypted form. The application downloads this file and decrypts it before execution. The main problem is where to write the key to decrypt this class so that the user cannot get this key.


4 answer(s)
OnYourLips, 2018-10-05
@OnYourLips

Security through obscurity, especially unprofessionally done, will not lead to anything good.
Move part of the logic to the server, do not trust the client.

CityCat4, 2018-10-05
@CityCat4

Security through obscurity usually leads to the fact that someone straightforward, with a lot of time and desire (the ideal intruder is motivated, prepared, provided with time :) ), hacks this algorithm of yours and then laughs all over ...

jacob1237, 2018-10-05
@jacob1237

If you want to "hide" the implementation of the algorithm, it's best to do it on the server. In this case, you will need to send only one request with a minimum amount of data (via a secure channel).
As an alternative transport option, you can use SMS: the application will send an encrypted SMS to a specific number, and at the other end, the server will process the SMS and send back the same encrypted SMS, which will contain the key.
If none of these options are suitable, it is best to write an implementation of the algorithm in C (as already advised above), but C can also be decompiled if you really want to. Software like IDA Pro solves such problems with a bang.
The only way to somehow hide and complicate disassembly is to use various binary code obfuscation techniques. This topic is especially popular among virus writers. They use so-called "cryptors", one variety of which is the polymorphic cryptor. In a polymorphic cryptor, virtualization is often used to protect the code from analysis by an antivirus. In other words, you must write a virtual machine for which you will compile your algorithm. In this case, the code will be executed by a virtual machine, and the source code of the algorithm cannot be decompiled without knowledge of the VM's design. In order not to write everything yourself from scratch, look at these links and google virtualization obfuscation:
vmpsoft.com - software that does exactly what you need
https://oreans.com/codevirtualizer.php - similar software
https://www.reddit.com/r/ReverseEngineering/commen...
https://github.com/fritzone/obfy - small C++ framework for code obfuscation.
In general, all these options (except for the option with requests to the server) will not provide 100% protection against code decompilation.
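
The server-side option recommended in the answers above, as an added example that is not part of the original thread: the AES-128 key exists only on the server and on the device, and the app just relays an opaque token. The class name, the AES-GCM mode, the token layout and the demo key are assumptions; the question specifies none of them.

```java
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical class: replaces the in-app IEncoder implementation with a server call.
public class ServerSideEncoder {
    private static final SecureRandom RNG = new SecureRandom();
    private final SecretKeySpec key; // 16 bytes = AES-128; never shipped inside the APK

    ServerSideEncoder(byte[] rawKey) { this.key = new SecretKeySpec(rawKey, "AES"); }

    // Server side: runs in the request handler; the app receives only the returned bytes.
    byte[] encode(int id1, int id2) throws GeneralSecurityException {
        byte[] iv = new byte[12];
        RNG.nextBytes(iv);
        // id1 + id2 + random(), as in the question (4 + 4 + 8 bytes)
        byte[] plain = ByteBuffer.allocate(16).putInt(id1).putInt(id2).putLong(RNG.nextLong()).array();
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding"); // mode is an assumption
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain); // ciphertext followed by the 16-byte tag
        return ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
    }

    // Device side: decrypts with the same key and checks that the ids match.
    boolean accept(byte[] token, int id1, int id2) {
        try {
            if (token.length != 12 + 16 + 16) return false; // IV + plaintext + tag
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, token, 0, 12));
            ByteBuffer p = ByteBuffer.wrap(c.doFinal(token, 12, token.length - 12));
            int gotId1 = p.getInt(), gotId2 = p.getInt();
            return gotId1 == id1 && gotId2 == id2;
        } catch (GeneralSecurityException e) {
            return false; // tag check failed: token altered or made with another key
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] demoKey = new byte[16]; // constructed demo key, generated at run time
        RNG.nextBytes(demoKey);
        ServerSideEncoder s = new ServerSideEncoder(demoKey);
        byte[] token = s.encode(42, 7);
        System.out.println("valid token accepted: " + s.accept(token, 42, 7));
        token[20] ^= 1; // flip one ciphertext bit, as a tampering relay might
        System.out.println("tampered token accepted: " + s.accept(token, 42, 7));
    }
}
```

Decompiling the app then yields only the code that forwards id1 and id2 over the secure channel and passes the token on to the device.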

stul5tul, 2018-10-05
@stul5tul

Hook up a binary library made with the Android NDK.
The code is written in C/C++/Go, etc.
It can also be disassembled, but that is already much more complicated than with code for the JVM.
