[android-developers] Re: APKTool - decoding our apps
As the author of smali/baksmali (which apktool uses in the background) I wanted to chime in on this thread. I personally in no way condone using my tools for piracy, although I obviously can't restrict them from being used for that purpose. As many people in this thread have pointed out, there are many valid uses for assemblers/disassemblers. I'll try not to reiterate what others have already said in that vein, but I will add that having the ability to read, understand and modify an app can be invaluable. A quote that is commonly applied to electronics comes to mind If you can't open it, you don't own it. smali/baksmali is the screwdriver :) JesusFreke On May 11, 10:28 am, André pha...@hotmail.com wrote: Hello, I stumbled across this program on the web: http://code.google.com/p/android-apktool/ And realized that it works pretty well. I can decode the programs I've made from the apk files. I can't really say I like that. Does anyone know of a way create the apk file without having programs like this being able to decode and open them? -André -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group athttp://groups.google.com/group/android-developers?hl=en -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
[android-developers] Re: APKTool - decoding our apps
On 13 Mai, 19:17, Jay Gischer j...@gischer.net wrote: Let's say then, that someone comes out with a really nice way to handle some ui issues. It's very likely that they spent quite a bit of time evolving those ideas, trying things and throwing away a lot of things that didn't work. Sure, these ideas, this design, can be imitated, but writing the app that imitates them takes a lot of work. Unless someone uses your tool. In essence, your tool allows someone to pretend that they did work that was in fact done by someone else. It's cheaper for big company ( where money is) to hire this developer, than to reengeneer his work. And small ones (without money) do not have any money to extract from them. -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
[android-developers] Re: APKTool - decoding our apps
On 13 Mai, 20:21, Greg Donald gdon...@gmail.com wrote: So when someone gets murdered with a gun, you blame the gun manufacturer? American civil law system allows you to do this. Not sure though there was some success When someone breaks into your house, you blame the window manufacturer the crook climbed in through, or the crowbar he smashed your door lock with? It depends on promisses of window manufacturer. It this was shatterproof window designed to stand bazooka then I will blame manufacturer -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
[android-developers] Re: APKTool - decoding our apps
On May 14, 6:38 am, Kumar Bibek coomar@gmail.com wrote: Good USE !!! that was funny... lol Bad people think that every person is similar to them, so they just don't believe anyone could do some good thing. This is your problem. lololololol... -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
Re: [android-developers] Re: APKTool - decoding our apps
On Fri, May 14, 2010 at 1:39 AM, ko5tik kpriblo...@yahoo.com wrote: It depends on promisses of window manufacturer. It this was shatterproof window designed to stand bazooka then I will blame manufacturer Exactly.. Java is compiled to bytecode with zero promises of being protected against decompilation, and as I already mentioned in this thread, it also fully supports reflection. If you want any sort of assurances against decompilation you should seek out a new language compiler. Personally I don't know of any that would suite your needs since decompilers exist for most everything these days. -- Greg Donald destiney.com | gregdonald.com -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
[android-developers] Re: APKTool - decoding our apps
On May 14, 2:10 pm, Greg Donald gdon...@gmail.com wrote: Exactly.. Java is compiled to bytecode with zero promises of being protected against decompilation, and as I already mentioned in this thread, it also fully supports reflection. Yeah, I am terrified of all these Eclipse, Netbeans and other piracy tools. They don't only give you possibility to link your code against 3rd party, compiled code, but they also give you hints and auto- completing to help you using it :-/ -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
[android-developers] Re: APKTool - decoding our apps
This whole thread is making me see red, thanks to people spouting off without knowing what they're talking about. I guess it's just an emotional topic. I was going to make the same point as you about Reengineering itself is an illegal use. But since you beat me to it, I'll point out that there are exceptions, both internationally, and under DCMA. And it violates many licenses -- though whether those terms are enforceable is dubious at best. But your core point is correct. This is NOT an inherently illegal OR immoral activity. That's pure fantasy. In no other field would anybody even dream such a thing, but for some reason, this field, it's a common fantasy, and occasional reality. The root problem here, I believe, is that a lot of developers have completely unrealistic expectations of how hard it is to reverse engineer something. -o2 compiled NDK code? Hah. People have reverse engineered entire operating systems, both from optimized high-level code and hand-coded assembler. Proguard is a good thing. It does a LOT more than just rename things, it also optimizes the byte codes, in ways that make it harder for decompilers. There are a lot of reasons to use it on a mobile platform -- but speed and size top the list, and inhibiting reverse engineering is way down on the list. Even on first exposure, it's not too hard to make sense of Dalvik byte codes. If someone REALLY is seriously interested in reverse engineering your application, they can write their own tool. But reverse engineering is hard work nonetheless. It's not often done wholesale as a piracy technique. Rebranding is so much simpler. Or reverse engineering the licensing checks. The main reason *I* have used such tools with Java is to track down problems -- including a few compiler problems. More often, the answer has been that the code we thought was running, wasn't actually the code we thought was included. But by far the biggest use is to identify problems with third-party libraries -- sometimes our fault, sometimes theirs. I've used the reverse engineering tools supplied with the Android SDK to look at the resources included in Google's own non-open-source applications. Yup, pulled them right off the phone with adb and ran aapt to reconstruct the original XML content., modulo comments, etc. Ran dexdump to disassemble the code, too. All part of the sdk. And pulling apart the .apk into its pieces happens to be built into my OS, once I told it what format it was. Make no mistake -- there are black-hat tools. But this is VERY CLEARLY not one. On May 11, 10:17 am, Raymond Ingles sorceror...@gmail.com wrote: On Tue, May 11, 2010 at 12:00 PM, Nathan critter...@crittermap.com wrote: It is a tool for reengineering 3rd party, closed, binary Android apps. It is NOT intended for piracy and other non-legal uses. It could be used for localizing, adding some features or support for custom platforms and other GOOD purposes. Baloney. Reengineering itself is an illegal use. Actually, reverse engineering itself is not illegal in the United States and in many other countries. There is no GOOD purpose it should be used for. It is a piracy tool pure and simple. Interoperating with existing code, learning coding techniques (and using non-patented ones), security auditing, etc. (Don't dismiss security auditing - google up android malicious app droid09 for an example...) Now, it may well be that the authors really did intend the tool to be for piracy and not any of the legitimate uses it may be put to. But you can't conclude that simply from the fact that they produced the tool itself. Of course, application developers are free to obfuscate or otherwise make reverse engineering as difficult as they like, too. -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group athttp://groups.google.com/group/android-developers?hl=en -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
[android-developers] Re: APKTool - decoding our apps
Ryszard You should rethink, whether there is really any sense in stealing something from your app. Ideas, design and appearance could be stolen by just looking at it. Algorithms? It is really hard to analyze simple loop in smali code - it's asm, you know. If you really want to not let other people even look at your work, you should consider moving to iPhones. With this tool, you could take an existing app that took perhaps months to develop and in a day or two, change all the logos and cosmetics, and resell it as your own work. I don't say that you personally would do that, but it's certainly possible. What you are stealing is the time it took to write all those layouts and handlers and providers and so on. Let's say then, that someone comes out with a really nice way to handle some ui issues. It's very likely that they spent quite a bit of time evolving those ideas, trying things and throwing away a lot of things that didn't work. Sure, these ideas, this design, can be imitated, but writing the app that imitates them takes a lot of work. Unless someone uses your tool. In essence, your tool allows someone to pretend that they did work that was in fact done by someone else. -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
Re: [android-developers] Re: APKTool - decoding our apps
2010/5/12 Ryszard Wiśniewski brut.a...@gmail.com Hi, I'm a maker of this apktool toolchain. I want to know, what, do you think, someone could steal from your apps? Some great algorithms? From phone app? Layouts? Localization strings? I'm not against decompilers and have no problem with the apktools project. Decompilers have a lot of legitimate uses. It is clear to me, however, that such a tool could be used to decompile an app and remove options that try to protect the app. This has been a pretty big problem for a lot of developers in the Android space where no DRM is used to protect the applications. -- Shane Isbell (Founder of ZappMarket) http://twitter.com/sisbell http://twitter.com/zappstore http://zappmarket.com -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
[android-developers] Re: APKTool - decoding our apps
Yeah, I understand. What I wanted to say is Android wasn't designed to be secure. Most of things that apktool gives you are doable without it and within a reasonable time. Logos, you say? Just unzip apk file, replace some images, pack it, resign and that's it. Strings are harder, but as long as your replacement won't be longer then current value, it is simple find replace in resources.arsc file. Colors and other things in layouts are also very easy to modify directly in binary form. Voila, we've just built our own application in about 1 hour. Of course I won't say apktool does nothing ;-) It could simplify stealing, you gave good example of that in your comment. I just think no one should trust security by obscurity approach. Something is secure or it isn't. And if isn't then people shouldn't blame for this situation someone, who just see it and use it. Currently your applications could be modified without much effort and without any specialized tools, so if you are really worried about security, you should write to AOSP, don't you think? :-) And personally speaking, I could recommend you using code obfuscators. They really, really do their job - you can trust me ;-) (yeah, I'm working on some obfuscated code, but if you're curious, then no: I'm not cracking, removing some protection, stealing any ideas, code or resources, modifying credits nor reselling someone's app or any part of it) -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
Re: [android-developers] Re: APKTool - decoding our apps
On Thu, May 13, 2010 at 12:17 PM, Jay Gischer j...@gischer.net wrote: With this tool, you could take an existing app that took perhaps months to develop and in a day or two, change all the logos and cosmetics, and resell it as your own work. So when someone gets murdered with a gun, you blame the gun manufacturer? When someone breaks into your house, you blame the window manufacturer the crook climbed in through, or the crowbar he smashed your door lock with? I could go on, but hopefully now you can see the flaw in your logic. -- Greg Donald destiney.com | gregdonald.com -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
Re: [android-developers] Re: APKTool - decoding our apps
I understand why developers like Jay G. are upset but ultimately this problem lies with Google, not authors of decompilers. If the app is not encrypted on the device, hacking is dead simple. Keep in mind, DRM is patented encumbered so getting one on the device could easily drive up the cost of a handset by several dollars, which is a lot when there are millions of Android devices out there. There are many factors involved in these decisions but ultimately the cost of not implementing DRM has to be higher than the cost of doing so. Google and the handset manufacturers are not the one's that will feel the cost of this so it has to be the operators that eventually force the issue (they lose 30% of every pirated app). When getting feedback from developers for ZappMarket, piracy was always in the top three concerns they had. That is why some wanted to leave Android Market altogether. But nothing will work without Google and the handset manufacturers taking action. Solutions like SlideLock and AndAppStore licensing are susceptible to decompilers. Developers should keep in mind however, that the developing world only accounts for 4-5% of sales of applications from app markets. For example, even a 100% piracy rate in these regions would only be affecting 5% your potential sales, meaning that even if there were a proper DRM system in place, you are likely not going to see more than 5% uptick in actual sales from high piracy regions. On Thu, May 13, 2010 at 11:21 AM, Greg Donald gdon...@gmail.com wrote: On Thu, May 13, 2010 at 12:17 PM, Jay Gischer j...@gischer.net wrote: With this tool, you could take an existing app that took perhaps months to develop and in a day or two, change all the logos and cosmetics, and resell it as your own work. So when someone gets murdered with a gun, you blame the gun manufacturer? When someone breaks into your house, you blame the window manufacturer the crook climbed in through, or the crowbar he smashed your door lock with? I could go on, but hopefully now you can see the flaw in your logic. -- Greg Donald destiney.com | gregdonald.com -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.comandroid-developers%2bunsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -- Shane Isbell (Founder of ZappMarket) http://twitter.com/sisbell http://twitter.com/zappstore http://zappmarket.com -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
[android-developers] Re: APKTool - decoding our apps
I think a better analogy would be an anti-aircraft missile, you don't go deer hunting with a Stinger or SA-8, you use it to shoot down aircraft. Since this tool really has only one real purpose, to allow people to pirate code, I think the gun analogy is a bit off. On the other hand, if this person didn't provide such a tool, someone else would. It's obviously not a huge technical feat. Shane's point, that the pirated apps mostly are used in countries where the app can't be purchased are probably close to right on. In the US, I'm guessing that more than 95% of the users wouldn't know how to get a pirated app or would be afraid (and rightfully so) that some sort of malware or virus would be hitch hiking on that free app they just downloaded. -John Coryat On May 13, 1:21 pm, Greg Donald gdon...@gmail.com wrote: On Thu, May 13, 2010 at 12:17 PM, Jay Gischer j...@gischer.net wrote: With this tool, you could take an existing app that took perhaps months to develop and in a day or two, change all the logos and cosmetics, and resell it as your own work. So when someone gets murdered with a gun, you blame the gun manufacturer? When someone breaks into your house, you blame the window manufacturer the crook climbed in through, or the crowbar he smashed your door lock with? I could go on, but hopefully now you can see the flaw in your logic. -- Greg Donald destiney.com | gregdonald.com -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group athttp://groups.google.com/group/android-developers?hl=en -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
Re: [android-developers] Re: APKTool - decoding our apps
On Thu, May 13, 2010 at 2:34 PM, Maps.Huge.Info (Maps API Guru) cor...@gmail.com wrote: Since this tool really has only one real purpose This tool has multiple uses. Go back and read the thread. For the tool to simply exist is not a crime no matter how much you want it to be. The tool itself doesn't go out and commit crimes, it takes a criminal for that to happen. Criminals were around long before the tool was. Even if you made the tool go away you'd only be keeping the honest guy honest. It's your sort of backwards thinking that makes society have to legislate to the least common denominator. -- Greg Donald destiney.com | gregdonald.com -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
[android-developers] Re: APKTool - decoding our apps
An anti-aircraft missile has multiple purposes as well. It can be used as a hammer or paperweight, can be a really nice conversation piece in the living room or an auction item on e-bay. None of those are the real purpose though, sort of like this tool. -John Coryat On May 13, 2:46 pm, Greg Donald gdon...@gmail.com wrote: On Thu, May 13, 2010 at 2:34 PM, Maps.Huge.Info (Maps API Guru) cor...@gmail.com wrote: Since this tool really has only one real purpose This tool has multiple uses. Go back and read the thread. For the tool to simply exist is not a crime no matter how much you want it to be. The tool itself doesn't go out and commit crimes, it takes a criminal for that to happen. Criminals were around long before the tool was. Even if you made the tool go away you'd only be keeping the honest guy honest. It's your sort of backwards thinking that makes society have to legislate to the least common denominator. -- Greg Donald destiney.com | gregdonald.com -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group athttp://groups.google.com/group/android-developers?hl=en -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
Re: [android-developers] Re: APKTool - decoding our apps
On Thu, May 13, 2010 at 2:56 PM, Maps.Huge.Info (Maps API Guru) cor...@gmail.com wrote: An anti-aircraft missile has multiple purposes as well. It can be used as a hammer or paperweight, can be a really nice conversation piece in the living room or an auction item on e-bay. None of those are the real purpose though, sort of like this tool. An anti-aircraft missile's most important use is to maintain security through mutually assured destruction. In the hands of the good guys that's exactly what it does. In the hands of the bad guys it MIGHT not be used for that purpose. You don't know either way. People are NOT guilty until proven innocent no matter how much you'd like it to be that way. One of the legitimate uses of this tool is to assist white-hat hackers in finding security flaws. Android apps are mostly closed source, so I welcome any white-hat hackers who would use this tool to locate any security flaws, to make my Android experience more secure. Where do you think all the entries on securityfocus.com come from? Clue: not the bad guys. The entries come from white-hats using tools just like this one to perform reverse engineering, to audit the resulting decompilation for flaws, very often manually with their own eyeballs, in their own spare time. You don't even understand what it is you're not being thankful for. -- Greg Donald destiney.com | gregdonald.com -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
[android-developers] Re: APKTool - decoding our apps
You have an interesting analogy, though just because *you* say that the proper use for this tool is pirating code - doesn't mean it is. A missle is designed to travel, hit a target and deliver a payload. Of course you could use it as a hammer, but that's not it's purpose. Reengineering can be a practical solution. Using this to reengineering an application is the use. Yes you could also use this to pirate byte code, but that's not it's purpose. Heck, while you're at it can we start ranting about dedexer, http://dedexer.sourceforge.net/, smali/baksmali, http://code.google.com/p/smali/, and dexdump? These tools aren't new, in fact dexdump has been around since before all the devices where out and is distributed with the android source code. Yikes... Google must be supporting piracy since day one / sarcasm On May 13, 3:56 pm, Maps.Huge.Info (Maps API Guru) cor...@gmail.com wrote: An anti-aircraft missile has multiple purposes as well. It can be used as a hammer or paperweight, can be a really nice conversation piece in the living room or an auction item on e-bay. None of those are the real purpose though, sort of like this tool. -John Coryat On May 13, 2:46 pm, Greg Donald gdon...@gmail.com wrote: On Thu, May 13, 2010 at 2:34 PM, Maps.Huge.Info (Maps API Guru) cor...@gmail.com wrote: Since this tool really has only one real purpose This tool has multiple uses. Go back and read the thread. For the tool to simply exist is not a crime no matter how much you want it to be. The tool itself doesn't go out and commit crimes, it takes a criminal for that to happen. Criminals were around long before the tool was. Even if you made the tool go away you'd only be keeping the honest guy honest. It's your sort of backwards thinking that makes society have to legislate to the least common denominator. -- Greg Donald destiney.com | gregdonald.com -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group athttp://groups.google.com/group/android-developers?hl=en -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group athttp://groups.google.com/group/android-developers?hl=en -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
[android-developers] Re: APKTool - decoding our apps
On May 13, 9:34 pm, Maps.Huge.Info (Maps API Guru) cor...@gmail.com wrote: I think a better analogy would be an anti-aircraft missile, you don't go deer hunting with a Stinger or SA-8, you use it to shoot down aircraft. Since this tool really has only one real purpose, to allow people to pirate code, I think the gun analogy is a bit off. If your assumption is: piracy = evil, without any exception, then yes, you are right. But I don't agree with this. Piracy is a general term describing all activities that are against the license. I'm quite sure, that when you are backuping all of your installed apps to save you some data transfer, you are pirating some of them. But you don't feel like a bad guy then, do you? Modded HTC_IME is 100 times better than original - second one definitely lacks some features. Installing modded version is pirating, but is it really so evil? It won't take money away of HTC, will even make their app more popular - without these additional features I would probably go for BetterKeyboard. I'm interested in what people use my tool for, I google sometimes for it - that is how I found this thread. Also people ask about usage help, they report issues, request features, etc., so I have much feedback. I must say I have never found single one person using it for evil purposes. And by evil I mean: removing protection, stealing some code or resources, replacing original authors, reselling an app, etc. It was always about adding some lacking features, localizing, theming, etc. I ain't saying it was never used for evil, can't say it will never be. I'm saying that its main purpose isn't doing bad things. And this isn't just my assumption, it's observed fact. -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
[android-developers] Re: APKTool - decoding our apps
Bytecode is not possible to be secured, but there's always NDK and I really doubt someone could decompile successfully a -O2 compiled library. -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
[android-developers] Re: APKTool - decoding our apps
Good USE !!! that was funny... lol On May 14, 2:46 am, Ryszard Wiśniewski brut.a...@gmail.com wrote: On May 13, 9:34 pm, Maps.Huge.Info (Maps API Guru) cor...@gmail.com wrote: I think a better analogy would be an anti-aircraft missile, you don't go deer hunting with a Stinger or SA-8, you use it to shoot down aircraft. Since this tool really has only one real purpose, to allow people to pirate code, I think the gun analogy is a bit off. If your assumption is: piracy = evil, without any exception, then yes, you are right. But I don't agree with this. Piracy is a general term describing all activities that are against the license. I'm quite sure, that when you are backuping all of your installed apps to save you some data transfer, you are pirating some of them. But you don't feel like a bad guy then, do you? Modded HTC_IME is 100 times better than original - second one definitely lacks some features. Installing modded version is pirating, but is it really so evil? It won't take money away of HTC, will even make their app more popular - without these additional features I would probably go for BetterKeyboard. I'm interested in what people use my tool for, I google sometimes for it - that is how I found this thread. Also people ask about usage help, they report issues, request features, etc., so I have much feedback. I must say I have never found single one person using it for evil purposes. And by evil I mean: removing protection, stealing some code or resources, replacing original authors, reselling an app, etc. It was always about adding some lacking features, localizing, theming, etc. I ain't saying it was never used for evil, can't say it will never be. I'm saying that its main purpose isn't doing bad things. And this isn't just my assumption, it's observed fact. -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group athttp://groups.google.com/group/android-developers?hl=en -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
[android-developers] Re: APKTool - decoding our apps
On 11 Mai, 18:00, Nathan critter...@crittermap.com wrote: Baloney. Reengineering itself is an illegal use. There is no GOOD purpose it should be used for. It is a piracy tool pure and simple. It depends on your jurisdiction. German common law actually allowsit in some cases ( to be honest it allows a lot of funny things, for example prostitution ) -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
[android-developers] Re: APKTool - decoding our apps
Did you guys notice anything about ProGuard actually supporting encryption? Nope. It just says obfuscator. Hence why I put 'obfuscator', had I meant encryption I would have written that. Its pretty standard practice in the 'real world' to obfuscate byte code. Yes, it isn't encrypted, I have tried to decompile obfuscated byte code generated by other products before using JAD (as a test since my company was using it), and was unable to retrieve anything meaningful from it. That however was a commercial grade obfuscator, it isn't free. I still intend to run this test myself, have any of you actually tried it yet? On May 11, 9:01 pm, Greg Donald gdon...@gmail.com wrote: On Tue, May 11, 2010 at 1:03 PM, André pha...@hotmail.com wrote: That looks good. But I have no idea how to use it? I've been trying to find a tutorial for it. Have you found that? http://proguard.sourceforge.net/FAQ.html#obfuscation That means it will simply take yourNiceBigVariable names and turn them into single letter variable names. That's only secure if you work in Redmond. ProGuard will also remove debugging info, w00h00! But then who compiles production releases in debug mode? No one. Realize Java is bytecode compiled. You will never be able to fully protect it by it's very nature. The Dalvik virtual machine would have to be capable of decrypting the bytecode before any useful protection could be available. http://en.wikipedia.org/wiki/Dalvik_virtual_machine I can't find the word encrypt anywhere on the page. Google did make some sort of attempt at .apk encryption, but we actually like our apps to appear in the Marketplace, so we don't dare use it. Java also fully supports reflection. That makes writing tools to take it apart trivial. The day Dalvik encryption support is announced will be the same day work will begin to break it. Count on it. Develop your business model with that fact in mind. The only winning move is to not play. ~Joshua Or in my case, I just don't care. There will always be reversers and pirates. -- Greg Donald destiney.com | gregdonald.com -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group athttp://groups.google.com/group/android-developers?hl=en -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
Re: [android-developers] Re: APKTool - decoding our apps
On Tue, May 11, 2010 at 12:00 PM, Nathan critter...@crittermap.com wrote: It is a tool for reengineering 3rd party, closed, binary Android apps. It is NOT intended for piracy and other non-legal uses. It could be used for localizing, adding some features or support for custom platforms and other GOOD purposes. Baloney. Reengineering itself is an illegal use. Actually, reverse engineering itself is not illegal in the United States and in many other countries. There is no GOOD purpose it should be used for. It is a piracy tool pure and simple. Interoperating with existing code, learning coding techniques (and using non-patented ones), security auditing, etc. (Don't dismiss security auditing - google up android malicious app droid09 for an example...) Now, it may well be that the authors really did intend the tool to be for piracy and not any of the legitimate uses it may be put to. But you can't conclude that simply from the fact that they produced the tool itself. Of course, application developers are free to obfuscate or otherwise make reverse engineering as difficult as they like, too. -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
[android-developers] Re: APKTool - decoding our apps
Hi, I'm a maker of this apktool toolchain. I want to know, what, do you think, someone could steal from your apps? Some great algorithms? From phone app? Layouts? Localization strings? Also we shouldn't forget about the fact, that anyone could just download any app from Market and place it on his website. Android is open from the assumption, of course that doesn't mean everybody should give others their sources, but that does mean security isn't main concern. You all knew of that, when you decided to code for Android. bytecode Also, I think, you misunderstand, what apktool does exactly. You are talking about code stealing, but it don't help much with the code. It uses different tool, smali/baksmali, which is dex assembler/ disassembler. And speaking of why Google didn't removed apktool site - smali is on code.google.com too and it is there more than a year. You should know that your apps aren't encrypted in any way. Both resources decoding (apktool) and code disassembling (baksmali) aren't processes of cracking security, but converting data from one format to another. It's something like unpacking zipped text file: was binary, is human readable now, but that definitely isn't cracking something, right? Even without tools like apktool or smali it was possible to modify apks, because all data was always there, just in different, binary format. Apktool is just 2 months old, but there were UI themes from the beginning of Android's live - people modified files directly in binary format. Also, as someone said, sources are in bytecode, they could be even invoked from someone else code without any problem. That is how Java works. Ahh and sounds, images, etc. were always crackable using piracy tools like e.g. WinRAR. You should rethink, whether there is really any sense in stealing something from your app. Ideas, design and appearance could be stolen by just looking at it. Algorithms? It is really hard to analyze simple loop in smali code - it's asm, you know. If you really want to not let other people even look at your work, you should consider moving to iPhones. -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
[android-developers] Re: APKTool - decoding our apps
On May 11, 11:00 am, Nathan critter...@crittermap.com wrote: I don't know, but I find the summary of it interesting. . SNIP Baloney. Reengineering itself is an illegal use. There is no GOOD purpose it should be used for. It is a piracy tool pure and simple. Nathan I disagree. Reverse engineering could let me implement a fix for a bug in an application I bought legally when the original authors can't or won't support it in the ways I need. Reverse engineering can let me read their code to see if a security hole exists, like them sharing my credit card information in unapproved ways or calling a 1-900 number in the middle of the night. Reverse engineering can let programmers read and learn from examples of production quality code. There are plenty of moral (as distinct from legal) uses for reverse engineering. I believe reverse engineering is still legal in the US under the DMCA, but I also believe distributing tools whose primary purpose is to enable removal of data obfuscation is illegal. I don't know how that law would apply to this example in the US, and of course local law would apply for other parts of the world. Bobby -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
[android-developers] Re: APKTool - decoding our apps
I don't know, but I find the summary of it interesting. . It is a tool for reengineering 3rd party, closed, binary Android apps. It is NOT intended for piracy and other non-legal uses. It could be used for localizing, adding some features or support for custom platforms and other GOOD purposes. Baloney. Reengineering itself is an illegal use. There is no GOOD purpose it should be used for. It is a piracy tool pure and simple. Nathan On May 11, 8:28 am, André pha...@hotmail.com wrote: Hello, I stumbled across this program on the web: http://code.google.com/p/android-apktool/ And realized that it works pretty well. I can decode the programs I've made from the apk files. I can't really say I like that. Does anyone know of a way create the apk file without having programs like this being able to decode and open them? -André -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group athttp://groups.google.com/group/android-developers?hl=en -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
[android-developers] Re: APKTool - decoding our apps
Interesting that it's hosted on google as well! On May 11, 6:00 pm, Nathan critter...@crittermap.com wrote: I don't know, but I find the summary of it interesting. . It is a tool for reengineering 3rd party, closed, binary Android apps. It is NOT intended for piracy and other non-legal uses. It could be used for localizing, adding some features or support for custom platforms and other GOOD purposes. Baloney. Reengineering itself is an illegal use. There is no GOOD purpose it should be used for. It is a piracy tool pure and simple. Nathan On May 11, 8:28 am, André pha...@hotmail.com wrote: Hello, I stumbled across this program on the web: http://code.google.com/p/android-apktool/ And realized that it works pretty well. I can decode the programs I've made from the apk files. I can't really say I like that. Does anyone know of a way create the apk file without having programs like this being able to decode and open them? -André -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group athttp://groups.google.com/group/android-developers?hl=en -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group athttp://groups.google.com/group/android-developers?hl=en -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
[android-developers] Re: APKTool - decoding our apps
Has anyone tried using an obfuscator on their app before apk'ing it? Something like http://proguard.sourceforge.net/ I'm going to give it a try and then try to reverse engineer it to see if it helps. Don't like the idea of people reverse engineering our code either... On May 11, 12:00 pm, Nathan critter...@crittermap.com wrote: I don't know, but I find the summary of it interesting. . It is a tool for reengineering 3rd party, closed, binary Android apps. It is NOT intended for piracy and other non-legal uses. It could be used for localizing, adding some features or support for custom platforms and other GOOD purposes. Baloney. Reengineering itself is an illegal use. There is no GOOD purpose it should be used for. It is a piracy tool pure and simple. Nathan On May 11, 8:28 am, André pha...@hotmail.com wrote: Hello, I stumbled across this program on the web: http://code.google.com/p/android-apktool/ And realized that it works pretty well. I can decode the programs I've made from the apk files. I can't really say I like that. Does anyone know of a way create the apk file without having programs like this being able to decode and open them? -André -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group athttp://groups.google.com/group/android-developers?hl=en -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group athttp://groups.google.com/group/android-developers?hl=en -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
[android-developers] Re: APKTool - decoding our apps
That looks good. But I have no idea how to use it? I've been trying to find a tutorial for it. Have you found that? -André On May 11, 6:09 pm, pacoder sove...@gmail.com wrote: Has anyone tried using an obfuscator on their app before apk'ing it? Something likehttp://proguard.sourceforge.net/ I'm going to give it a try and then try to reverse engineer it to see if it helps. Don't like the idea of people reverse engineering our code either... On May 11, 12:00 pm, Nathan critter...@crittermap.com wrote: I don't know, but I find the summary of it interesting. . It is a tool for reengineering 3rd party, closed, binary Android apps. It is NOT intended for piracy and other non-legal uses. It could be used for localizing, adding some features or support for custom platforms and other GOOD purposes. Baloney. Reengineering itself is an illegal use. There is no GOOD purpose it should be used for. It is a piracy tool pure and simple. Nathan On May 11, 8:28 am, André pha...@hotmail.com wrote: Hello, I stumbled across this program on the web: http://code.google.com/p/android-apktool/ And realized that it works pretty well. I can decode the programs I've made from the apk files. I can't really say I like that. Does anyone know of a way create the apk file without having programs like this being able to decode and open them? -André -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group athttp://groups.google.com/group/android-developers?hl=en -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group athttp://groups.google.com/group/android-developers?hl=en -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group athttp://groups.google.com/group/android-developers?hl=en -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
[android-developers] Re: APKTool - decoding our apps
Proguard make it a bit harder to RE, but it'll still possible (and the APKtool gives you possibility to debug which is a really powerful RE tool), moreover you cannot use all of proguard optimization because you will not be able to convert classes to dex, in fact you can only use shrink and agressive overloading. Bottom line is: proguard lets you shrink you code about 30% but it'll not make your application hack / RE proof. -- Bart Janusz (Beepstreet) On May 11, 6:09 pm, pacoder sove...@gmail.com wrote: Has anyone tried using an obfuscator on their app before apk'ing it? Something likehttp://proguard.sourceforge.net/ I'm going to give it a try and then try to reverse engineer it to see if it helps. Don't like the idea of people reverse engineering our code either... On May 11, 12:00 pm, Nathan critter...@crittermap.com wrote: I don't know, but I find the summary of it interesting. . It is a tool for reengineering 3rd party, closed, binary Android apps. It is NOT intended for piracy and other non-legal uses. It could be used for localizing, adding some features or support for custom platforms and other GOOD purposes. Baloney. Reengineering itself is an illegal use. There is no GOOD purpose it should be used for. It is a piracy tool pure and simple. Nathan On May 11, 8:28 am, André pha...@hotmail.com wrote: Hello, I stumbled across this program on the web: http://code.google.com/p/android-apktool/ And realized that it works pretty well. I can decode the programs I've made from the apk files. I can't really say I like that. Does anyone know of a way create the apk file without having programs like this being able to decode and open them? -André -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group athttp://groups.google.com/group/android-developers?hl=en -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group athttp://groups.google.com/group/android-developers?hl=en -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group athttp://groups.google.com/group/android-developers?hl=en -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
Re: [android-developers] Re: APKTool - decoding our apps
On Tue, May 11, 2010 at 1:03 PM, André pha...@hotmail.com wrote: That looks good. But I have no idea how to use it? I've been trying to find a tutorial for it. Have you found that? Did you guys notice anything about ProGuard actually supporting encryption? Nope. It just says obfuscator. http://proguard.sourceforge.net/FAQ.html#obfuscation That means it will simply take yourNiceBigVariable names and turn them into single letter variable names. That's only secure if you work in Redmond. ProGuard will also remove debugging info, w00h00! But then who compiles production releases in debug mode? No one. Realize Java is bytecode compiled. You will never be able to fully protect it by it's very nature. The Dalvik virtual machine would have to be capable of decrypting the bytecode before any useful protection could be available. http://en.wikipedia.org/wiki/Dalvik_virtual_machine I can't find the word encrypt anywhere on the page. Google did make some sort of attempt at .apk encryption, but we actually like our apps to appear in the Marketplace, so we don't dare use it. Java also fully supports reflection. That makes writing tools to take it apart trivial. The day Dalvik encryption support is announced will be the same day work will begin to break it. Count on it. Develop your business model with that fact in mind. The only winning move is to not play. ~Joshua Or in my case, I just don't care. There will always be reversers and pirates. -- Greg Donald destiney.com | gregdonald.com -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
[android-developers] Re: APKTool - decoding our apps
or... the surest way to prevent anyone from copying your code is to write such a crappy app that nobody will want it. In the JavaScript world, where I usually live, code piracy is a way of life. Just accept it as a compliment and move on. -John Coryat -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
