Julio Merlo
Posted on March 8, 2024
Android has the largest global user base and gives users more flexibility to install applications that have not been vetted by the official store.
That means your application is exposed to more threats. To improve its security, I recommend adding some layers that make the application you build safer.
Content
- Prevent Screenshot | ScreenRecord
- Inappropriate Usage Of The Platform
- Exception Domains
- Reverse Engineer
Prevent Screenshot | ScreenRecord
To disable screenshots and screen recording, import WindowManager and add this line to the MainActivity file.
import android.view.WindowManager;
...
// Call in onCreate() before setContentView(): marks the window as secure so its
// contents are excluded from screenshots, screen recordings and non-secure displays.
getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE, WindowManager.LayoutParams.FLAG_SECURE);
Inappropriate Usage Of The Platform
If your app doesn't run heavy processes or need much RAM, remove this property from your AndroidManifest.xml. Use it only when you know exactly where all your memory is being allocated and why it must be retained.
<application
...
android:largeHeap="true"
...
You can read more about this in the official documentation.
Exception Domains
To allow http for some domains but not others, you must provide a Network Security Config file. To do this, go to the folder where the other xml files are (../res/xml) and create a file named network_security_config.xml
<network-security-config>
    <domain-config cleartextTrafficPermitted="true">
        <!-- Development Domains -->
        <domain includeSubdomains="true">10.0.1.1</domain>
        <domain includeSubdomains="true">localhost</domain>
        ...
    </domain-config>
    <domain-config cleartextTrafficPermitted="false">
        <!-- Api Services Domains -->
        <domain includeSubdomains="true">testdomain.com</domain>
        ...
    </domain-config>
</network-security-config>
and then add this property to the AndroidManifest.xml to reference the network config you just created above.
...
<application
...
android:networkSecurityConfig="@xml/network_security_config"
...
For more information, see the configuration documentation.
Reverse Engineer
In this case, reverse engineering is used to verify that your code is optimized and compressed, but you can use it for whatever purpose you need: checking for malicious code, analyzing apps or just for fun. If you don't see compressed or minified code, that means you need to enable the property in ..app/build.gradle. Remember that when you enable this approach, you need to add the rules provided by the authors of the third-party packages you use to proguard-rules.pro, and check that those rules don't break your app.
Steps to reverse an .apk:
- Rename your .apk file and add .zip at the end.
- Extract the content. When you extract it, you will have all the code, classes and many other things.
- Download the tool dex2jar and place it in the same folder where you extracted the apk.
- Open a terminal where your files are located and run the following command:
d2j-dex2jar.bat classes.dex
- Download the tool Java Decompiler.
- Last but not least, open the previously downloaded Java Decompiler and open the file classes-dex2jar.jar located in the extracted apk folder. If you see your code minified 🥳 you got it! The obfuscation process was successful 🔥.
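The steps above can be scripted so the check runs on every release build. This is an added example, not code from the original post: it unzips the APK, converts each classes*.dex with dex2jar, and judges whether the class names in the resulting jar look minified. The 60% short-name threshold and the sample listings are constructed assumptions; d2j-dex2jar.sh and unzip are assumed to be on PATH when run against a real APK.

```bash
#!/usr/bin/env bash
# Added example: automate "reverse an .apk" to confirm a release build is obfuscated.
set -eu

# Reads jar entries (one path per line, e.g. com/example/app/a.class) on stdin and
# prints "obfuscated" when most outer-class simple names are 1-3 characters,
# otherwise "readable". The 60% threshold is a constructed heuristic, not a standard.
classify_class_names() {
  awk -F/ '
    /\.class$/ {
      name = $NF
      sub(/\.class$/, "", name)
      sub(/\$.*/, "", name)        # inner classes: judge the outer class name only
      if (name ~ /^R$/) next        # generated resource class R keeps its name
      total++
      if (length(name) <= 3) short++
    }
    END {
      if (total == 0) { print "no-classes"; exit }
      if (short / total >= 0.6) print "obfuscated"; else print "readable"
    }'
}

# Full procedure from the post: unzip the APK (a zip), run dex2jar on each
# classes*.dex (d2j-dex2jar.bat on Windows), then list and judge the jar's classes.
check_apk_obfuscation() {
  apk=$1
  work=$(mktemp -d)
  unzip -q "$apk" 'classes*.dex' -d "$work"
  for dex in "$work"/classes*.dex; do
    d2j-dex2jar.sh -f -o "$dex.jar" "$dex"
    unzip -Z1 "$dex.jar"
  done | classify_class_names
  rm -rf "$work"
}

# Constructed sample listings: what the jar looks like after a minified build
# (MainActivity survives because manifest-declared classes are kept) vs. a debug build.
OBFUSCATED_LISTING='META-INF/MANIFEST.MF
com/example/app/MainActivity.class
com/example/app/R$string.class
com/example/app/a.class
com/example/app/b.class
com/example/app/c$1.class
com/example/app/d.class'
READABLE_LISTING='META-INF/MANIFEST.MF
com/example/app/MainActivity.class
com/example/app/LoginRepository.class
com/example/app/network/ApiClient.class
com/example/app/R$string.class
com/example/app/util/a.class'

# Usage: ./check_obfuscation.sh app-release.apk
if [ -n "${1:-}" ]; then check_apk_obfuscation "$1"; fi
```

A verdict of "readable" on a release APK means minification is not enabled in app/build.gradle or keep rules in proguard-rules.pro are too broad.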