I'm currently developing an application for a company which includes livescoring. The XML-files I access (from the net like: "http://company.com/files/xml/livescoring.xml") are not intended to be public and should only known to me.
I was wondering if it is possible for anyone to decode the .apk file and read my original .java files (which include the link to the XML files).
So, I renamed the .apk file to .zip and could access the "classes.dex", which seemed to include the .java files (or classes). Googling led me to a tool named "AvaBoxV2" which decoded this "classes.dex" file. Now I have a folder including an "out" folder where files named .smali exist. I opend one of these with an editor and finally there is the link to the xml file. Not good. :(
Is there a way to encrypt my app or the classes.dex file? I don't want to tell that company, that anyone can access the original xml-files. Maybe signing the app probably helps?
Also, do you know a really noob-friendly tutorial to prepare apps (signing, versioning,...) for Google Market?
Thanks in advance!
The .java source code is not included in the APK.
It is possible to disassemble the Dalvik bytecode into bytecode mnemonics using a tool like baksmali, but there's no way a user can recover the original .java source.
Furthermore, you can use a tool like proguard (included in the Android SDK) to obfuscate your byte code, making it hard to interpret the behavior of the disassembled bytecode.
You can make small tricks too, like storing the link string in some sort of obfuscated form, and then de-obfuscating it at run-time in your app (a simple example would be to use base 64 encoding, but someone could probably reverse that quickly if they wanted to).
That said, it's pretty trivial for someone to run tcpdump and sniff the network traffic between your device and the server, and get the URL that way, so there's no way to completely prevent anyone from getting this value.
Yeah, its impossible to fully prevent something like this. Its the same on a desktop application, or any other application.
As mentioned, obfuscation will help, but people who are persistent can still get past it. Especially for something like a url like that.
One solution of making it much more tricky for hackers is to use PHP on your webserver and some sort of token system to determine if the request is coming from your app or not... That would get a bit tricky though, so I don't really suggest it.
Related
Im asking for a bit much here but maybe some can point me or help me understand how .kdz and .dz file work, meaning I want to understated their structure and possible build a java script to compress (as a self project), also how can I read or utilize the dll file in the kdz.
I have a python script that can decompress those file, can any one help me understand it?
I am writing a game in java, and i would like to save my game. I am going to save it as a set of XML documents in a zip file. What i would like to know is if their is a way i can do this transparently so that the user cannot edit these files, or find them. I have thought about just making the files hidden, but that seems like a dirty and ugly way to do this. The thing i like least about the hidden files is that they don't seem compatible between systems. If their was anyway to save the files to the jar and read them from it that would also be equally as acceptable. Also there doesn't seem like a good way in java to make a file hidden. Any help would be greatly appreciated.
What i would like to know is if their is a way i can do this transparently so that the user cannot edit these files, or find them.
Ultimately, no.
Anything that you do to store state on the local machine can ultimately be reverse engineered and that state can be retrieved by a privileged user.
But there are various things you could do to make it difficult for people to "cheat". For instance, you could encrypt the file, or generate a seeded hash to detect "tinkering".
Hiding files on Java 7 is simple:
Path path = FileSystems.getDefault().getPath("directory", "hidden.txt");
Boolean hidden = path.getAttribute("dos:hidden", LinkOption.NOFOLLOW_LINKS);
if (hidden != null && !hidden) {
path.setAttribute("dos:hidden", Boolean.TRUE, LinkOption.NOFOLLOW_LINKS);
}
(Copied from: http://javarevisited.blogspot.com/2012/01/how-to-hide-file-java-program-example.html)
On earlier versions of Java you needed to call an external Windows application or call a native library to do it. But note that:
"hidden" files are only hidden from users who don't bother to look
they work differently on different platforms; e.g. for Linux/Unix based systems, "hidden" just means that the filename starts with a ".".
I am making the setup of java swing application by using Inno Setup as an exe i am selecting the jar file of my project, I am also adding other necessary resources as folder.
When I am installing the setup on the client side. it is putting the jar and other
resources in program files folder but there client can extract the my java classes
and other resources from jar. I want that client can only use the resources by
application program but he could not extract the resources. How is it possible?
There is literally nothing you can do to entirely prevent someone from extracting the resources.
The best you can do is to make the process a bit difficult; e.g. by storing the resources in the JAR file in encrypted form. The problem is that your program would need to decrypt the resources in order to use them. Someone with sufficient skills and patience can reverse engineer your decryption code and capture the unencrypted resources.
By the way, this is not a Java-specific problem. Any application that you provide to a user as an executable can be reverse engineered ... assuming that the user has the wherewithal to run it in the first place.
The bottom line is that if you are not prepared for the possibility that someone might extract the resources, you should not distribute the executable.
Using Java I need to be able to create an empty CD image and also to inject/extract files into/from this image. Do you know any java libs for that? Is there a way to accomplish it without using JNI? (if not, then your JNI solution is appreciated). Thank you guys.
PS. This task is required for data transportation between emulated environment created by Qemu emulator.
In principle this is simple to implement, just write a file that is properly structured as CD-image. In practice thats probably a lot of work.
Simply googling for "java create iso image" reveal there is already an implementation to do just that: http://jiic.berlios.de/
How would you go about opening an .xml file that is within a .jar and edit it?
I know that you can do...
InputStream myStream = this.getClass().getResourceAsStream("xmlData.xml");
But how would you open the xmlData.xml, edit the file, and save it in the .jar? I would find this useful to know and don't want to edit a file outside of the .jar... and the application needs to stay running the entire time!
Thank you!
Jar files are just .zip files with different file suffix, and naming convention for contents. So use classes from under java.util.zip to read and/or write contents.
Modifying contents is not guaranteed (or even likely) to effect running system, as class loader may cache contents as it sees fit.
So it might be good to know more about what you are actually trying to achieve with this. Modifying contents of a jar on-the-fly sounds like complicated and error-prone approach...
If you app. has a GUI and you have access to a web site/server, JWS might be the answer. The JNLP API that is available to JWS apps. provides services such as the PersistenceService. Here is a small demo. of the PersistenceService.
The idea would be to check for the XML in the JWS persistence store. If it is not there, write it there, otherwise use the cached version. If it changes, write a new version to the store.
The demo. writes to the store at shut-down, and reads at start-up. But there is no reason it could not be called by a menu item, timer etc.