Non-obfuscated APK Vulnerability in Android
Description
From the Intellectual Property (IP) perspective, Android applications are similar to web applications: despite everything, the source code (more specifically, the bytecode) is executed in an environment partially or fully in control of the user. This means that they, the user, can ultimately inspect, decompile, and analyze the bytecode as they please.
Impact
A non-minified application could disclose important details about the algorithm or the general code flow of the application. An attacker could leverage such information to gain precious insight into not only the app itself but also the communication that is possibly exchanged with vendor application servers.
Prevention
Developers concerned about the IP of their source code may consider obfuscating or minifying the APK before releasing it to the public. In a typical Android Studio project, this can be enabled by setting the minifyEnabled
field to true
in the relevant build.gradle
file:
android {
// ...
buildTypes {
release {
minifyEnabled true
proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
}
}
// ...
}
It is important to understand, though, that a perfect obfuscation is impossible. Developers should think about minification more as a deterrent than a solution and never store sensitive material (e.g., encryption keys, passwords, etc.) in the source code.
References
[Shrink, obfuscate, and optimize your app | Android Developers](https://developer.android.com/studio/build/shrink-code) |