How to protect your apk source code

However, there are steps you can take to protect your source code, or at least what it does, if not everything.

1. Use tools like ProGuard. These will obfuscate your code, and make it harder to read when decompiled, if not impossible.

2. Move the most critical parts of the service out of the app, and into a webservice, hidden behind a server side language like PHP. For example, if you have an algorithm that's taken you a million dollars to write, you obviously don't want people stealing it out of your app. Move the algorithm and have it process the data on a remote server, and use the app to simply provide it with the data. Or use the NDK to write them natively into .so files, which are much less likely to be decompiled than apks. I don't think a decompiler for .so files even exists as of now (and even if it did, it wouldn't be as good as the Java decompilers). Additionally, as @nikolay mentioned in the comments, you should use SSL when interacting between the server and device.

3. When storing values on the device, don't store them in a raw format. For example, say you have a game and you're storing the amount of in-game currency the user has in SharedPreferences. Let's assume it's 10000 coins. Instead of saving 10000 directly, save it using an algorithm like ((currency*2)+1)/13. So instead of 10000, you save 1538.53846154 into the SharedPreferences. However, the above example isn't perfect, and you'll have to work to come up with an equation that won't lose currency to rounding errors etc.

4. You can do a similar thing for server side tasks. Now for an example, let's actually take your payment processing app. Let's say the user has to make a payment of $200. Instead of sending a raw $200 value to the server, send a series of smaller, predefined values that add up to $200. For example, have a file or table on your server that equates words with values. So let's say that Charlie corresponds to $47, and John to $3. So instead of sending $200, you can send Charlie four times and John four times. On the server, interpret what they mean and add it up. This prevents a hacker from sending arbitrary values to your server, as they do not know what word corresponds to what value. As an added measure of security, you could have an equation similar to point 3 for this as well, and change the keywords every n days.

5. Finally, you can insert random useless source code into your app, so that the hacker is looking for a needle in a haystack. Insert random classes containing snippets from the internet, or just functions for calculating random things like the Fibonacci sequence. Make sure these classes compile, but aren't used by the actual functionality of the app. Add enough of these false classes, and the hacker would have a tough time finding your real code.

All in all, there's no way to protect your app 100%. You can make it harder, but not impossible. Your web server could be compromised, the hacker could figure out your keywords by monitoring multiple transaction amounts and the keywords you send for it, the hacker could painstakingly go through the source and figure out which code is a dummy.

You can only fight back, but never win.
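The caveat in point 3 (the ((currency*2)+1)/13 formula can lose currency to rounding) can be made concrete. The following is an added example, not code from the answer: it emulates with struct the 32-bit float that SharedPreferences.putFloat stores, and puts an exact, invertible integer encoding beside it; the constants MULT and ADD are constructed for this example.

```python
import struct

# Constants for the exact integer encoding (constructed for this example).
MODULUS = 2 ** 32
MULT = 0x9E3779B1                   # odd, so it has an inverse modulo 2**32
ADD = 0x5BD1E995
MULT_INV = pow(MULT, -1, MODULUS)   # modular inverse; Python 3.8+


def to_float32(x):
    """Round to IEEE-754 single precision, the width a Java float / putFloat stores."""
    return struct.unpack("f", struct.pack("f", x))[0]


def encode_float(currency):
    """The answer's point-3 formula, ((currency*2)+1)/13, as a stored 32-bit float."""
    return to_float32(((currency * 2) + 1) / 13)


def decode_float(stored):
    """Invert the formula and round back to a whole number of coins."""
    return round((stored * 13 - 1) / 2)


def encode_int(currency):
    """Exact alternative: an affine map modulo 2**32 over the integer coin count."""
    return (currency * MULT + ADD) % MODULUS


def decode_int(stored):
    """Exact inverse of encode_int; no rounding is involved."""
    return ((stored - ADD) * MULT_INV) % MODULUS


def roundtrip_failures(encode, decode, values):
    """Return the values that do not survive encode -> store -> decode."""
    return [v for v in values if decode(encode(v)) != v]


if __name__ == "__main__":
    samples = [0, 10000, 100_000_000, MODULUS - 1]
    print("float formula loses:", roundtrip_failures(encode_float, decode_float, samples))
    print("integer map loses:  ", roundtrip_failures(encode_int, decode_int, samples))
```

The affine map only hides the raw number, exactly as the answer says of its own formula; anyone who recovers MULT and ADD from the decompiled app can invert it.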