Recommended Android reinforcement platform (five stars)

Some time ago I studied some tools and techniques for Android reverse engineering and wrote a few blog posts about them. I haven't finished the reverse engineering series yet; I have written a few introductory articles and will continue later. As mentioned before, where there is reverse engineering there are corresponding protection measures, and reinforcement (hardening) is one of them. Below I summarize the commonly used Android reinforcement platforms.

1. Bangbang reinforcement

1. Online reinforcement

1. This is the official website of Bangbang Hardening: Bangbang Security - Prevent decompilation | APP security hardening | Application hardening | Piracy monitoring. After registering a new user and logging in, click Reinforce Now, as shown in the figure below:

Insert image description here

2. After opening the new page, select Add Application, as shown in the figure:

Insert image description here

3. After selecting the application, the upload is completed and click Submit Application. As shown below:

Insert image description here

4. After submission, wait for the reinforcement to be completed:

Insert image description here

5. After receiving the email notification, the reinforcement has been completed. You can refresh the web page:

Insert image description here

6. Click on the hardened apk, then click to download the hardening package. Because you cannot sign online, you need to sign it yourself after downloading. As follows:

Insert image description here

7. If you don't know how to sign, you can download the signature tool and sign according to the instructions in the picture above. At this point, the online reinforcement is completed. Online reinforcement is relatively cumbersome, so I do not recommend it. I recommend using Bangbang Assistant for reinforcement instead, which is introduced below.

2. Download and use Bangbang Assistant

We enter the official website to download Bangbang Assistant. "Bangbang Assistant is a desktop-level (PC-side) APP reinforcement auxiliary tool provided by Bangbang Security for developers. It has the characteristics of convenient submission, fast response, and stable transmission. It also supports breakpoint resume, visual task management, and multiple Task processing, automatic integrated reinforcement, customized signature export form and other functions."

After the click-through installation is completed, we open Bangbang Assistant and log in with our account and password. If you are not registered, you can click to register a new user. If clicking Register New User does not open the registration page, go directly to the official website to register. As shown below:

Insert image description here

After registering, log in. The main interface is shown in the figure:

Insert image description here

3. Use Bangbang Assistant to strengthen the apk

1. Click on file, add task, and add a single APK file (here, we take hardening one apk as an example. If you want to harden multiple apks, you can choose to add directories), as shown in the figure:

Insert image description here

2. After selecting the apk to be reinforced, the following reinforcement work will be automatically performed: Uploading, Reinforcing, Downloading, Completed, as shown in the figure below:

Insert image description here

3. One thing Bangbang reinforcement does well is that it sends an email reminder after the reinforcement task is completed. The apk file we used for testing is very small. If the file is large, we can leave it alone after selecting it; when the reinforcement is completed, we receive an email reminder, so we can continue with other work without watching it all the time. As shown below:

Insert image description here

4. After receiving the email reminder, check Bangbang Assistant. The task progress may still show that it is being reinforced or downloading. Refresh the status and the reinforcement is completed. As shown below:

Insert image description here

5. After completing the above reinforcement work, we need to export the reinforced apk. Select the apk we want to export, click Export, and choose to export the signed apk, as shown in the figure below:

Insert image description here

6. Select the signature file in the pop-up interface, enter the password, select the export location, and click to start exporting, as shown in the figure below:

Insert image description here

7. When the export is successful, a pop-up window will appear. At this point, our reinforcement work is completed.

4. Use AndroidKiller to verify the reinforcement

1. First, let's decompile the original apk and look at the decompiled files. The specific steps will not be described in detail; we go straight to the results. As you can see from the picture below, the package name, the class names and the smali source code are clearly exposed. By modifying some of the smali source code, the app's logic can be changed and the app repackaged. As shown below:

Insert image description here

2. We use AndroidKiller to decompile the reinforced apk. The decompilation succeeds, but when we open the smali files, the package names and class names have all changed to ones we do not recognize, and none of the familiar code is there. As shown below:

Insert image description here

Let's take a look at the AndroidManifest file, which contains the declaration of the app's entry activity. We find that it is MainActivity. We search for MainActivity and find that, apart from the Manifest file, there is no record of MainActivity anywhere. As the picture shows:

Insert image description here

5. Compare apk before and after reinforcement

1. Compare the size of the apk installation package before and after reinforcement

The apk before reinforcement is 1.25M, and the apk after reinforcement is 1.82M, an increase of 0.57M. As shown below:

Insert image description here

Insert image description here

2. Test whether the reinforced app is usable. The following test results indicate that it can be used:

Insert image description here

Finally, a brief summary. Bangbang reinforcement is very convenient to use: with Bangbang Assistant you can reinforce and export with one click. After hardening, the source code cannot be obtained by decompiling with AndroidKiller. The hardened apk is larger than the original, and it can be installed and used normally.

2. Tencent Legu

Next, let's introduce the use of Tencent Legu. (Note: these hardening posts were originally written in April. Later I felt that most hardening tools are used in the same way, so I deleted them. Recently I thought it over again: I had already sorted the material out while working through the tools, so I might as well restore it. The four reinforcement articles are combined into one here, which basically covers the mainstream domestic reinforcement tools.)

1. Use Legu online

1. To use Legu, you need to log in to Tencent Cloud and enter the mobile application security section. The address is as follows: Mobile Application (APP) Security_Mobile Application Reinforcement_Mobile Application Security Solution-Tencent Cloud. You can choose QQ or WeChat to log in. After logging in, click to experience it now. As the picture shows:

Insert image description here

2. Enter the interface as shown below:

Insert image description here

3. Click to reinforce immediately and select free reinforcement. After uploading the application, click to confirm the reinforcement. You need to wait for a while. As shown below:

Insert image description here

4. After the reinforcement is completed, click to download the reinforcement package. Signing is not supported online, so the package must be signed after downloading. I won't go into the details of signing here. Online use is not recommended; the self-service reinforcement tool, introduced below, is the better choice.

Insert image description here

2. Reinforcement assistant reinforcement

1. Click Application Hardening, and then download the hardening tool, as shown in the figure below:

Insert image description here

2. Open the reinforcement assistant. Note that you need a cloud API key ID and key. Click How to Obtain the Cloud API Key and follow the instructions step by step, as shown below:

Insert image description here

3. After logging in, select Add Application, as shown in the figure below:

Insert image description here

4. Enter the following interface, select the signature file, enter the password, click Next, then click Reinforcement and wait for the reinforcement to be completed:

Insert image description here

5. After the reinforcement is completed, click Details and Download. Note: After downloading the two files, the one with the shorter name is unsigned and cannot be installed. The one with the long name is signed and can be installed and used.

Insert image description here

3. Use AndroidKiller to verify the reinforcement

After decompiling with AndroidKiller, I found that the smali code has no obvious meaning, and searching for MainActivity finds nothing:

Insert image description here

4. Comparison of apk before and after reinforcement

1. apk size comparison:

1.25M before reinforcement, 1.39M after reinforcement, and the volume increased by 0.14M, as shown in the figure below:

Insert image description here

Insert image description here

2. Whether the apk can be installed and used after being reinforced, as shown in the figure below, it can be used normally:

Insert image description here

Finally, a summary. Tencent's Legu reinforcement is also very convenient to use, and Legu Assistant is very simple. The apk is only slightly larger after reinforcement, which is much better than Bangbang reinforcement. The code obtained by decompiling after hardening has been processed, and the apk can be installed and used normally after hardening.

3. Testin cloud reinforcement

Next, let's introduce another hardening tool: Testin cloud hardening. Unlike the first two platforms, Testin cloud reinforcement only supports online reinforcement through its website. Let's take a look at it in a spirit of trying it out and learning.

1. Usage of Testin cloud reinforcement

1. First, enter the official website of Testin Cloud Reinforcement: Cloud Testing, Helping Industry Intelligence|Testing, Security, AI Data . After registering and logging in, click to experience it now:

Insert image description here

2. After clicking to experience it now, enter the following interface, click to start reinforcement, and select the standard version of reinforcement in the pop-up window:

Insert image description here

3. After binding your email address, you enter the following interface:

Insert image description here

4. Click Upload Application, select the apk to submit, and then complete the information. Select advanced settings and upload key-related information, as shown in the figure below:

Insert image description here

5. Select the apk you submitted, click Next, check the email notification on the newly opened page, and click Next. As shown below:

Insert image description here

6. Click View Tasks on the new page, as shown below:

Insert image description here

7. After the reinforcement is completed, you will receive an email notification. After receiving the notification, refresh the page and click to download the reinforcement package.

2. Use AndroidKiller to verify the reinforcement

Insert image description here

3. Compare apk before and after reinforcement

1. Compare the apk volume before and after reinforcement:

It was 1.25M before reinforcement and 3.24M after reinforcement. The volume increased to nearly three times the original size. As the picture shows:

Insert image description here

Insert image description here

2. Confirm whether the apk can be installed and used after hardening:

Although we submitted the signature file earlier, the downloaded apk is not signed, so the installation fails and we need to sign it manually. Here I use the Bangbang Signer from Bangbang reinforcement to sign it; after signing, it can be installed and used:

Insert image description here
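
A quick pre-install check for the situation described here and in the online steps for Bangbang and Legu, where the downloaded package comes back unsigned. This is an added example, not code from the original post; it only detects whether a v1 JAR signature file or an APK Signing Block is present and validates nothing (that is what `apksigner verify` is for), and the sample archives are constructed.

```python
import io
import struct
import zipfile

SIG_BLOCK_MAGIC = b"APK Sig Block 42"   # trailer of the v2+ APK Signing Block
EOCD_MAGIC = b"PK\x05\x06"              # ZIP end-of-central-directory record

def signature_markers(apk: bytes) -> dict:
    """Report which signature containers are present (presence only, not validity)."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        names = [n.upper() for n in z.namelist()]
    v1 = any(n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC"))
             for n in names)
    eocd = apk.rfind(EOCD_MAGIC)
    (cd_off,) = struct.unpack_from("<I", apk, eocd + 16)  # central directory offset
    # The signing block, if any, ends immediately before the central directory.
    block = cd_off >= 32 and apk[cd_off - 16:cd_off] == SIG_BLOCK_MAGIC
    return {"v1_jar": v1, "signing_block": block}

def is_unsigned(apk: bytes) -> bool:
    """True when neither signature container is present."""
    return not any(signature_markers(apk).values())

def make_zip(entries: dict) -> bytes:
    """Constructed sample archive standing in for a downloaded apk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

def with_empty_signing_block(apk: bytes) -> bytes:
    """Constructed sample: insert a signing block that carries no signer data."""
    eocd = apk.rfind(EOCD_MAGIC)
    (cd_off,) = struct.unpack_from("<I", apk, eocd + 16)
    size = struct.pack("<Q", 24)        # second size field (8) + magic (16)
    block = size + size + SIG_BLOCK_MAGIC
    out = bytearray(apk[:cd_off] + block + apk[cd_off:])
    struct.pack_into("<I", out, eocd + len(block) + 16, cd_off + len(block))
    return bytes(out)

UNSIGNED = make_zip({"classes.dex": b"constructed"})
V1_SIGNED = make_zip({"classes.dex": b"constructed",
                      "META-INF/CERT.SF": b"", "META-INF/CERT.RSA": b""})
V2_SIGNED = with_empty_signing_block(UNSIGNED)
```
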

To sum up, Testin cloud hardening can harden an app, but only through the website. There is no self-service tool, and you need to sign manually after hardening. The most important point is that the volume increases too much after reinforcement, which may be related to the reinforcement technology.

4. 360 reinforced warranty

Finally, let’s introduce the use of 360 reinforced warranty. 360 Reinforcement Protection is also one of the most commonly used reinforcement tools on the market. Next, with an attitude of learning and experience, let’s take a look at the use of 360 reinforced warranty.

1. Use of 360 reinforced warranty

1. The official address of 360 Security Protection: 360 Tianyu - a one-stop service platform for enterprise mobile application security. After registering and logging in, click Free Use:

Insert image description here

2. Enter the following page. 360 Reinforcement Protection also supports website reinforcement. As we saw with the previous reinforcement tools, website reinforcement is generally more cumbersome, so we download the desktop tool directly and reinforce with that:

Insert image description here

3. Open and log in to 360 Reinforcement Insurance. You need to register personal information for the first time:

Insert image description here

4. After filling in and saving, enter the main interface and click Add Application:

Insert image description here

5. Click Configure Now, configure the signature file, click Add after configuration, and then start reinforcement:

Insert image description here

6. After the reinforcement is completed, as shown in the figure below, click OK. At this point, the reinforcement is completed:

Insert image description here

2. Use AndroidKiller to verify the reinforcement

Use AndroidKiller to decompile and see how it works. As shown in the figure below, after decompilation, it is found that the package name and class name have changed, and the relevant information of MainActivity cannot be searched.

Insert image description here
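
The AndroidKiller check used in each verification section above (search the decompiled output for the manifest's entry class) can be scripted against the APK's DEX string tables. This is an added example, not code from the original post or from any of the vendors; the package name `com.example.demo` and the stub class name are assumptions, and both sample APKs are constructed in memory.

```python
import io
import struct
import zipfile

def dex_strings(dex: bytes) -> set:
    """Return every entry of a DEX file's string table."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    # string_ids_size and string_ids_off sit at 0x38 and 0x3C in the header
    count, table = struct.unpack_from("<II", dex, 0x38)
    found = set()
    for i in range(count):
        (off,) = struct.unpack_from("<I", dex, table + 4 * i)
        while dex[off] & 0x80:          # skip the ULEB128 length prefix
            off += 1
        off += 1
        end = dex.index(b"\0", off)     # string data is NUL-terminated
        found.add(dex[off:end].decode("utf-8", "replace"))
    return found

def entry_class_visible(apk, entry_class: str) -> bool:
    """True if entry_class still appears in any classes*.dex of the APK.

    apk is a path or a binary file object; entry_class is the dotted name
    read from AndroidManifest.xml.
    """
    descriptor = "L" + entry_class.replace(".", "/") + ";"
    with zipfile.ZipFile(apk) as z:
        dex_names = [n for n in z.namelist()
                     if n.startswith("classes") and n.endswith(".dex")]
        return any(descriptor in dex_strings(z.read(n)) for n in dex_names)

def sample_apk(strings) -> io.BytesIO:
    """Constructed sample: an APK whose classes.dex is a header plus strings."""
    ids, data = b"", b""
    data_off = 0x70 + 4 * len(strings)
    for s in strings:
        ids += struct.pack("<I", data_off + len(data))
        data += bytes([len(s)]) + s.encode() + b"\0"
    header = bytearray(0x70)
    header[:8] = b"dex\n035\0"
    struct.pack_into("<II", header, 0x38, len(strings), 0x70)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", bytes(header) + ids + data)
    return buf

ENTRY = "com.example.demo.MainActivity"   # assumed package name, not from the page
original = sample_apk(["Lcom/example/demo/MainActivity;", "onCreate"])
hardened = sample_apk(["Lcom/example/shell/StubApplication;", "attachBaseContext"])
```

On a real build, pass the apk path and the entry activity from its manifest; a `True` result after hardening means the original class is still readable in the shipped DEX.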

3. Comparison before and after apk reinforcement

1. apk size comparison:

Before reinforcement, it was still 1.25M. After reinforcement, it was 2.04M, an increase of 0.79M, as shown in the following figure:

Insert image description here

Insert image description here

2. Whether the apk can be installed and used after being hardened. It has been verified that it can:

Insert image description here

When using 360 Reinforcement Warranty, you need to register personal information. Once the signature file is configured, signing is done automatically as part of the reinforcement, so it is also relatively convenient to use. After the reinforcement, the apk size has slightly increased and the apk can be installed and run. Finally, note that this blog is only based on the demo used for testing in the original Android reverse blog, and there is no guarantee that all apks can be successfully reinforced.

5. Love Encryption: reinforcement and encryption

1. First, register an account with iEncryption and log in.

2. After logging in, click where shown in the picture below:

Insert image description here

After entering, click the signature tool again. I am using Windows, so I downloaded the Windows version. Once the download is complete, click and follow the automatic prompts to install it.

Insert image description here

3. After installation, click Open:

Insert image description here

4. After opening, the operations inside the tool are as shown:

Insert image description here

Finally my advice.


At present, I am using 360 reinforcement for reinforcement. After the reinforcement is completed, I use Ai Encryption for encryption.

This combination is not bad.

Nowadays, 360 reinforcement charges for encryption. Previously, both the hardening and the encryption were free. Now you need to open a VIP account to encrypt, but the hardening is still free as before.

Origin blog.csdn.net/zxz_zxz_zxz/article/details/130974818