1. Inside DVM
Basics
Nick Bova
@mykola_bova
Nov 14 2013

2. Why Java is vulnerable?
1. For portability, Java code is partially compiled
and then interpreted by the JVM.
2. Java’s compiled classes contain a lot of
symbolic information for the JVM.
3. The JVM is a simple stack machine.
4. Standard applications have no real protection
against decompilation.

3. Why Android apps are vulnerable?
1. There are multiple easy ways to gain access
to Android APKs.
2. It’s simple to translate an APK to a Java jar
file for subsequent decompilation.
3. One-click decompilation is possible, using
tools such as apktool.
4. APKs are shared on hacker forums.

4. Legal Issues to Consider When
Decompiling
Цель оправдывает средства?

5. Legal Issues to Consider When
Decompiling
1. Don’t decompile an APK, recompile it, and then
pass it off as your own.
2. Don’t even think of trying to sell a recompiled
APK to any third parties.
3. Try not to decompile an APK or application that
comes with a license agreement that expressly
forbids decompiling or reverse-engineering the
code.
4. Don’t decompile an APK to remove any
protection mechanisms and then recompile it
for your own personal use..

6. Protecting Yourself (Protection
schemes)
Protection schemes in your code: Spreading
protection schemes throughout your code (such
as checking whether the phone is rooted) is
useless because the schemes can be
commented out of the decompiled code.

7. Protecting Yourself (Obfuscation)
Obfuscation: Obfuscation replaces the method
names and variable names in a class file with
weird and wonderful names. This can be an
excellent deterrent, but the source code is often
still visible, depending on your choice of
obfuscator.

8. Protecting Yourself (Server-side code)
Server-side code: The safest protection for APKs
is to hide all the interesting code on the web
server and only use the APK as a thin front-end
GUI. This has the downside that you may still
need to hide an API key somewhere to gain
access to the web server

9. Protecting Yourself (Native code)
Native code: The Android Native Development
Kit (NDK) allows you to hide password
information in C++ files that can be
disassembled but not decompiled and that still
run on top of the DVM. Done correctly, this
technique can add a significant layer of
protection.

10. Protecting Yourself (Encryption)
Encryption can also be used in conjunction with
the NDK to provide an additional layer of
protection from disassembly, or as a way of
passing public and private key information to
any backend web server.

11. Protecting Yourself
What else?