RIIS, an IT services firm specializing in mobile development, today announced a new mobile security tool that can prevent Android decompilation by hackers on mobile devices.
The tool, HoseDex2Jar, is the first of its kind and prevents would-be hackers from using the Dex2Jar tool as a means to decompile Android apps and obtain access to sensitive data.
Godfrey Nolan, RIIS President, published a book on Android security earlier this year. Decompiling Android shows why Android apps can be decompiled to recover their source code, what it means to Android developers and how to protect code from prying eyes. An important topic, as the Android marketplace grows and developers are unwittingly releasing apps with back doors allowing people to potentially obtain credit card information and database logins to back-end systems. Android apps are client-side applications which presents a greater security threat because the actual code for the app is downloaded onto the user’s mobile device.
Android runs applications in .dex format. Dex2Jar is the only tool available to convert Android APK’s back into Java .jar files. This allows someone to decompile the .jar file using JD-GUI or JAD into readable source code. Once done, all proprietary source code and other sensitive information stored on backend databases are vulnerable.
RIIS knew if they could figure out a way to stop Dex2Jar from functioning, they could protect Android apps from being decompiled at all, thus protecting the apps from malicious attackers. RIIS started investigating to see if Dex2Jar had any limitations they could expose. HoseDex2Jar was born.
“Developers can take steps such as using tools like ProGuard to obfuscate their code, but up until now, it has been impossible to prevent someone from decompiling an app,” said Nolan.
“We realized if there was a way to stop Dex2Jar, we would stop all Android Decompilation. HoseDex2Jar does just that. It stops Dex2Jar by inserting harmless code in an Android APK that confuses and disables Dex2Jar and protects the code from decompilation. We’re now able to go a step beyond obfuscation and prevent hackers from decompiling an APK into readable java code. This is huge for companies with Android apps available on Google Play.”
To try HoseDex2Jar, visit http://www.decompilingandroid.com