DEV Community

Cover image for Mobile app security: How to avoid reverse engineering of an Android application
Diana Maltseva
Diana Maltseva

Posted on


Mobile app security: How to avoid reverse engineering of an Android application

Mobile application security is the issue of the highest priority for all engineers and an essential part of product quality. However, despite a fast-growing mobile market, the level of piracy is very high, especially in Android ecosystem.

Unfortunately, now the app is easy to crack, disable advertising from it, and even untie from verification services. Making strong efforts to create an app and hoping to get success and profit, in the end, you can not only fail but also “lose it.

Also, some may wish to crack the app (device, program, software) to find out how it works in order to steal your ideas to make something better or even just reproduce it.

This practice is called reverse engineering and used in many spheres including manufacturing and even military. In this post, we’ll speak about the ways to protect your Android app against reverse engineering.

Applying to Android, reverse engineering process represents the ways of extracting a source code and resources from APK file (a zip archive). APK of a target application can be got from a phone by using ADB or just by downloading it from Google Play Market.


For decoding resources, Apktool can be used. This tool can decode resources to original form and rebuild APK after modification. It can also transform dex files to Smali source. Smali is more of an assembly based language and it can’t be used for complete reconstruction of Java code.

For decompiling dex files into Java code, you can use a dex2jar tool. It converts dex (Android VM bytecode) to jar (Java bytecode). Then, to decompile jar to Java source code you can use one of Java decompilers like jd-gui or JAD.

However, this way has one disadvantage – transforming dex to jar loses important metadata that the decompiler could use. There are two decompilers from dex to Java source exists – Androguard DAD and JEB.

Sharing experience

To protect an Android app from reverse engineering we use ProGuard. ProGuard is a Java class file shrinker, optimizer, obfuscator, and preverifier. It works as follows:

  • The shrinking step detects and removes unused classes, fields, methods, and attributes.

  • The optimization step analyzes and optimizes the bytecode of the methods.

  • The obfuscation step renames the remaining classes, fields, and methods using short meaningless names.

Also, learn more about other effective ways and practices to avoid reverse engineering and ensure app security.

Top comments (0)

An Animated Guide to Node.js Event Loop

>> Check out this classic DEV post <<