Reputation: 2801
I need to store some passwords inside an android app. I have no way around since this particular app cannot do authentication with a remote server.
I was looking at this decompiler:
http://www.javadecompilers.com/apk
Yet I have a simple question for which I see different answers online. Is it possible for a hacker to root my client's device, get the application (I assume the APK is inside the device somewhere), run a decompiler and look up the passwords?
Note that this is a production app and will be signed and installed through the Google store. This is not just an unsigned APK floating around.
Thanks.
Upvotes: 1
Views: 1414
Reputation: 4691
Yes, someone could take your passwords. Signing your APK won't make a difference.
You can secure your passwords by storing hashes in the APK. Then, even if someone decompiles your code and takes the hashes, there's nothing they can do with them, since they still won't have the plain text to send to the app.
If all you need to do is control access to your signed app then that should be good enough. Though it doesn't prevent an attacker from decompiling your signed apk, modifying it, and recompiling it into an unsigned one. There's no reliable way to stop this, like there is no way to stop video game piracy. But techniques like obfuscation can help.
Upvotes: 3
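One way to implement the hash-in-the-APK check the answer describes, as an added example (not code from the question or the answer): the plaintext gate password is run through PBKDF2 once at build time, only the salt and hash are embedded, and at run time the typed password is re-derived and compared in constant time. It assumes the standard `javax.crypto` provider (`PBKDF2WithHmacSHA256` needs Android API 26 or newer; older targets can use `PBKDF2WithHmacSHA1`), and the class and method names are illustrative.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public final class AppPasswordGate {
    private static final String ALGORITHM = "PBKDF2WithHmacSHA256"; // API 26+; use ...SHA1 on older targets
    private static final int ITERATIONS = 100_000;                  // slows offline guessing of an extracted hash
    private static final int KEY_LENGTH_BITS = 256;

    /** Build-time step: derive the value to embed in the APK, formatted "iterations:saltHex:hashHex". */
    public static String deriveStoredValue(char[] password, byte[] salt) throws Exception {
        return ITERATIONS + ":" + toHex(salt) + ":" + toHex(pbkdf2(password, salt, ITERATIONS));
    }

    /** Run-time step: check the typed password against the embedded value; no plaintext is shipped. */
    public static boolean verify(char[] candidate, String storedValue) throws Exception {
        String[] parts = storedValue.split(":");
        if (parts.length != 3) return false;
        byte[] expected = fromHex(parts[2]);
        byte[] actual = pbkdf2(candidate, fromHex(parts[1]), Integer.parseInt(parts[0]));
        boolean ok = MessageDigest.isEqual(expected, actual); // constant-time, so timing leaks nothing
        Arrays.fill(actual, (byte) 0);
        return ok;
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_LENGTH_BITS);
        try { return SecretKeyFactory.getInstance(ALGORITHM).generateSecret(spec).getEncoded(); }
        finally { spec.clearPassword(); }
    }

    private static String toHex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    private static byte[] fromHex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt); // generated once at build time and embedded next to the hash
        String stored = deriveStoredValue("correct-horse-battery".toCharArray(), salt); // constructed sample
        System.out.println("embed this constant in the app: " + stored);
        System.out.println("correct password accepted: " + verify("correct-horse-battery".toCharArray(), stored));
        System.out.println("wrong password accepted: " + verify("wrong".toCharArray(), stored));
    }
}
```

An attacker who extracts the embedded value can still guess passwords offline against it, so the gate password needs real entropy and the iteration count should be as high as the device tolerates. A hash only works for this access-control case; it cannot replace a credential that a remote service needs to receive in plaintext.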