Reputation: 7492
After Googling I have found that my free app with ads is published on some sites with the title "app_name_ad_free_mod_hacked". After trying to install this app on my personal phone, it works correctly but ads aren't showing. I even noticed that it doesn't make any ad request.
Is there any solution to prevent the app from being modified?
P.S.: I'm using ProGuard and I have decompiled the modified APK, and I don't notice any difference from the original app.
Ads are initialized in my code as below:
In onCreate() of MainActivity:
    MobileAds.initialize(getApplicationContext(), "admob_app_id");
    mAdView = findViewById(R.id.adView_fragment_ads);
    layout_ads = findViewById(R.id.layout_fragments_ads);
    start_ad();
and the method:
private void start_ad() {
    try {
        // data_ne_db is filled from the local database elsewhere in the activity;
        // ads are only requested when the stored flag equals "jo"
        if (data_ne_db[0].equals("jo")) {
            AdRequest adRequest = new AdRequest.Builder()
                    .addTestDevice(AdRequest.DEVICE_ID_EMULATOR)
                    .addTestDevice(getResources().getString(R.string.ads_test_device))
                    .addTestDevice(getResources().getString(R.string.ads_test_device_facebook))
                    .build();
            //mAdView.setAdUnitId(getResources().getString(R.string.ads_kryesorja_poshte));
            //mAdView.setAdSize(AdSize.LARGE_BANNER);
            // register the listener before requesting the ad so no callback is missed
            // (the same view found in onCreate(), mAdView, is used throughout)
            mAdView.setAdListener(new AdListener() {
                @Override
                public void onAdLoaded() {
                    mAdView.resume();
                    mAdView.setVisibility(View.VISIBLE);
                    u_inicializua = true; // field flag: ad was initialized
                }
                @Override
                public void onAdClosed() {
                    Log.e("AD CLOSED", "Ad was closed by user");
                }
                @Override
                public void onAdFailedToLoad(int errorCode) {
                    mAdView.pause();
                    Log.e("AD FRAG 2", "Ad failed to load, error: " + errorCode);
                    u_inicializua = false;
                }
                @Override
                public void onAdLeftApplication() {
                }
                @Override
                public void onAdOpened() {
                }
            });
            mAdView.loadAd(adRequest);
        }
    } catch (Exception ignored) {}
}
Maybe someone just comments out the method call or the database if-check, but how to prevent that?
Upvotes: 5
Views: 2904
Reputation: 1328
Nothing stops the attacker from decompiling your app, removing any security check code, hardcoding any values they want (certificates, flags, etc), and recompiling it again and signing it with whatever key they want.
That's not to say that you shouldn't do anything about it; you absolutely should. Make use of ProGuard/DexGuard (the latter if you can afford it) to obfuscate your code, and do implement all sorts of security checks that prevent an attacker from using the app on rooted devices, if developer mode is enabled, if the app is being hooked (Frida, Xposed), whether it's running on an emulator or a virtual environment, whether the certificate or the file is tampered with, and whether the app is compiled and built in debug mode. DexGuard provides functions that give you most of these with state-of-the-art protection, and it's updated very frequently (they update it like weekly). Another very good option is to programmatically send your APK's certificate to your backend server so that the server checks that it's communicating with an untampered client. You could also use Google's Play Integrity / Huawei's Safety Detect.
Note on the developer mode check: some banking apps do require you to disable developer mode, but if your user base is devs/enthusiasts who have it enabled, and your app isn't finance-based, you might just end up causing them to uninstall your app and use something else.
Ultimately, there's no answer for complete and full security on the client side of any platform, be it Android, iOS, Web, Desktop or otherwise. Nothing you can really do about it. All you can do is make the attacker's life hard and cumbersome enough that they don't bother to reverse engineer the whole thing. People have been cracking proprietary software in billion-dollar industries since the dawn of time, from operating systems to video games.
Case in point, the YouTube app and the YouTube Vanced and uYouPlus clone apps on Android and iOS respectively, not even a tech giant like YouTube/Google can do anything about this.
Never trust the client. This goes for literally every form of software you can think of.
Upvotes: 1
Reputation: 793
Making hacking impossible: I don't know if there is an answer.
What you can do is: there are some paid tools like DexGuard. You can use them. A paid alternative will likely work better than a free one.
Though an expert might get into your code, cracking DexGuard isn't a simple game. Also, it does runtime self-protection, code optimization, etc.
Some of my unused ideas :-P | Client side
That means: class ABACAS will do SACABA and SACABA will do ABACAS, & method delegate will return stack and method stack will return delegate.
If your app is server-dependent (I mean your app is just a client, the server does the task, has an API and does send-receive), just ask your app for the signature from the server. If the signatures match, do the next step; else return.
Upvotes: 4