2

We are developing an Android application. We know that using tools like APKTool and dex2jar, others can get the source code of an APK.

1) Can they get complete source code so that they can rebuild the same APK, with very minimal effort?

2) After getting the source code, is there a possibility that others can upload the rebuilt APK under their own name?

3) If possible, how to prevent this?

Our clients are keen about this.

Sadeshkumar Periyasamy
  • 4,718
  • 1
  • 24
  • 29
  • 1) They can, but with a NOT MINIMAL effort. 2) Sure, they can. 3) You can't. You can just make their work a bit harder, trying to obfuscate your code as much as possible and crypting your dbs (which is the most important thing). – Phantômaxx Mar 17 '14 at 11:29

3 Answers

7
  1. It is not possible to prevent your application from being reverse engineered. However, you can make it harder using tools like ProGuard.

  2. Yes, it is possible that others can upload the reverse engineered APK. Nevertheless, they need to change the package name.

  3. It cannot be prevented.

Have a good look here for a more detailed explanation: How to secure my app against piracy

Philipp Jahoda
  • 47,594
  • 21
  • 164
  • 175
2

1) They can, but NOT WITH A MINIMAL effort.
2) Sure, they can.
3) You can't. You can just make their work a bit harder, trying to obfuscate your code as much as possible and crypting your dbs (which is the most important thing you and your users should worry about).

Phantômaxx
  • 36,442
  • 21
  • 78
  • 108
1
  1. Not sure what you mean by APK? You can certainly extract and decompile an APK, repackage and resign it. It would be the same but would have a different signature and so couldn't be installed over an existing installation. I'd argue this can be done with minimal effort using Apktool; there are hundreds of articles on how to do it. But it's even easier with APK2Java, which turns converting an APK to Java into a point-and-click experience.

  2. Yes, to other app stores with no code changes. If the attacker changes the package name (which is simple; there are automated scripts that can do this), it could be uploaded to the Play Store.

  3. 100% preventable? No. But you can make it a lot harder and raise the difficulty and effort level required. As others have mentioned, ProGuard is a good start; I recommend DexGuard. It's not free but really adds to your APK hardening. You could also add tamper checks to break functionality or alert the user.

I've talked about Android app hardening at Droidcon UK; here are the slides, they may help. The idea is to add several levels of security to raise the time/effort it takes so most attackers will just move on to another app.

scottyab
  • 21,990
  • 15
  • 91
  • 102