To answer your question, it is simply impossible to make your APK fully secure. XML files are easily parsed without apktool.
I asked Ben Gruver/JesusFreke (the guy who developed smali) and he said it is impossible to fully secure an APK file, but you can make it harder for others to decompile. As long as Android can read the resources/code in your project.. then so can tools.
The exception you are seeing while attempting to decompile Gmail is because apktool needs to be updated for Lollipop (which is actively being working on).
The answer by @classc_abc is the best I found for making it harder to decompile an APK:
Basically, there are 5 methods to protect your APK being cracking/
reversing/ repackaging:
- Isolate Java Program
The easiest way is to make users unable to access to the Java Class
program. This is the most fundamental way, and it has a variety of
specific ways to achieve this. For example, developers can place the
key Java Class on the server, clients acquire services by access
relevant interfaces of the server rather than access to the Class file
directly. So there is no way for hackers to decompile Class files.
Currently, there are more and more standards and protocols services
provided through interfaces, such as HTTP, Web Service, RPC, etc. But
there are lots of applications are not suitable for this protection.
For example, Java programs in stand-alone programs are unable to
isolate.
- Encrypt Class Files
To prevent Class files from being decompiled directly, many developers
will encrypt some key Class files, such as registration number, serial
number management and other related classes. Before using these
encrypted classes, the program needs to decrypt these classes first,
then loading these classes into JVM. These classes can be decrypted by
hardware, or software.
Developers often loading cryptographic classes through a customed
ClassLoader class (Applet does not support customed ClassLoader
because of security). Customed ClassLoader will find cryptographic
classes first, then decrypt them. And finally loading the decrypted
classes to JVM. Customed ClassLoader is a very important class in this
protect method. Because it itself is not encrypted, it may be the
first target of a hacker. If the relevant decryption key and algorithm
have been overcome, then the encrypted classes can easily be
decrypted.
- Convert to Native Codes
Convert program to native codes is also an effective way to prevent
decompilation. Because native codes are often difficult to be
decompiled. Developers can convert the entire application to native
codes, or they can also convert only key modules. If just convert key
part of the modules, it will need JNI technology to call when Java
programs are using these modules. It abandoned Java's cross-platform
feature when using this mothod to protect Java programs. For different
platforms, we need to maintain different versions of the native codes,
which will increase software support and maintenance workload. But for
some key modules, sometimes this solution is often necessary. In order
to guarantee these native codes will not be modified or replaced,
developers often need to digitally sign these codes. Before using
these native codes, developers often need to authenticate these local
codes to ensure that these codes have not changed by hackers. If the
signature check is passed, then developers can call relevant JNI
methods.
- Code Obfuscation
Code obfuscation is to re-organize and process Class file, making the
treated codes accomplish the same function (semantics) with the
untreated codes. But the obfuscated codes are difficult to be
decompiled, i.e., the decompiled codes are very difficult to
understand, therefore decompile staffs are hard to understand the
really semantics. Theoretically, if hackers have enough time,
obfuscated codes may still be cracked. Even some people are developing
de-obfuscate tool. But from the actual situation, since the
diversified development of obfuscation, the mature of obfuscation
theory, obfuscated Java codes can well prevent decompilation.
- Online Encryption
APK Protect is an online encryption website for APK. It provides Java
codes and C++ codes protection to achieve anti-debugging and decompile
effects. The operation process is simple and easy.
I suggest you use this last method for it can save you more time. I've
tried. It is very simple to operate and it won't take long time.