
My team and I coded an Android Application for a customer of my company. Due to some "political issues" the cooperation ended. The customer now uses the unpaid Application. I used dex2jar and apktool for reverse engineering, but during development we obfuscated our code with ProGuard. The only thing I can prove is that the Manifest.xml, strings.xml and some other resources are similar / equivalent. Is there any way to get a better or more readable view (in the best case in plain text) of the .java classes? Are there "better" tools than apktool or dex2jar that I missed?

Thanks in advance for your help!

Solution:

  • delete an activity from the decompiled Manifest (decompiled with apktool)
  • build a new apk file with the decompiled data
  • sign it with the keystore
  • put it on the device and start it. The app should crash when you navigate to the activity that you deleted from the Manifest
  • take the stacktrace (from logcat) and deobfuscate it (like Vaiden provided)
RobCo
Lars
  • Was there no backup? Your team does not have the source code? – Salaudeen Abdulrahman Jan 19 '18 at 09:20
  • So you wrote a program and you have the source code of _your_ program. And your former customer is using an application which you _think_ is yours? And now you want to reverse engineer that application to compare it with your code, so you _know_ if it is your program or not? Did I get that right? How did you even get the application that your former customer is now using? I dunno.... maybe you should ask a lawyer? – Korashen Jan 19 '18 at 09:21
  • To 'prove' it is your app, you can compare the apk signature with your signing key. Since your signing key is private you will be the only one to provide a matching key. For instructions on how to print the signatures see [this answer](https://stackoverflow.com/a/11331951/6151924). – RobCo Jan 19 '18 at 09:25
  • The former customer put the application into the Play Store. So you got it right @Korashen. I'm gonna look at this post. Thanks RobCo – Lars Jan 19 '18 at 09:26
  • They used another keystore so the signatures are not equivalent. – Lars Jan 19 '18 at 09:49
  • @SalaudeenAbdulrahman That is not the point. They have the backup (who doesn't use version control?). But how can you prove that a customer used the code you shipped him without paying for it? You have to dig deep in the APK. – Alexander Hoffmann Jan 19 '18 at 14:11
  • @RobCo This won't work once the client uses his own signature key. – Alexander Hoffmann Jan 19 '18 at 14:11

1 Answer


ProGuard's mapping file is supposed to be cumulative. So if you've kept your old mapping file (and I sure hope you did, at least for debugging's sake), you should be able to deobfuscate logged stacktraces: https://coderwall.com/p/htq67g/android-how-to-decode-proguard-s-obfuscated-stack-trace

It should be possible to simulate a stacktrace using the .java classes you've extracted. Just follow a call (stack) trace from the code itself. If you get a coherent response while retracing it using your mapping file - then chances are it is indeed your code.

Vaiden
  • Sorry for the misunderstanding: I didn't have the .java classes from the copied apk, but I found a way to follow your idea. I'll edit my start post with my solution. Thanks for your help! – Lars Jan 19 '18 at 13:00
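A minimal sketch of what retracing a logcat stack trace against a kept mapping file does, as an added example that is not part of the original posts and not ProGuard's own code. It parses a constructed `mapping.txt` excerpt, rewrites a constructed trace, and counts how many app frames agree with the mapping on class, method and line range. All package, class and method names are hypothetical, and only the classic `start:end:type name(args) -> obf` entry form is handled.

```python
import re
CLASS_RE = re.compile(r"^(\S+) -> (\S+):$")
# Method entry, e.g. "    10:18:void openDetail(long) -> a"; the line range is optional.
METHOD_RE = re.compile(r"^\s+(?:(\d+):(\d+):)?\S+ ([\w$<>]+)\(.*\)\S* -> (\S+)$")
FRAME_RE = re.compile(r"^(\s*at )([\w.$]+)\.([\w$<>]+)\(([^:)]*)(?::(\d+))?\)$")

# Constructed sample data (not from the page): mapping.txt excerpt and a logcat trace.
MAPPING = """\
com.example.app.nav.Navigator -> com.example.app.a.c:
    android.content.Context context -> a
    10:18:void openDetail(long) -> a
    21:30:void openSettings() -> a
com.example.app.ui.ListClickListener -> com.example.app.a.b:
    1:5:void onClick(android.view.View) -> onClick
"""
TRACE = """\
android.content.ActivityNotFoundException: Unable to find explicit activity class
    at android.app.Activity.startActivity(Activity.java:4522)
    at com.example.app.a.c.a(Unknown Source:14)
    at com.example.app.a.b.onClick(Unknown Source:3)
"""

def parse_mapping(text):
    """Map obfuscated class -> (original class, {obfuscated method: [(lo, hi, name)]})."""
    classes, current = {}, None
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            current = classes[m.group(2)] = (m.group(1), {})
        elif current and (m := METHOD_RE.match(line)):
            lo, hi, name, obf = m.groups()
            current[1].setdefault(obf, []).append((int(lo or 0), int(hi or 0), name))
    return classes

def retrace(trace, classes):
    """Return (retraced text, frames matched on class+method+line, frames with a mapped class)."""
    out, matched, seen = [], 0, 0
    for line in trace.splitlines():
        m = FRAME_RE.match(line)
        if not m or m.group(2) not in classes:
            out.append(line)  # framework frame or message line: leave untouched
            continue
        prefix, cls, meth, _src, num = m.groups()
        orig_cls, methods = classes[cls]
        cands = methods.get(meth, [])
        hits = [c for c in cands if num and c[0] <= int(num) <= c[1]]
        seen, matched = seen + 1, matched + (len(hits) == 1)
        names = "|".join(dict.fromkeys(c[2] for c in hits or cands)) or meth
        src = orig_cls.rsplit(".", 1)[-1].split("$")[0] + ".java"
        out.append(f"{prefix}{orig_cls}.{names}({src}:{num or '?'})")
    return "\n".join(out), matched, seen
```

Short names such as `a`, `b`, `c` appear in any ProGuard-processed app, so a class-name hit alone is weak evidence; the `matched` count, where the method name and the line number both fall inside a mapped range, is the stronger signal of a coherent retrace.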