Android App Shield

Introduction

Quixxi App Shield is usable by enterprises, mobile app developers to secure their mobile apps from piracy, revenue loss, IP theft, loss of user data, hacking and cracking. Quixxi App Shield ensures your application is fully protected with our multi-layered encryption engine that prevents your application from being reverse engineered and tampered with

Salient features

Quixxi App Shield for Android:

  • moves hardcoded strings and methods calls to the native low layer, replacing both of them with gibberish values which will prevent the business logic understanding
  • is applied with a simple drag’n’drop, so to achieve a fast and codeless integration
  • provides additional API for encrypting the app data and shared preferences API for storing them safely on device

Steps to apply Quixxi App Shield to Android app

Optional but highly recommended
In order to achieve a higher security level we strongly suggest to obfuscate the code before applying the Quixxi App Shield. If you use ProGuard – the Android Studio’s inbuilt tool – please make sure to add the following line to your ProGuard file:

-keep class com.quixxi.** { *; }

Please follow the steps below to protect your Android app with Quixxi App Shield:

  1. If you don’t have yet created the container for your app in Quixxi Portal please create one using the “Add New”  button, otherwise go directly to point 3
  2. In the “Create your app” dialog give a name of your application and click “Continue”
  3. Click the app container and choose “Shield” in the header tab
  4. Click “Protect now” under the Android section or “Protect” in the left-side menu just below the “App Shield” section.
  5. In the next window make sure to select “Android” and add the unprotected apk to be secured. You can drag’n’drop it directly inside the perimeter or click on it to browse the filesystem
  6. You may need to scroll down the window, choose the appropriate plan and then click “Next”
  7. Tailor your security settings depending on the target application’s needs
  8. Once you click “Next” the apk will be uploaded to server and Quixxi App Shield will be applied.
  9. Once done, you will be automatically redirected to the “Download” page. In order to check the new generated apk you will have two choices. Click on the “Download Debug Signed” button to download an apk for debugging purposes. This apk is immediately ready to be installed on device because already signed by our keystore file. The other option offered is to sign the apk on your own, as better explained below
  10. Click on “Download Protected App” to download the unaligned, unsigned apk. You MUST sign it before it gets published on Google PlayStore and/or successfully executed on the phones. For this purpose you can use the following commands:
Jarsigner:

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore $YOUR-KEY-STORE-PATH $UNSIGN-APK-PATH $ALIAS-NAME

Jarsigner Verification:

jarsigner -verify -verbose -certs $UNSIGN-APK-PATH

zipalign:

zipalign -v 4 $UNSIGN-APK-PATH $OUTPUT-APK-PATH

Steps to apply Quixxi App Shield to Android Archive (aar)

Please follow the steps below to protect your Android library with Quixxi App Shield

  1. If you don’t have yet created the container for your aar file in Quixxi Portal please create one using the “Add New” button, otherwise go directly to point 3
  2. In the “Create your app” dialog give a name to your Android archive and click ”Continue”
  3. Click the aar container and choose “Shield” in the header tab
  4. Scroll all the way down the left-side menu and click the “Protect” tab below the “Code Protection“ section
  5. In the next window make sure to select “Android” and add the aar file to be processed either through drag’n’drop or browsing the filesystem
  6. You may need to scroll down the window, choose the appropriate plan and then click “Next”
  7. Once Quixxi App Shield is applied to the aar file click on the “Download Library” on the top right corner under the header to download the protected library
  8. Now your aar file has been secured and it’s ready to be integrated into another project

Steps to integrate the secured aar file into an app

In order to solve the calls destined to the freshly secured library please import it as you would normally do:

  1. In Android Studio go to ”File” -> ”Project Structure…” -> click the ”+” in the top left corner -> “Import .JAR/.AAR Package” -> “Next” -> select your secured library -> “Finish”. Please double-check that this step was correctly performed controlling that the “settings.gradle” file of your app shows a line like the following or add it to fix this step:
    include ‘:app’, ‘YourSecuredLibrary’
  2. After importing the secured SDK, click on “File” -> “Project Structure…” -> select “Dependencies” tab -> click the “+” in the top right corner -> “Module Dependency” -> select “:YourSecuredLibrary”. Again, please double-check that this step too was correctly performed opening your ”build.gradle (Module: app)” file. You should already find [only] one of the following lines in the list of “dependencies”, else please add the one corresponding to your Gradle version:
    compile project(‘:YourSecuredLibrary’)   // deprecated since gradle:3.0
    implementation project(‘:YourSecuredLibrary’)

Then you need to add to the launcher activity the QuixxiSecurity class that has been included in the protected aar file:

// import the library exactly as you would do with the plain one plus…
import com.quixxi.security.QuixxiSecurity;

and insert this call:

QuixxiSecurity.initialize(this, getApplicationContext());

Steps to apply Quixxi Security to Java Archive (jar)

Please follow the steps below to protect your Android library with Quixxi Security

  1. Create a new app in Quixxi Portal using “Add New” button.
  2. In “Create your app” dialog give a name of your application and click Continue
  3. Click the newly created app and choose “Security” in the header tab.
  4. Scroll down to the bottom of the page and click the “Protect” button Under the Code Protection in the left side of the window.
  5. In the next window make sure Android Radio button is selected and select the aar to be uploaded.
  6. Scroll down the window and choose the appropriate plan and then click Next to start uploading the jar.
  7. Once Quixxi Security is applied to the jar, Click on the Download Protected jar on the top right corner under the header to download the protected app.
  8. Copy the native library (.so) to your libs directory
  9. Replace your application source packages (packaged as jar which was meant to be secured) with the secured source packages generated from Quixxi Security
  10. Once the libs and packages are integrated, you need to add the lines of code specified below to your main application class
    Security security = new Security(getApplicationContext());
    security.registerNative(getApplicationContext());
    security.loadNative();
  11. Now your application is secured and ready for market release

Usage of Utility API in Java Archive (jar)

In addition to features, Quixxi security provides utility APIs for usage in application development.
You can also check out our API Reference for more detailed information about our SDK.

Steps to Encrypt and Decrypt in Java Archive (jar)

Quixxi Security provides APIs to encrypt confidential information and use the encrypted data and decrypt the encrypted text to get back the original data when required. You could use the AES algorithm or base 64 encoding/decoding mechanism for your encryption and decryption scenarios.
A snippet of usage of encryption and decryption as

EncryptionUtils mEncryptionUtils = new EncryptionUtils();
// Encrypts given text to encrypted text using AES
mEncryptionUtils.encryptAES(“Example String to be Encrypted”,”My Encryption Password”);
//Encrypt file content in the given path
mEncryptionUtils.encryptFile(“My Encryption Password”,inputFilename, outputFilename);
// Encrypts given text to encrypted text using base64 method
mEncryptionUtils.encodeString(“Example String to be Encrypted”);
// Decrypt encrypted text to original text using AES
mEncryptionUtils.decryptAES(“Encrypted text”,”My Encyption Password”);
//Decrypt file content in the given path
mEncryptionUtils.decryptFile(“My Encryption Password”,”inputFilename”,”outputFilename”);
//Decrypt a encoded string usign base64 method
mEncryptionUtils.decodeString(“Encrypted String”);’

Usage of Shared Preferences API in Java Archive (jar)

You may wish to have a secured place inside the device, so that you can save the data you want and retrieve it later when necessary. This functionality is achieved by using our Shared Preferences APIs. The shared preferences in the devices is like a secret location which cannot be seen or tracked by casual looking or searching. So, the APIs use this place for storing any secret data which is required at some time or the other.

// save String to preference
A.saveStringPreferences(“name of the shared preference”,”modified preference name “, “string to be stored in the preference” );
// retrieve the string value from preference
A.getStringPreferences(“name of the preference file”,”name of the shared preference”, default String value to return if preference doesn’t exist );

Android Security SDK – Quick Start Guide

Introduction

Quixxi Security is usable for enterprises, mobile app developers to secure their mobile apps from piracy, revenue loss, IP theft, loss of user data , hacking and cracking. Quixxi Security ensures your application is fully protected with our multi layered encryption engine that prevents your application from being reverse engineered and tampered with.

Salient features

      1. Security Framework will encrypt your business logic code of your application and move it to native low layer
      2. Framework uses java reflection to hide the method calls and it removes the method body and replaces it with native method calls to protect the apps business logic from crackers
      3. Prevents revenue loss caused by cracked usage of application
        Easy to Integrate your existing applications
      4. Provides additional APIs for encrypting the App data and shared preferences API for storing data secretly in device

Note

If you use ProGuard, Make sure that the below line of code is added to the Proguard.

-keep class com.quixxi.** { *; }
-keep class com.google.gson.**{*;}

Steps to apply Quixxi Security to Android app

Please follow the steps below to protect your Android application with Quixxi Security

      1. Create a new app in Quixxi Portal using “Add New” button.
      2. In “Create your app” dialog give a name of your application and click Continue
      3. Click the newly created app and choose “Security” in the header tab.
      4. Under the Android Section Click “Protect now” to protect your app.
      5. In the next window make sure Android Radio button is selected and select the apk to be uploaded
      6. Scroll down the window and the choose the appropriate plan and then click Next select the options in securing the apk
      7. Select the the options which you want to be added to your protected apk and click ‘Next’.
      8. Once you Click Next the apk will be uploaded to server and Quixxi security will be applied.
      9. Once Quixxi Security is applied to the apk, you will be automatically redirected to the Report page. Click on the Download Protected App on the top right corner under the header to download the protected app

        After applying security quixxi provides unaligned, unsigned apk. You need to sign apk before publishing it to play store.
        Use following commands to sign your apk

Jarsigner:

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore $YOUR-KEY-STORE-PATH $UNSIGN-APK-PATH $ALIAS-NAME

Jarsigner Verify:

jarsigner -verify -verbose -certs $UNSIGN-APK-PATH

zipalign:

zipalign -v 4 $UNSIGN-APK-PATH $OUTPUT-APK-PATH

Steps to apply Quixxi Security to Android Archive (aar)

Please follow the steps below to protect your Android library with Quixxi Security

      1. Create a new app in Quixxi Portal using “Add New” button.
      2. In “Create your app” dialog give a name of your application and click Continue
      3. Click the newly created app and choose “Security” in the header tab.
      4. Scroll down to the bottom of the page and click the “Protect” button Under the Code Protection in the left side of the window.
      5. In the next window make sure Android Radio button is selected and select the aar to be uploaded.
      6. Scroll down the window and the choose the appropriate plan and then click Next to start uploading the aar .
      7. Once Quixxi Security is applied to the aar,Click on the Download Protected aar on the top right corner under the header to download the protected app.
      8. To initialize quixxi security framework add the following line to the launcher activity
        QuixxiSecurity.initialize(this,getApplicationContext());
      9. Now your application is secured and ready for market release

Steps to apply Quixxi Security to Java Archive (jar)

Please follow the steps below to protect your Android library with Quixxi Security

      1. Create a new app in Quixxi Portal using “Add New” button.
      2. In “Create your app” dialog give a name of your application and click Continue
      3. Click the newly created app and choose “Security” in the header tab.
      4. Scroll down to the bottom of the page and click the “Protect” button Under the Code Protection in the left side of the window.
      5. In the next window make sure Android Radio button is selected and select the aar to be uploaded.
      6. Scroll down the window and choose the appropriate plan and then click Next to start uploading the jar.
      7. Once Quixxi Security is applied to the jar, Click on the Download Protected jar on the top right corner under the header to download the protected app.
      8. Copy the native library (.so) to your libs directory
      9. Replace your application source packages (packaged as jar which was meant to be secured) with the secured source packages generated from Quixxi Security
      10. Once the libs and packages are integrated, you need to add the lines of code specified below to your main application class
        Security security = new Security(getApplicationContext());
        security.registerNative(getApplicationContext());
        security.loadNative();
      11. Now your application is secured and ready for market release

Usage of Utility API in Java Archive (jar)

In addition to features, Quixxi security provides utility APIs for usage in application development.
You can also check out our API Reference for more detailed information about our SDK.

Steps to Encrypt and Decrypt in Java Archive (jar)

Quixxi Security provides APIs to encrypt confidential information and use the encrypted data and decrypt the encrypted text to get back the original data when required. You could use the AES algorithm or base 64 encoding/decoding mechanism for your encryption and decryption scenarios.
A snippet of usage of encryption and decryption as

EncryptionUtils mEncryptionUtils = new EncryptionUtils();
// Encrypts given text to encrypted text using AES
mEncryptionUtils.encryptAES(“Example String to be Encrypted”,”My Encryption Password”);
//Encrypt file content in the given path
mEncryptionUtils.encryptFile(“My Encryption Password”,inputFilename, outputFilename);
// Encrypts given text to encrypted text using base64 method
mEncryptionUtils.encodeString(“Example String to be Encrypted”);
// Decrypt encrypted text to original text using AES
mEncryptionUtils.decryptAES(“Encrypted text”,”My Encyption Password”);
//Decrypt file content in the given path
mEncryptionUtils.decryptFile(“My Encryption Password”,”inputFilename”,”outputFilename”);
//Decrypt a encoded string usign base64 method
mEncryptionUtils.decodeString(“Encrypted String”);’

Usage of Shared Preferences API in Java Archive (jar)

You may wish to have a secured place inside the device, so that you can save the data you want and retrieve it later when necessary. This functionality is achieved by using our Shared Preferences APIs. The shared preferences in the devices is like a secret location which cannot be seen or tracked by casual looking or searching. So, the APIs use this place for storing any secret data which is required at some time or the other.

/ save String to preference
A.saveStringPreferences(“name of the shared preference”,”modified preference name “, “string to be stored in the preference” );
// retrieve the string value from preference
A.getStringPreferences(“name of the preference file”,”name of the shared preference”, default String value to return if preference doesn’t exist );