Make sure the malicious apk is not talking to my server
I am trying to make sure that someone cannot recompile my obfuscated application and then send malicious data to my server. I am doing SSLed PHP_POST of my application's versionCode and packageName. These POSTED variables are encrypted using asymmetric encryption along with signature verification, which will be changed for each version update. I thought about using checksums, but these methods are not officially supported by Google, and research has shown that they are not buggy, which could potentially violate legitimate users.
Among other things, it is a ban on the site via IP / Mac / IMEI / Serial / Android_ID / etc when something is detected that is 100% illegal.
I understand that nothing can be 100% secure, and the difference between good security and bad security is that the time / money / effort required to breach security is rated higher than an item protected by security. With this in mind, are there any other techniques I could use to secure my application, or any ideas I have to implement to add to current security?
On the other hand, how easy is it to decompile / recompile an apk (jar) that has been obfuscated, and would it be easier if it was done once? (otherwise, it doesn't matter how many times I change the key, because the application is already compromised and the decompiler might just look at the same place where my last key was)
source to share
First, don't make your own crypto. If you implement SSL correctly (!), Which is probably sufficient to protect data in transit from unauthorized access, etc. What you need to do is authenticate your application somehow, which is usually tricky because you need to store the credentials in the application. There are different ways, but currently the standard (and Google approved way) is to use Google Play services to get a token and validate it in your server application. Details here: http://android-developers.blogspot.jp/2013/01/verifying-back-end-calls-from-android.html
It's not perfect, but it's probably better than most custom solutions you can think of.
Decompilation is usually straightforward and obfuscation doesn't change much, as it is trivial to find places where you call system APIs (for getting MAC addresses, hashing, encryption, etc.).
source to share