Android App Security Risks and Protection Strategies Presented at Qunar Tech Carnival
The article outlines common Android security vulnerabilities such as unprotected resources, easily decompiled Java and native code, and proposes protection measures like resource obfuscation, code encryption, native code hardening, and introduces the Qotector platform for APK analysis and reinforcement.
The Qunar Tech Carnival featured a session on Android security led by Teng Hongmeng, an Android R&D engineer, focusing on three main topics: unprotected apps exposing data, the current security state of Android applications, and protection solutions.
Unprotected apps can leak data interfaces, degrade server performance, and expose promotional strategies, while both Java and native code are vulnerable to reverse engineering, allowing attackers to modify logic, bypass checks, and extract encryption keys.
Protection strategies discussed include resource protection (inserting junk data into the APK so that common decompilers fail to parse it), Java code protection (shipping the DEX code encrypted and decrypting and loading it only at runtime), and native code protection via techniques such as reconstructing the .so (ELF) file format, code obfuscation, detecting an attached debugger, and detecting hook tools.
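The last two native-code measures in that list, debugger detection and hook-tool detection, are easy to show concretely. The C program below is an added example written for this page, not code from the talk or from Qotector: it reads the `TracerPid` field of `/proc/self/status` (non-zero while a ptrace-based debugger is attached) and scans `/proc/self/maps` for shared objects whose path names a known hooking framework. The marker list (`frida`, `xposed`, `substrate`, `libriru`) and the `/proc` sample texts are assumptions constructed for illustration; the same parsing functions are run both on those samples and on the live process.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Hooking frameworks that reveal themselves as mapped shared objects.
 * Assumed, illustrative marker list; a real product would maintain its own. */
static const char *HOOK_MARKERS[] = { "frida", "xposed", "substrate", "libriru", NULL };

/* Parse the TracerPid field of /proc/<pid>/status text.
 * Returns the tracer's pid (0 = nothing attached) or -1 if the field is absent. */
int parse_tracer_pid(const char *status_text) {
    const char *p = strstr(status_text, "TracerPid:");
    if (!p) return -1;
    p += strlen("TracerPid:");
    while (*p == ' ' || *p == '\t') p++;
    return atoi(p);                      /* atoi stops at the newline */
}

/* Return 1 if one maps line names a known hook library (case-insensitive), else 0. */
int line_has_hook_marker(const char *line, size_t len) {
    char lower[512];
    if (len >= sizeof lower) len = sizeof lower - 1;   /* truncate overlong lines */
    for (size_t i = 0; i < len; i++) lower[i] = (char)tolower((unsigned char)line[i]);
    lower[len] = '\0';
    for (const char **m = HOOK_MARKERS; *m; m++)
        if (strstr(lower, *m)) return 1;
    return 0;
}

/* Scan maps text; return the 1-based line number of the first hook mapping, 0 if none. */
int find_hook_mapping(const char *maps_text) {
    int line_no = 1;
    for (const char *line = maps_text; *line; line_no++) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (line_has_hook_marker(line, len)) return line_no;
        if (!nl) break;
        line = nl + 1;
    }
    return 0;
}

/* Live check: 1 = a tracer is attached, 0 = clean, -1 = /proc not readable. */
int debugger_attached(void) {
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    int tracer = parse_tracer_pid(buf);
    return tracer < 0 ? -1 : (tracer > 0);
}

/* Live check: 1 = a hook library is mapped, 0 = clean, -1 = /proc not readable.
 * Streams the file line by line, since maps can be far larger than one buffer. */
int hook_library_present(void) {
    char line[512];
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    int found = 0;
    while (!found && fgets(line, sizeof line, f))
        found = line_has_hook_marker(line, strlen(line));
    fclose(f);
    return found;
}

/* Constructed sample inputs (not captured from a real device). */
static const char SAMPLE_STATUS_CLEAN[] =
    "Name:\tcom.example.app\nState:\tS (sleeping)\nPid:\t4321\nPPid:\t1\nTracerPid:\t0\n";
static const char SAMPLE_STATUS_TRACED[] =
    "Name:\tcom.example.app\nState:\tt (tracing stop)\nPid:\t4321\nPPid:\t1\nTracerPid:\t31337\n";
static const char SAMPLE_MAPS_CLEAN[] =
    "7f1a000000-7f1a01f000 r-xp 00000000 fd:00 1234 /system/lib64/libc.so\n"
    "7f1b000000-7f1b020000 r-xp 00000000 fd:00 5678 /data/app/com.example.app/lib/arm64/libnative.so\n";
static const char SAMPLE_MAPS_HOOKED[] =
    "7f1a000000-7f1a01f000 r-xp 00000000 fd:00 1234 /system/lib64/libc.so\n"
    "7f1b000000-7f1b020000 r-xp 00000000 fd:00 5678 /data/app/com.example.app/lib/arm64/libnative.so\n"
    "7f1c000000-7f1c500000 r-xp 00000000 fd:00 9999 /data/local/tmp/re.frida.server/frida-agent-64.so\n";

int main(void) {
    printf("sample clean status : TracerPid=%d\n", parse_tracer_pid(SAMPLE_STATUS_CLEAN));
    printf("sample traced status: TracerPid=%d\n", parse_tracer_pid(SAMPLE_STATUS_TRACED));
    printf("sample clean maps   : hook line=%d\n", find_hook_mapping(SAMPLE_MAPS_CLEAN));
    printf("sample hooked maps  : hook line=%d\n", find_hook_mapping(SAMPLE_MAPS_HOOKED));
    printf("this process        : debugger=%d hooks=%d\n", debugger_attached(), hook_library_present());
    return 0;
}
```

Both checks are a layer, not a guarantee: an attacker who controls the device can rename the Frida server binary so no marker matches, or patch the check out of the .so, which is why the talk pairs them with .so format reconstruction and obfuscation rather than relying on them alone. In a real build the checks would also run from several places and at unpredictable times, not once at startup.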
The session introduced the Qotector platform, which provides APK security analysis (identifying risky permissions, unsafe SSL implementations, WebView vulnerabilities, native library leaks, and resource bloat) and APK hardening (primarily focusing on native library reinforcement) to help developers secure their applications.
Usage instructions for Qotector were provided, emphasizing that a hardened APK must be re-signed before distribution (hardening modifies the package and so invalidates its original signature) and that uploaded packages must be in a form the platform can analyze.
Qunar Tech Salon
Qunar Tech Salon is a learning and exchange platform for Qunar engineers and industry peers. We share cutting-edge technology trends and topics, providing a free platform for mid-to-senior technical professionals to exchange and learn.