Secure Communication in Hybrid Android Apps: Encryption, HTTPS, and Anti‑Tampering Techniques
This article explains how to protect communication in hybrid Android applications by using native C/C++ encryption libraries, secure HTTPS handling, zip‑based Web resource protection, and anti‑tampering/replay mechanisms, providing practical code examples and architectural guidance for developers.
The article introduces communication security for hybrid Android apps, emphasizing the need to prevent interception, tampering, and replay attacks. It proposes a layered approach that combines native encryption, secure HTTPS, and protected Web resources.
1. Encryption Scheme – The encryption routine is written in C/C++ and compiled into a native .so library; Java calls it through JNI. The point is reverse-engineering cost rather than man-in-the-middle protection as such: Java bytecode decompiles far more readily than ARM machine code, so keeping the algorithm and key handling native raises the bar for an attacker who wants to forge or decrypt traffic. The key is dynamic; the timestamp and random value passed to each call feed the native key derivation, so a key recovered from one capture does not unlock other requests. Two caveats a practitioner should keep in mind: this is payload-level encryption layered on top of TLS, not a replacement for it (a native library can still be disassembled or hooked at runtime), and 3DES is a legacy cipher that NIST has deprecated for new use, so an authenticated AES mode such as AES-GCM is the current choice for the same role.
public class NewSign {

    /**
     * 3DES-encrypt data with a dynamic key and return the ciphertext.
     * signType, timeStamp and random are inputs to the native key derivation.
     */
    public static native byte[] encodeData(int signType, long timeStamp, long random, byte[] data);

    /**
     * 3DES-decrypt ciphertext produced by encodeData and return the plaintext.
     * The same signType, timeStamp and random must be supplied to reproduce the key.
     */
    public static native byte[] decodeData(int signType, long timeStamp, long random, byte[] code);

    static {
        // loads libnewsign.so from the APK's native library directory
        System.loadLibrary("newsign");
    }
}
2. Web Communication Security – Instead of duplicating the encryption in JavaScript (where it would be trivially readable), the Web layer hands every request to the native layer. A method annotated with @JavascriptInterface, sendRequest, dispatches on the request type (POST, GET, FILEUPLOAD), logs the call, builds the parameters, performs the encrypted request, and returns the result to the page by invoking the named JavaScript callback. Because any script running in the WebView can call an exposed interface method, this only stays safe when the WebView loads content the app controls (here, the packaged ZIP bundle) and the app targets API 17 or later, where only methods carrying the @JavascriptInterface annotation are reachable from JavaScript.
@JavascriptInterface
public void sendRequest(int type, final String actionName, String url, String jsonStr,
                        final String callback, final int showType) {
    // type selects POST, GET or FILEUPLOAD; jsonStr carries the parameters;
    // the result is delivered back to the page by evaluating `callback`.
    // logging and request handling logic
    // ...
}
3. Web Resource Anti‑Cracking – Web assets (HTML, JS, JSON, images) are packaged into a password‑protected ZIP file. A custom HttpStaticZipHandler opens the archive with the password, indexes its entries, and serves them through an embedded HTTP server that the WebView loads from. The password necessarily ships inside the APK (or the native library), so this raises the effort needed to read or repack the Web bundle rather than providing real confidentiality; two practical points follow. Use the AES mode of the ZIP library rather than legacy ZipCrypto, which is breakable with known plaintext, and treat the lookup of request paths against the archive index as the only thing standing between the WebView and the filesystem, so decode and normalise paths before the lookup.
// zip4j 1.x API (setPassword takes a String in this version)
import net.lingala.zip4j.core.ZipFile;
import net.lingala.zip4j.exception.ZipException;
import net.lingala.zip4j.model.FileHeader;

public void initRootFile(ZipFile zf, String psw) throws IOException, ZipException {
    if (zf.isEncrypted()) {
        zf.setPassword(psw);
    }
    // build the lookup tables the handler uses: entry name -> header, entry name -> archive
    for (FileHeader fh : zf.getFileHeaders()) {
        fileIndex.put(fh.getFileName(), fh);
        zipFileMap.put(fh.getFileName(), zf);
    }
}
public HttpResponse handleRequest(HttpRequest request) throws IOException {
    // URLDecoder.decode(String, String) throws UnsupportedEncodingException (an IOException)
    String uri = URLDecoder.decode(request.getUri(), "UTF-8");
    ZipInputStream zis = vfs.getFileInputStream(uri);
    if (zis != null) {
        HttpResponse res = new HttpResponse(HttpStatus.OK, zis);
        // set content-type headers as needed (e.g. from the file extension)
        return res;
    }
    // null means "no such entry"; the caller should answer 404 rather than fall through
    return null;
}
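The handler above decodes the URI but does not strip the query string, normalise the path, or set a content type. The following is an added example, not the article's code, written in Python so it runs stand-alone; it serves entries from a ZIP bundle the way HttpStaticZipHandler does and adds those checks. The archive is constructed inline and, because the Python standard library cannot write encrypted ZIPs, is not actually encrypted; the password is still passed to ZipFile.open(pwd=...), which is where a ZipCrypto-protected archive would be decrypted. The entry names and password are made up for the example.

```python
"""Added example (not the article's code): a ZIP-backed virtual file system
serving Web assets, with request-path hardening."""
import io
import mimetypes
import zipfile
from typing import Dict, Optional, Tuple
from urllib.parse import unquote, urlsplit


def build_sample_bundle() -> bytes:
    """Constructed stand-in for the app's packaged Web bundle (unencrypted)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("index.html", "<html><body>hello</body></html>")
        zf.writestr("js/app.js", "console.log('app');")
        zf.writestr("data/config.json", '{"api": "/v1"}')
    return buf.getvalue()


class ZipVfs:
    """Indexes entry names once (like initRootFile) and reads entries on demand."""

    def __init__(self, archive: bytes, password: Optional[str]):
        self._zf = zipfile.ZipFile(io.BytesIO(archive))
        self._pwd = password.encode() if password else None
        # Directory entries end with '/'; only real files are servable.
        self._index = {n for n in self._zf.namelist() if not n.endswith("/")}

    def read(self, name: str) -> Optional[bytes]:
        if name not in self._index:
            return None
        # pwd is used only for encrypted entries; it is ignored for plain ones.
        with self._zf.open(name, pwd=self._pwd) as fh:
            return fh.read()


def resolve_path(uri: str) -> Optional[str]:
    """Map a request URI to an archive entry name, or None if the path is unsafe.

    Drops query/fragment, percent-decodes, removes empty and '.' segments and
    refuses '..', NUL and backslashes, so nothing can point outside the archive.
    """
    path = unquote(urlsplit(uri).path)
    if "\x00" in path or "\\" in path:
        return None
    parts = [p for p in path.split("/") if p not in ("", ".")]
    if any(p == ".." for p in parts):
        return None
    return "/".join(parts) or "index.html"   # '/' serves the default document


def handle_request(vfs: ZipVfs, uri: str) -> Tuple[int, str, bytes]:
    """Return (status, content_type, body) for a GET of `uri`."""
    name = resolve_path(uri)
    if name is None:
        return 400, "text/plain", b"bad path"
    body = vfs.read(name)
    if body is None:
        return 404, "text/plain", b"not found"
    ctype = mimetypes.guess_type(name)[0] or "application/octet-stream"
    return 200, ctype, body


if __name__ == "__main__":
    vfs = ZipVfs(build_sample_bundle(), "bundle-password")   # hypothetical password
    for uri in ("/", "/js/app.js?v=3", "/%2e%2e/%2e%2e/etc/passwd", "/missing.png"):
        status, ctype, body = handle_request(vfs, uri)
        print(f"{uri:32} {status} {ctype} {len(body)} bytes")
```

The traversal attempt is rejected before the index lookup, and a percent-encoded `..` is caught because decoding happens first. In the Android version the same checks belong in getFileInputStream or just before it.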
4. HTTPS Communication – The article builds a Volley RequestQueue that accepts the server's self‑signed certificate by supplying a custom SSLSocketFactory whose trust store contains only that certificate (loaded from the raw resource rawId). Trusting exactly one known certificate is effectively certificate pinning and is the right way to handle a self‑signed server; a trust‑all TrustManager or a permissive hostname verifier would defeat TLS entirely. It also enforces strict hostname verification on every HTTPS connection. Note that STRICT_HOSTNAME_VERIFIER comes from the legacy Apache HttpClient bundled with older Android releases, which was removed from the platform in API 23; on API 24 and later the same trust-anchor and pinning policy can be declared in a Network Security Config instead of code.
public static RequestQueue newRequestQueue(Context context, HttpStack stack,
                                           boolean selfSignedCertificate, int rawId) {
    // build the user-agent, choose HurlStack or HttpClientStack based on SDK version
    // when selfSignedCertificate is true, load the certificate from rawId into a
    // KeyStore-backed TrustManager and build the SSLSocketFactory from it
    // return the configured RequestQueue
}
@Override
protected HttpURLConnection createConnection(URL url) throws IOException {
    HttpURLConnection conn = (HttpURLConnection) url.openConnection();
    if (conn instanceof HttpsURLConnection) {
        // set the verifier on this connection rather than changing the process-wide
        // default; checking the protocol avoids the string/locale handling of the original
        ((HttpsURLConnection) conn).setHostnameVerifier(
                org.apache.http.conn.ssl.SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
    }
    return conn;
}
5. Anti‑Tampering and Replay Protection – The client attaches a signature token to each request containing USERID, a timestamp, and SIGN = MD5(sessionId + timestamp + actionInfo), where sessionId is the secret shared with the server after login. The server recomputes the hash, rejects requests whose signature or timestamp is wrong, and consults a replay cache so a captured token cannot be submitted a second time. For the construction to hold up, the server must also reject timestamps outside a bounded window (otherwise the replay cache grows without limit and an old capture stays valid forever), compare signatures in constant time, and ideally include a per-request nonce so two legitimate requests in the same millisecond are distinguishable. Two weaknesses in the scheme as written are worth fixing: plain concatenation without delimiters is ambiguous (the same string can be produced by different field splits), and an unkeyed MD5 over a secret is a home-grown MAC; the standard replacement is HMAC-SHA256 keyed with the session secret over the delimited fields.
import org.json.JSONObject;

public static JSONObject getSignToken(String actionInfo) {
    JSONObject signToken = new JSONObject();
    String timeStamp = System.currentTimeMillis() + "";
    // addData() is the article's put-with-error-handling helper; AppUtils.encryptMD5()
    // hex-encodes an MD5 digest. Neither is shown on the page.
    addData(signToken, "USERID", PayCommonInfo.userId);
    addData(signToken, "TIMESTAMP", timeStamp);
    addData(signToken, "SIGN", AppUtils.encryptMD5(PayCommonInfo.sessionId + timeStamp + actionInfo));
    return signToken;
}
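The page shows only the client side of the token. The following is an added example, not the article's code, written in Python so that the client token and the server-side validation it implies fit in one runnable file. It deliberately departs from the article in three labelled ways: HMAC-SHA256 keyed with the session secret replaces MD5 over a concatenated string, each field is length-prefixed before signing so the encoding is unambiguous, and a per-request NONCE plus a timestamp window (MAX_SKEW_SECONDS, a value the article does not specify) back the replay cache. The user ID, session secret and action strings are constructed for the example.

```python
"""Added example (not the article's code): sign token with HMAC, plus the
server-side signature, timestamp-window and replay-cache checks."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

MAX_SKEW_SECONDS = 300   # hypothetical window; the article gives no value


def _canonical(user_id: str, timestamp: int, nonce: str, action_info: str) -> bytes:
    """Length-prefix each field so 'ab'+'c' and 'a'+'bc' cannot collide."""
    out = b""
    for field in (user_id, str(timestamp), nonce, action_info):
        raw = field.encode()
        out += len(raw).to_bytes(4, "big") + raw
    return out


def _sign(secret: str, user_id: str, ts: int, nonce: str, action_info: str) -> str:
    return hmac.new(secret.encode(), _canonical(user_id, ts, nonce, action_info),
                    hashlib.sha256).hexdigest()


def get_sign_token(user_id: str, session_id: str, action_info: str,
                   now: Optional[int] = None, nonce: Optional[str] = None) -> Dict[str, str]:
    """Client side: counterpart of the article's getSignToken()."""
    ts = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16) if nonce is None else nonce
    return {"USERID": user_id, "TIMESTAMP": str(ts), "NONCE": nonce,
            "SIGN": _sign(session_id, user_id, ts, nonce, action_info)}


class ReplayGuard:
    """Server side: looks up the session secret, checks signature, window and nonce."""

    def __init__(self, sessions: Dict[str, str]):
        self._sessions = sessions                       # user_id -> session secret
        self._seen: Dict[Tuple[str, str], int] = {}    # (user_id, nonce) -> expiry

    def verify(self, token: Dict[str, str], action_info: str,
               now: Optional[int] = None) -> Tuple[bool, str]:
        now = int(time.time()) if now is None else now
        user_id = token.get("USERID", "")
        secret = self._sessions.get(user_id)
        if secret is None:
            return False, "unknown user"
        try:
            ts = int(token["TIMESTAMP"])
            nonce, sign = token["NONCE"], token["SIGN"]
        except (KeyError, ValueError):
            return False, "malformed token"
        # Bounded window keeps the replay cache finite and kills old captures.
        if abs(now - ts) > MAX_SKEW_SECONDS:
            return False, "timestamp outside window"
        # Signature first, so unauthenticated traffic cannot fill the nonce cache;
        # compare_digest avoids timing leaks that '==' would introduce.
        expected = _sign(secret, user_id, ts, nonce, action_info)
        if not hmac.compare_digest(expected, sign):
            return False, "bad signature"
        self._seen = {k: v for k, v in self._seen.items() if v > now}   # purge expired
        key = (user_id, nonce)
        if key in self._seen:
            return False, "replay"
        self._seen[key] = ts + MAX_SKEW_SECONDS
        return True, "ok"


if __name__ == "__main__":
    guard = ReplayGuard({"u1001": "session-secret"})          # constructed session table
    tok = get_sign_token("u1001", "session-secret", "pay:order=42")
    print("first use :", guard.verify(tok, "pay:order=42"))   # (True, 'ok')
    print("replayed  :", guard.verify(tok, "pay:order=42"))   # (False, 'replay')
    print("tampered  :", guard.verify(tok, "pay:order=43"))   # (False, 'bad signature')
```

Because USERID is inside the signed data, swapping it for another user's ID also fails verification; the guard looks up the secret for the claimed user and the HMAC no longer matches.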
In summary, the article sets out a layered approach to securing communication in hybrid Android apps: native encryption behind JNI, a single native request path for the Web layer, a password‑protected ZIP bundle for Web resources, a pinned self‑signed certificate with strict hostname verification for HTTPS, and a signed, timestamped token with a server‑side replay cache. The author reports that these measures have held up under third‑party penetration testing.
Sohu Tech Products
A knowledge-sharing platform for Sohu's technology products. As a leading Chinese internet brand with media, video, search, and gaming services and over 700 million users, Sohu continuously drives tech innovation and practice. We’ll share practical insights and tech news here.