I have been particularly trying to find the most effective measures to protect an APK from reverse engineering and abusive use. While continuing my research I came across various top-rated apps, and one of them which garnered most of my attention (as well as others' perhaps) was Snapchat.
Now, Snapchat had tried to rebuild its security measures and tighten its knots to prevent abusive use of its app following its fall 2017 releases. Long story short, Snapchat started using a special header called X-Snapchat-Client Auth Token to sign all requests originating from the app. The beauty is that a simple decompile and recompile leaves the app useless, and it perhaps boils down to the special header, which helps Snapchat's servers detect that the request is illegitimate and originated from an untrusted source and hence should not be entertained.
This special header is actually prepared by a special native library called libscplugin.so, which is called by the app during initial login and helps generate the header and sign the requests. On doing a bit of digging I discovered that this library (which is actually a shared object (.so) and cannot be decompiled easily, unlike the .dex files) makes the following Java method calls:
- com.snapchat.android.app.shared.crypto.DeviceTokenManager.getInstance
- com.snapchat.android.app.shared.crypto.DeviceTokenManager.getDeviceToken1
which is understandable, as it might be doing some stuff with the device token.
And there are the following calls as well:
- java.lang.ClassLoader.loadClass
- dalvik.system.BaseDexClassLoader.findClass
- dalvik.system.DexPathList$Element.toString
- and a large number of other Dalvik and String method calls
I want to understand what this particular method of protection is and how it helps Snapchat identify an unauthorized app. What do the above method calls symbolize or convey? Is it trying to obtain the app signature from the native layer, or trying to compute the state of the dex files, or anything else which I'm not aware of and is very interesting and helpful, and using it further to generate the attestation token?
Whatever these calls do, it's pretty obvious it is very successful and has stood the test of time.
Any further thoughts and insights are most welcome and appreciated.