General App Security Questions

How can I completely prevent reverse engineering of an Android APK? Is this possible?

Ultimately, there’s no limit to the amount of effort that a sufficiently determined adversary can devote to reverse-engineering an Android APK, so given enough time even the most hardened and well-obfuscated application can eventually be reversed. Thus, the game isn’t to prevent reverse-engineering completely, but rather to increase the cost in terms of time, effort, needed tooling, etc., to the point that a potential adversary finds it more trouble than it’s worth to go after your app (knowing that there are lots of other, largely unprotected apps out there!).

Reverse-engineering and app protection are a cat-and-mouse game, with both the adversary and the app developer using constantly evolving tools and technology. Accepting that there is no ultimate “perfect” defence doesn’t mean that you should give up, but rather that you need a nuanced security posture: What attacks or exploits are you most worried about? What are you protecting (valuable IP? business value? privacy-sensitive data?), and how can you best balance the other important aspects of APK design (quality, user experience, rapid development, etc.) while still defending against reverse-engineering?