Reverse engineering and tampering attacks threaten every mobile app, yet many apps apply basic code hardening techniques (or none at all!) to defend against these attempts. In fact, research has shown that half of the world’s leading financial services apps on the Android marketplace are not using proper application shielding techniques such as code and data obfuscation.
Obfuscation is a way for Android developers to protect their apps from reverse engineering and tampering attempts by masking their source code and data. Without this level of protection, malicious actors can easily gain an understanding of an app’s inner workings. This can lead to stolen intellectual property, distributed app clones, extracted sensitive data, loss of revenue, and potentially much more.
Let’s explore why mobile app developers should consider using obfuscation to effectively harden their apps. We’ll also discuss the different levels of obfuscation and why developers need to use several advanced techniques to adequately protect their apps from both static and dynamic attacks.
What is Code and Data Obfuscation?
Code and data obfuscation is a form of code hardening that ensures an application is difficult to decompile by making its source code and its data challenging for humans and machines to understand. When it’s harder for unauthorized third parties to gain insights into the internal workings of an application, there are fewer opportunities for threat actors to exploit the app by stealing in-app information like IP or sensitive data, as an example.
Obfuscation changes the code and its data without modifying the behavior of the application or the user experience. It ranges from renaming classes or methods to transforming arithmetic or modifying the control flow of the app or encrypting app data. Below is a breakdown of some of the most common obfuscation techniques:
- Identifiers: Renaming classes, methods, variables, or libraries, to name a few. Developers tend to choose meaningful names to make their code more readable and enable them to debug applications more easily. By replacing identifiers with meaningless characters, it can make the code harder to understand. Worth noting, however, is that this type of obfuscation is not sufficient by itself. Bad actors can still understand the semantics of the app using the control or dataflow or through visible OS interactions rather than meaningful identifiers. Additionally, identifiers from external sources cannot be changed.
- Control Flow: Altering the structure of the application code, control flow obfuscation works by reordering lines of code, flattening functions, substituting code patterns, inserting dead code, and more. These transformations increase the complexity of the logic itself making the code so unpredictable that even decompilers cannot parse it.
- Data: Encrypting strings and other data within the source code. Mobile apps include sensitive information, such as API keys, database passwords, or hard-coded secret keys. By encrypting these and hiding the related data flow — that is to say, when the app uses that information — app developers can protect this data even if malicious actors successfully reverse engineer large portions of the source code.
These are just three code and data obfuscation techniques that can help protect your mobile app against malicious actors. To maximize your protection against decompilers or disassemblers, it is best to implement multiple, advanced techniques like control flow obfuscation and encryption.
How Obfuscation Prevents Security Incidents
Decompilers and disassemblers are often used to make it easier for malicious actors to understand how an app works. Even if an exact replica of the original source code is not possible because a lot of information is lost during the compilation into an executable app, decompilers and disassemblers produce a kind of source code, i.e. pseudo-code, that is easier to read and understand for humans than machine-executable code. Application pseudo-code can provide a treasure trove of information for threat actors. Once they know the internal logic of a mobile application, they can manipulate its functionality potentially resulting in the theft of intellectual property and loss of revenue. These types of reverse engineering and tampering attempts — called static analysis attacks — depend on uncovering the logic of an app. That’s why OWASP recommends obfuscation as a secure coding practice every mobile app developer should implement when creating apps that handle sensitive data and/or functionality.
Through obfuscation, Android developers can ensure that even using sophisticated static analysis tools, malicious actors will have a difficult time understanding their mobile application code. This requires going beyond simple name obfuscation, however, and using advanced obfuscation techniques that modify the logical flow of the application and include additional encryption layers. Understanding early the need for obfuscation and the effectiveness of security measures implemented in a mobile app improves the security posture of the app itself. Once the need is understood, testing the mobile application security continuously during the development process, finding issues, and fixing them quickly are critical steps.
The more obfuscation techniques used, the better protected your application will be against reverse engineering attacks because each layer makes it even more difficult for the code to be understood by both humans and automated tools.
Because a typical attack often goes beyond static analysis, developers should also consider implementing runtime application self-protection (RASP) to protect their apps against dynamic attacks as well. RASP implementations detect suspicious behavior and respond with pre-programmed actions to stop threats during runtime.
Mobile Developers Need to Obfuscate Their Code
Android developers should implement security measures to protect their apps against reverse engineering, tampering, or other attacks. A layered approach to mobile security, including code obfuscation, is crucial for preserving your Android app’s integrity, safeguarding your data, and maintaining your business’s reputation.
Guardsquare’s DexGuard provides multiple layers of code hardening and RASP. That means Android developers can protect their applications from both static and dynamic attacks. DexGuard’s security measures are also applied polymorphically, meaning the application is re-obfuscated differently during every new build. Application hardening that evolves over time is the best way to stay ahead of malicious actors and keep your Android apps safe.
In addition, AppSweep by Guardsquare enables Android developers to continuously test the security of their apps while developing them and provides actionable insights to fix issues in code and dependencies.