Reverse engineering and tampering attacks threaten any mobile app, but many apps use basic code hardening techniques (or none at all!) To defend themselves against these attempts. In fact, research has shown that half of the world’s leading financial services apps in the Android marketplace are not using appropriate application shielding techniques such as code and data obfuscation.
Obfuscation is a way for Android developers to protect their apps from reverse engineering and tampering by masking their source code and data. Without this level of protection, malicious actors can easily gain an understanding of the inner workings of an app. This can lead to stolen intellectual property, distributed app clones, extracted sensitive data, lost revenue, and possibly much more.
Let’s examine why mobile app developers should consider using obfuscation to effectively harden their apps. We also discuss the different levels of obfuscation and why developers need to use different advanced techniques to adequately protect their apps from static and dynamic attacks.
What is code and data obfuscation?
Code and data obfuscation is a form of code hardening that ensures that an application is difficult to decompile by making its source code and data difficult to understand for humans and machines. When it is more difficult for unauthorized third parties to gain insight into the internal functioning of an application, threat actors have fewer opportunities to exploit the app, for example by stealing in-app information such as IP or sensitive data.
Obfuscation changes the code and its data without changing the behavior of the application or the user experience. It ranges from renaming classes or methods to transforming the arithmetic or changing the control flow of the app to encrypting app data. Below is a breakdown of some of the most common obfuscation techniques:
- Identifiers: Rename classes, methods, variables, or libraries, to name a few. Developers tend to choose meaningful names to make their code more readable and to make it easier for them to debug applications. Replacing identifiers with meaningless characters can make the code harder to understand. It is noteworthy, however, that this type of obfuscation alone is not enough. Bad actors can still understand the semantics of the app using control or data flow or through visible operating system interactions instead of meaningful identifiers. In addition, identifiers from external sources cannot be changed.
- Control flow: By changing the structure of the application code, obfuscating the flow of control works by rearranging lines of code, reducing functions, replacing code patterns, inserting dead code, and more. These transformations add complexity to the logic itself and make the code so unpredictable that even decompilers cannot parse it.
- Data: Encrypt strings and other data within the source code. Mobile apps contain sensitive information such as API keys, database passwords or hard-coded secret keys. By encrypting it and hiding the associated data flow – that is, when the app is using this information – app developers can protect this data even if malicious actors successfully reverse engineer large chunks of the source code.
These are just three code and data obfuscation techniques that can help protect your mobile app from malicious actors. To maximize your protection against decompilers or disassemblers, it is best to implement several advanced techniques such as obfuscation of the flow of control and encryption.
How obfuscation prevents security incidents
Decompilers and disassemblers are widely used to help malicious actors understand how an app works. Even if an exact replication of the original source code is not possible because a lot of information is lost when translating into an executable app, decompilers and disassemblers generate a type of source code, i.e. pseudocode, which is easier to read and understand for humans than machine-executable code. Application pseudocode can provide threat actors with a treasure trove of information. Once they know the internal logic of a mobile application, they can manipulate its functionality, potentially leading to intellectual property theft and lost revenue. These types of reverse engineering and manipulation attempts – called static analysis attacks – depend on uncovering the logic of an app. For this reason, OWASP recommends obfuscation as a secure coding practice that every mobile app developer should implement when creating apps that process sensitive data and / or functionality.
Obfuscation allows Android developers to ensure that even with sophisticated static analysis tools, malicious actors have trouble understanding their mobile application code. However, this requires going beyond simple name obfuscation and using advanced obfuscation techniques that change the logical flow of the application and include additional layers of encryption. The early recognition of the need for obfuscation and the effectiveness of the security measures implemented in a mobile app improves the security situation of the app itself. Once the need has been understood, the continuous testing of the security of the mobile application during the development process, the finding of problems and their fast Fix critical steps.
The more obfuscation techniques that are used, the better your application is protected against reverse engineering attacks, as each layer makes it even more difficult for the code to understand, both for humans and for automated tools.
Since a typical attack often goes beyond static analysis, developers should also consider implementing Runtime Application Self-Protection (RASP) to protect their apps from dynamic attacks as well. RASP implementations detect suspicious behavior and respond with preprogrammed actions to stop threats during runtime.
Mobile developers need to obfuscate their code
Android developers should take security measures to protect their apps from reverse engineering, tampering, or other attacks. Taking a layered approach to mobile security, including code obfuscation, is critical to maintaining the integrity of your Android app, protecting your data, and protecting your company’s reputation.
Guardsquare’s DexGuard offers multiple levels of code hardening and RASP. This means that Android developers can protect their applications from both static and dynamic attacks. DexGuard’s security measures are also applied polymorphically, which means that the application is obfuscated differently with each new build. Application hardening, evolving over time, is the best way to stay ahead of malicious actors and keep your Android apps safe.
In addition, Guardsquare’s AppSweep enables Android developers to continuously test the security of their apps as they develop, and provides actionable insights to troubleshoot code and dependency issues.