Upgrade to Pro — share decks privately, control downloads, hide ads and more …

[Droidcon Berlin 2023] Obfuscation in Mobile Apps

[Droidcon Berlin 2023] Obfuscation in Mobile Apps

Marc Obrador

July 06, 2023
Tweet

More Decks by Marc Obrador

Other Decks in Programming

Transcript

  1. What is obfuscation? https://en.wikipedia.org/wiki/Obfuscation Obfuscation is the obscuring of the

    intended meaning of communication by making the message difficult to understand, usually with confusing and ambiguous language.
  2. Why? Apps are uploaded to Play Store / App Store

    Anyone can download and unpack them! Source Code is YOUR IP! Understanding internals of the App can lead to unintended consequences (e.g. removing restrictions, paywalls, …) Obfuscation makes it difficult to reverse engineer your App
  3. Does the programming language affect the result? All obfuscation techniques

    can be applied (in general) to any language, but the difficulty of reverse engineering depends on the distributable format for each language / platform Yes
  4. Time to play! 3 code snippets from different languages Extracted

    from their APK Only minimal obfuscation applied (method and var renaming)
  5. function t(o, t) { for (var n = 0, i

    = 0; i < o.length; i++) { o.charAt(i) === t && n++; } return n } React Native (JS) No tooling required!!
  6. .method a(Ljava/lang/String;C)I .locals 2 invoke-virtual {p1}, Ljava/lang/String;->toCharArray()[C move-result-object p1 const/4

    v0, 0x0 :goto_0 array-length v1, p1 if-ge v0, v1, :cond_1 aget-char v1, p1, v0 if-ne v1, p2, :cond_0 return v0 :cond_0 add-int/lit8 v0, v0, 0x1 goto :goto_0 :cond_1 const/4 p1, -0x1 return p1 .end method Android - Java Only open source tools used
  7. int _Z1aPcc(int * arg0, int arg1) { r1 = arg1;

    r0 = arg0; r9 = *(int8_t *)r0; if (r9 != 0x0) { r8 = r0 + 0x1; do { r10 = r9 & 0xff; r9 = *(int8_t *)r8; r8 = r8 + 0x1; if (r10 == zero_extend_64(r1)) { asm { cinc w0, w0, eq }; } } while (r9 != 0x0); } return 0x0; } Android - NDK Professional tooling used
  8. Tooling is not available (yet)! Flutter (even though some alternatives

    are starting to come up: https://github.com/Impact-I/reFlutter)
  9. Closing Thoughts Obfuscating source code might be important to prevent

    your source code from being stolen or even modified Chosen Programming Language has a direct impact on the effectiveness of the obfuscation Assembly Languages (C/C++/Dart) > Java > JS Flutter is a good choice (temporarily) For native Android, using Java / Kotlin for highly sensitive code is discouraged
  10. Build38 gives back! Build38 commits to maintain and contribute to

    o-MVLL, part of Open Obfuscator https://obfuscator.re/ Created by industry expert Romain Thomas https://romainthomas.fr Free, Open-Source obfuscation for everyone Supports Android NDK, iOS and Flutter