[Droidcon Berlin 2023] Obfuscation in Mobile Apps

Marc Obrador

July 06, 2023

Transcript

  1. Obfuscation In Mobile Apps
    Marc Obrador
    CTO & Co-Founder
    DroidCon Berlin - July 2023

  2. What is obfuscation?
    https://en.wikipedia.org/wiki/Obfuscation
    Obfuscation is the obscuring of the intended meaning of communication by making the message difficult to understand, usually with confusing and ambiguous language.

  3. Obfuscating source code

  4. Why?
    Apps are uploaded to Play Store / App Store
    Anyone can download and unpack them!
    Source Code is YOUR IP!
    Understanding internals of the App can lead to unintended consequences (e.g. removing restrictions, paywalls, …)
    Obfuscation makes it difficult to reverse engineer your App

  5. Cons
    Impact on …
    Debugging
    Performance
    Size

  6. Does the programming language affect the result?
    Yes
    All obfuscation techniques can be applied (in general) to any language, but the difficulty of reverse engineering depends on the distributable format for each language / platform

  7. Time to play!
    3 code snippets from different languages
    Extracted from their APK
    Only minimal obfuscation applied (method and var renaming)

  8. React Native (JS)
    No tooling required!!

    function t(o, t) {
      for (var n = 0, i = 0; i < o.length; i++) {
        o.charAt(i) === t && n++;
      }
      return n
    }

  9. Android - Java
    Only open source tools used

    .method a(Ljava/lang/String;C)I
        .locals 2
        invoke-virtual {p1}, Ljava/lang/String;->toCharArray()[C
        move-result-object p1
        const/4 v0, 0x0
        :goto_0
        array-length v1, p1
        if-ge v0, v1, :cond_1
        aget-char v1, p1, v0
        if-ne v1, p2, :cond_0
        return v0
        :cond_0
        add-int/lit8 v0, v0, 0x1
        goto :goto_0
        :cond_1
        const/4 p1, -0x1
        return p1
    .end method

  10. Android - NDK
    Professional tooling used

    int _Z1aPcc(int * arg0, int arg1) {
        r1 = arg1;
        r0 = arg0;
        r9 = *(int8_t *)r0;
        if (r9 != 0x0) {
            r8 = r0 + 0x1;
            do {
                r10 = r9 & 0xff;
                r9 = *(int8_t *)r8;
                r8 = r8 + 0x1;
                if (r10 == zero_extend_64(r1)) {
                    asm { cinc w0, w0, eq };
                }
            } while (r9 != 0x0);
        }
        return 0x0;
    }

  11. Flutter
    Tooling is not available (yet)!
    (even though some alternatives are starting to come up: https://github.com/Impact-I/reFlutter)

  12. Closing Thoughts
    Obfuscating source code might be important to prevent your source code from being stolen or even modified
    The chosen programming language has a direct impact on the effectiveness of the obfuscation
    Natively compiled languages (C/C++/Dart) > Java > JS
    Flutter is a good choice (temporarily)
    For native Android, using Java / Kotlin for highly sensitive code is discouraged

  13. Build38 gives back!
    Build38 commits to maintaining and contributing to o-MVLL, part of Open Obfuscator
    https://obfuscator.re/
    Created by industry expert Romain Thomas
    https://romainthomas.fr
    Free, Open-Source obfuscation for everyone
    Supports Android NDK, iOS and Flutter

  14. Marc Obrador
    CTO and Co-Founder
    [email protected]
    @marcobrador
    /in/marc-obrador
    Visit us at the booth #13 to know more
    Any questions?

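An added example, not from the talk or from Build38: a build-side audit of smali such as slide 9's, listing what "method and var renaming" (slide 7) still leaves readable in a release build. The sample input is constructed; `checkLicense`, `premium_unlocked`, the platform-prefix list and the short-name heuristic are assumptions.

```python
import re

# Constructed input: slide 9's method (shortened) plus a hypothetical method
# whose name and string constant were left untouched by the renamer.
SAMPLE_SMALI = """\
.method a(Ljava/lang/String;C)I
    .locals 2
    invoke-virtual {p1}, Ljava/lang/String;->toCharArray()[C
    move-result-object p1
    const/4 p1, -0x1
    return p1
.end method

.method public checkLicense(Ljava/lang/String;)Z
    .locals 1
    const-string v0, "premium_unlocked"
    invoke-virtual {p1, v0}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
    move-result v0
    return v0
.end method
"""

# Assumption: these prefixes are platform classes the app cannot rename.
PLATFORM = ("Ljava/", "Ljavax/", "Landroid/", "Ldalvik/")
BLOCK_RE = re.compile(
    r"^\.method\s+(?:[a-z-]+\s+)*([\w$<>]+)\((.*?)^\.end method", re.M | re.S)
INVOKE_RE = re.compile(r"^\s*invoke-[\w/-]+ \{[^}]*\}, (L[^;]+;)->([\w$<>]+)\(", re.M)
STRING_RE = re.compile(r'^\s*const-string(?:/jumbo)? \w+, "((?:[^"\\]|\\.)*)"', re.M)


def audit(smali):
    """Return, per method, what a reader still sees after renaming."""
    report = []
    for match in BLOCK_RE.finditer(smali):
        name, body = match.groups()
        if name.startswith("<"):          # <init>/<clinit> cannot be renamed
            continue
        calls = INVOKE_RE.findall(body)
        report.append({
            "method": name,
            # Heuristic (assumption): renamers emit 1-2 character names.
            "looks_renamed": len(name) <= 2,
            "platform_calls": [c + "->" + n for c, n in calls if c.startswith(PLATFORM)],
            "strings": STRING_RE.findall(body),
        })
    return report


if __name__ == "__main__":
    for entry in audit(SAMPLE_SMALI):
        print(entry)
```

Even for the renamed method `a`, the call to `String.toCharArray()` stays in clear text, which is why renaming alone counts as minimal obfuscation.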