[Droidcon Berlin 2023] Obfuscation in Mobile Apps

Transcript

1. Obfuscation In Mobile Apps Marc Obrador DroidCon Berlin - July

   2023 CTO & Co-Founder

2. What is obfuscation? https://en.wikipedia.org/wiki/Obfuscation Obfuscation is the obscuring of the

   intended meaning of communication by making the message difficult to understand, usually with confusing and ambiguous language.

3. Obfuscating source code

4. Why? Apps are uploaded to Play Store / App Store

   Anyone can download and unpack them! Source Code is YOUR IP! Understanding internals of the App can lead to unintended consequences (e.g. removing restrictions, paywalls, …) Obfuscation makes it difficult to reverse engineer your App

5. Cons Impact on … Debugging Performance Size

6. Does the programming language affect the result? All obfuscation techniques

   can be applied (in general) to any language, but the difficulty of reverse engineering depends on the distributable format for each language / platform Yes

7. Time to play! 3 code snippets from different languages Extracted

   from their APK Only minimal obfuscation applied (method and var renaming)

8. function t(o, t) { for (var n = 0, i

   = 0; i < o.length; i++) { o.charAt(i) === t && n++; } return n } React Native (JS) No tooling required!!

9. .method a(Ljava/lang/String;C)I .locals 2 invoke-virtual {p1}, Ljava/lang/String;->toCharArray()[C move-result-object p1 const/4

   v0, 0x0 :goto_0 array-length v1, p1 if-ge v0, v1, :cond_1 aget-char v1, p1, v0 if-ne v1, p2, :cond_0 return v0 :cond_0 add-int/lit8 v0, v0, 0x1 goto :goto_0 :cond_1 const/4 p1, -0x1 return p1 .end method Android - Java Only open source tools used

10. int _Z1aPcc(int * arg0, int arg1) { r1 = arg1;

    r0 = arg0; r9 = *(int8_t *)r0; if (r9 != 0x0) { r8 = r0 + 0x1; do { r10 = r9 & 0xff; r9 = *(int8_t *)r8; r8 = r8 + 0x1; if (r10 == zero_extend_64(r1)) { asm { cinc w0, w0, eq }; } } while (r9 != 0x0); } return 0x0; } Android - NDK Professional tooling used

11. Tooling is not available (yet)! Flutter (even though some alternatives

    are starting to come up: https://github.com/Impact-I/reFlutter)

12. Closing Thoughts Obfuscating source code might be important to prevent

    your source code from being stolen or even modified Chosen Programming Language has a direct impact on the effectiveness of the obfuscation Assembly Languages (C/C++/Dart) > Java > JS Flutter is a good choice (temporarily) For native Android, using Java / Kotlin for highly sensitive code is discouraged

13. Build38 gives back! Build38 commits to maintain and contribute to

    o-MVLL, part of Open Obfuscator https://obfuscator.re/ Created by industry expert Romain Thomas https://romainthomas.fr Free, Open-Source obfuscation for everyone Supports Android NDK, iOS and Flutter

14. Marc Obrador CTO and Co-Founder [email protected] @marcobrador /in/marc-obrador Visit us

    at the booth #13 to know more Any questions?