Discover and master obfuscation on Android
About us
Renaud Boulard
@_renaudb
Francois Lolom
@flolom
Summary
• Steps and Methodology
• Obfuscation techniques
• Go further
• Conclusion
• Introduction
• Delivery and Exploit
Obfuscation
Obfuscate: to render obscure, to darken, to hide. (source: wiktionary.org)
Obfuscate: to make something less clear and harder to understand, especially intentionally. (source: dictionary.cambridge.org)
Obfuscation goals
• Makes sensitive assets harder to find
• Limits cloning / app repackaging
• Protects other security features located in the app
• Makes the inner implementation "more secret"
Timber lint rules are great!
Lint will automatically check:
• if you are using the Android logger instead of Timber
• if you concatenate strings in a log message
Be careful with custom loggers
getDefaultProguardFile('proguard-android.txt')
getDefaultProguardFile('proguard-android-optimize.txt')
Use compile-time code generation
• Better performance
• Resists ProGuard obfuscation
• Bigger APK
• Dagger 1 vs Dagger 2
• AutoValue for serialization
Avoid reflection for serialization
Use compile-time generation
Tip: use @Keep!
• Resists class refactor
• No extra ProGuard configuration required
In sdk/tools/proguard/proguard-android.txt:
# Understand the @Keep support annotation.
-keep class android.support.annotation.Keep
-keep @android.support.annotation.Keep class * {
    *;
}
SDK steps
• Choose your tools properly
• Proguard conf library
• Provide ProGuard conf of your dependencies
• Declare your API
• Enable repackaging
• Remove log
• Decompile
• Publish
• Save mapping
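A check for the "Declare your API", "Decompile" and "Save mapping" steps above, as an added example that is not from the slides: it parses a ProGuard/R8 mapping.txt and lists classes and members that kept their original names outside the declared API. The package names, the sample mapping and the `api_classes` parameter are constructed for illustration.

```python
import re

# Constructed sample of a mapping.txt (illustrative, not taken from the slides).
SAMPLE_MAPPING = """\
# compiler: R8
com.example.sdk.PublicApi -> com.example.sdk.PublicApi:
    void start(android.content.Context) -> start
    java.lang.String apiKey -> a
com.example.sdk.internal.TokenStore -> a.a.b:
    java.lang.String token -> a
    1:3:void save(java.lang.String):21:23 -> a
com.example.sdk.internal.DebugLogger -> com.example.sdk.internal.DebugLogger:
    4:4:void log(java.lang.String):9:9 -> log
"""

CLASS_LINE = re.compile(r"^(\S+) -> (\S+):$")
MEMBER_LINE = re.compile(r"^\s+(?:\d+:\d+:)?\S+ ([^\s(]+)(?:\(.*?\))?(?::\d+)* -> (\S+)$")

def parse_mapping(text):
    """Return {original_class: (obfuscated_class, [(member, obfuscated_member), ...])}."""
    classes, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comment headers carry no mapping
        m = CLASS_LINE.match(line)
        if m:
            current = m.group(1)
            classes[current] = (m.group(2), [])
            continue
        m = MEMBER_LINE.match(line)
        if m and current:
            classes[current][1].append((m.group(1), m.group(2)))
    return classes

def unobfuscated_outside_api(text, api_classes):
    """List names that survived obfuscation but are not part of the declared API."""
    findings = []
    for original, (obfuscated, members) in parse_mapping(text).items():
        if original in api_classes:
            continue  # the declared API is expected to keep its names
        if original == obfuscated:
            findings.append(original)
        for name, obf in members:
            if name == obf and name not in ("<init>", "<clinit>"):
                findings.append(f"{original}#{name}")
    return findings

if __name__ == "__main__":
    print("\n".join(unobfuscated_outside_api(SAMPLE_MAPPING, {"com.example.sdk.PublicApi"})))
```

Any name it reports is either a missing entry in the declared API or a keep rule that is broader than intended.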
Conclusion
Obfuscation doesn’t prevent reverse engineering, but just discourages it.