Obfuscation In Mobile Apps Marc Obrador DroidCon Berlin - July 2023 CTO & Co-Founder

What is obfuscation? https://en.wikipedia.org/wiki/Obfuscation Obfuscation is the obscuring of the intended meaning of communication by making the message difficult to understand, usually with confusing and ambiguous language.

Obfuscating source code

Why? Apps are uploaded to Play Store / App Store Anyone can download and unpack them! Source Code is YOUR IP! Understanding internals of the App can lead to unintended consequences (e.g. removing restrictions, paywalls, …) Obfuscation makes it difficult to reverse engineer your App

Cons Impact on … Debugging Performance Size

Does the programming language affect the result? All obfuscation techniques can be applied (in general) to any language, but the difficulty of reverse engineering depends on the distributable format for each language / platform Yes

Time to play! 3 code snippets from different languages Extracted from their APK Only minimal obfuscation applied (method and var renaming)

function t(o, t) { for (var n = 0, i = 0; i < o.length; i++) { o.charAt(i) === t && n++; } return n } React Native (JS) No tooling required!!

.method a(Ljava/lang/String;C)I .locals 2 invoke-virtual {p1}, Ljava/lang/String;->toCharArray()[C move-result-object p1 const/4 v0, 0x0 :goto_0 array-length v1, p1 if-ge v0, v1, :cond_1 aget-char v1, p1, v0 if-ne v1, p2, :cond_0 return v0 :cond_0 add-int/lit8 v0, v0, 0x1 goto :goto_0 :cond_1 const/4 p1, -0x1 return p1 .end method Android - Java Only open source tools used

int _Z1aPcc(int * arg0, int arg1) { r1 = arg1; r0 = arg0; r9 = *(int8_t *)r0; if (r9 != 0x0) { r8 = r0 + 0x1; do { r10 = r9 & 0xff; r9 = *(int8_t *)r8; r8 = r8 + 0x1; if (r10 == zero_extend_64(r1)) { asm { cinc w0, w0, eq }; } } while (r9 != 0x0); } return 0x0; } Android - NDK Professional tooling used

Tooling is not available (yet)! Flutter (even though some alternatives are starting to come up: https://github.com/Impact-I/reFlutter)

Closing Thoughts Obfuscating source code might be important to prevent your source code from being stolen or even modified Chosen Programming Language has a direct impact on the effectiveness of the obfuscation Assembly Languages (C/C++/Dart) > Java > JS Flutter is a good choice (temporarily) For native Android, using Java / Kotlin for highly sensitive code is discouraged

Build38 gives back! Build38 commits to maintain and contribute to o-MVLL, part of Open Obfuscator https://obfuscator.re/ Created by industry expert Romain Thomas https://romainthomas.fr Free, Open-Source obfuscation for everyone Supports Android NDK, iOS and Flutter

Marc Obrador CTO and Co-Founder [email protected] @marcobrador /in/marc-obrador Visit us at the booth #13 to know more Any questions?