Slide 1

Obfuscation In Mobile Apps
Marc Obrador, CTO & Co-Founder
DroidCon Berlin - July 2023

Slide 2

What is obfuscation?
"Obfuscation is the obscuring of the intended meaning of communication by making the message difficult to understand, usually with confusing and ambiguous language."
Source: https://en.wikipedia.org/wiki/Obfuscation

Slide 3

Obfuscating source code

Slide 4

Why?
- Apps are uploaded to Play Store / App Store
- Anyone can download and unpack them!
- Source Code is YOUR IP!
- Understanding internals of the App can lead to unintended consequences (e.g. removing restrictions, paywalls, …)
- Obfuscation makes it difficult to reverse engineer your App

Slide 5

Cons
Impact on …
- Debugging
- Performance
- Size

Slide 6

Does the programming language affect the result?
Yes
All obfuscation techniques can be applied (in general) to any language, but the difficulty of reverse engineering depends on the distributable format for each language / platform.

Slide 7

Time to play!
- 3 code snippets from different languages
- Extracted from their APK
- Only minimal obfuscation applied (method and var renaming)

Slide 8

    function t(o, t) {
        for (var n = 0, i = 0; i < o.length; i++) {
            o.charAt(i) === t && n++;
        }
        return n
    }

React Native (JS)
No tooling required!!
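
What "method and var renaming" removes and what it leaves behind, as an added example that is not from the talk: a toy renamer in JavaScript that turns readable source into the kind of output shown on this slide. The function names `declaredNames`, `buildMap` and `renameIdentifiers` and the sample input are assumptions made for this illustration.

```javascript
// Added example: toy identifier renamer, not a production obfuscator. Assumes no
// comments, template literals or object-literal keys, one name per var/let/const.

// Names the snippet declares itself: functions, parameters, local variables.
function declaredNames(src) {
  const names = new Set();
  for (const m of src.matchAll(/function\s+([A-Za-z_]\w*)\s*\(([^)]*)\)/g)) {
    names.add(m[1]);
    for (const p of m[2].split(",")) if (p.trim()) names.add(p.trim());
  }
  for (const m of src.matchAll(/\b(?:var|let|const)\s+([A-Za-z_]\w*)/g)) names.add(m[1]);
  return names;
}

// Map each declared name to a short one (a..z, a1, ...) not already used in src.
function buildMap(src) {
  const taken = new Set(src.match(/[A-Za-z_]\w*/g));
  const map = new Map();
  let i = 0;
  for (const name of declaredNames(src)) {
    let short;
    do short = String.fromCharCode(97 + (i % 26)) + (Math.floor(i++ / 26) || "");
    while (taken.has(short));
    map.set(name, short);
  }
  return map;
}

// Rewrite identifiers; string literals and property accesses (.length) are kept.
function renameIdentifiers(src) {
  const map = buildMap(src);
  const token = /("(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')|(\.\s*)?\b([A-Za-z_]\w*)/g;
  const code = src.replace(token, (all, str, dot, id) =>
    str || dot || !map.has(id) ? all : map.get(id));
  return { code, map };
}

// Constructed sample input: readable source as a developer would write it.
const SAMPLE = `function countOccurrences(text, wanted) {
  let count = 0;
  for (let index = 0; index < text.length; index++) {
    if (text.charAt(index) === wanted) count++;
  }
  return count;
}`;

// Names are gone; .length, .charAt and the loop structure survive unchanged.
console.log(renameIdentifiers(SAMPLE).code);
```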

Slide 9

    .method a(Ljava/lang/String;C)I
        .locals 2

        invoke-virtual {p1}, Ljava/lang/String;->toCharArray()[C
        move-result-object p1
        const/4 v0, 0x0

        :goto_0
        array-length v1, p1
        if-ge v0, v1, :cond_1
        aget-char v1, p1, v0
        if-ne v1, p2, :cond_0
        return v0

        :cond_0
        add-int/lit8 v0, v0, 0x1
        goto :goto_0

        :cond_1
        const/4 p1, -0x1
        return p1
    .end method

Android - Java
Only open source tools used

Slide 10

    int _Z1aPcc(int * arg0, int arg1) {
        r1 = arg1;
        r0 = arg0;
        r9 = *(int8_t *)r0;
        if (r9 != 0x0) {
            r8 = r0 + 0x1;
            do {
                r10 = r9 & 0xff;
                r9 = *(int8_t *)r8;
                r8 = r8 + 0x1;
                if (r10 == zero_extend_64(r1)) {
                    asm { cinc w0, w0, eq };
                }
            } while (r9 != 0x0);
        }
        return 0x0;
    }

Android - NDK
Professional tooling used

Slide 11

Tooling is not available (yet)!
Flutter
(even though some alternatives are starting to come up: https://github.com/Impact-I/reFlutter)

Slide 12

Closing Thoughts
- Obfuscating source code might be important to prevent your source code from being stolen or even modified
- The chosen programming language has a direct impact on the effectiveness of the obfuscation
- Languages compiled to native code (C/C++/Dart) > Java > JS
- Flutter is a good choice (temporarily)
- For native Android, using Java / Kotlin for highly sensitive code is discouraged

Slide 13

Build38 gives back!
- Build38 commits to maintain and contribute to o-MVLL, part of Open Obfuscator: https://obfuscator.re/
- Created by industry expert Romain Thomas: https://romainthomas.fr
- Free, Open-Source obfuscation for everyone
- Supports Android NDK, iOS and Flutter

Slide 14

Any questions?
Marc Obrador, CTO and Co-Founder
@marcobrador
/in/marc-obrador
Visit us at booth #13 to learn more