
Going Beyond Obfuscation: Advanced Techniques for Protecting Android Apps

Protecting intellectual property and preventing app manipulation is a significant concern for many businesses, and sometimes obfuscation just won't cut it. In this talk, we'll discuss how mobile devs can go beyond basic code obfuscation by exploring techniques like anti-tampering, anti-debugging, root detection, and other runtime application self-protection (RASP) methods to protect an app's code and data from reverse engineering and exploitation.

This talk was given at Droidcon London 2025


Ed Holloway-George

October 31, 2025

Transcript

  1. Going Beyond Obfuscation: Advanced Techniques for Protecting Android Apps
     Ed Holloway-George | Droidcon London 2025 | @sp4ghetticode / spght.dev

  2. Introduction: Who am I?
     • Mobile Lead @ Kraken 💚🌍 (Go see John O’Reilly’s KMP/CMP talk tomorrow @ 14:55!)
     • Android Google Dev Expert
     • I like to talk about mobile security a lot
     • Available on social media platforms (dog pics available)
     • Thanks for coming along & I hope you learn something new

  3. A quick reminder… (so you don’t get in trouble)
     • This content is educational
     • Test your own apps only
     • Always speak to your cyber security team and/or expert beforehand
     • Be a good developer 💚
     • Don’t do anything illegal!

  4. Obfuscation: What is it?
     “The practice of creating code that is intentionally difficult for humans or computers to understand”

  5. In the beginning… ProGuard
     • Initially released in 2002 for Java obfuscation / minification
     • Became a key part of the early Android ecosystem
     • Optimised and obfuscated Java bytecode before the step of converting to Dalvik bytecode
     • Configured via ‘rules’
     • ‘DexGuard’ is an enterprise solution with many enhanced features, offered by GuardSquare (Go say hello!)
     (Photo: Eric Lafortune @ Droidcon London 2014. Image source: Flickr)

  6. Present day: R8
     • D8 and R8 arrived as standard tooling in 2018 (Android Studio 3.0)
     • D8 replaced the old DX compiler for dexing
     • R8 is just D8 ‘on steroids’
     • R8 provides additional shrinking, minification and obfuscation
     • Uses ProGuard’s configuration syntax
     (“It’s me!” Image source: Androidify)

  7. app/build.gradle.kts

        android {
            buildTypes {
                release {
                    isMinifyEnabled = true
                    proguardFiles(
                        getDefaultProguardFile("proguard-android-optimize.txt"),
                        "proguard-rules.pro"
                    )
                }
            }
        }

  8. app/proguard-rules.pro

        # Example File (Do not use!)
        -verbose
        -allowaccessmodification
        -repackageclasses
        -keepclassmembers enum * {
            public static **[] values();
            public static ** valueOf(java.lang.String);
        }
        -keep class * implements android.os.Parcelable {
            public static final android.os.Parcelable$Creator *;
        }

  9. Standard Android obfuscation tooling: Yay or nay?
     ✅ Tooling integrated into the ecosystem
     ✅ Simple to enable
     ✅ Provides basic protection against primitive reverse engineering
     ✅ Provides other benefits such as minification
     ✅ Arguably ‘good enough’ for some apps
     😅 Rules often written poorly and hard to test quickly
     😅 Fundamentally, does not make reverse engineering impossible
     😅 R8/ProGuard aren’t security tools!
     😅 Don’t obfuscate code’s control flow
     😅 They don’t prevent or detect dynamic attacks when your app runs

  10. Going Beyond Obfuscation: What else can we do, and why should we?
     ✅ Move any secrets / business logic out of the app!
     ✅ Threat monitoring
     ✅ Implement a ‘know your customer’ style flow
     ✅ Protect ourselves against dynamic attacks with RASP
     🤔 What are the risks to your app/business?
     💡 Your IP
     💡 Financial
     💡 Reputational
     💡 Customer data

  11. RASP: What is it?
     “Runtime Application Self-Protection is code that provides multiple defences against dynamic attacks, at runtime”

  13. Dynamic attacks: Like what?
     • Binary tampering
     • Code modification / injection
     • Repackaged with a new certificate
     • Exploiting a debuggable app
     • Running on virtual environments / emulators
     • Using root to do ‘funky things’™
     • Using hooking frameworks

  15. Dynamic attacks: Like what? The same list as slide 13, with the answer revealed: RASP ✨

  16. Binary tampering: Smali modification. 😈 An attacker’s cheatsheet
     🤔 Remove license checks
     🤔 Bypass paywalls
     🤔 Modify behaviour
     🤔 Add malware
     🤔 ???
     🤔 Do bad things.

  17. Binary tampering, Defence #1 - Integrity checks
     • We need to be confident our app hasn’t been modified
     • Check CRC hashes of critical files against known values

  18. Binary tampering, Defence #1 - Integrity checks
     ✅ 1529977198   ❌ 1836748125
     Tampering detected? Resolution: Block app launch!

  19. Binary tampering, Defence #2 - Certificate verification
     An attacker will sign their clone with a different key. How can we detect this?

  20. Binary tampering, Defence #2 - Certificate verification
     ✅ AB:CD:EF…   ❌ BA:DE:D0…
     Tampering detected? Resolution: Block app launch (again)!

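Both binary-tampering defences above (the CRC check of Defence #1 and the certificate check of Defence #2), written up in Kotlin as an added example; this is not code from the talk. It assumes the app bakes in its own expected values: the CRC constant reuses the slide’s example number and the signer fingerprint is a placeholder to replace with the release key’s SHA-256.

```kotlin
import android.content.Context
import android.content.pm.PackageManager
import android.os.Build
import java.security.MessageDigest
import java.util.zip.CRC32
import java.util.zip.ZipFile

// Baked-in expectations (assumptions for this example): the CRC is the slide's
// example value; the fingerprint is a placeholder for your release signer's SHA-256.
const val EXPECTED_CLASSES_DEX_CRC = 1529977198L
const val EXPECTED_SIGNER_SHA256 = "REPLACE:WITH:RELEASE:SIGNER:SHA256"

/** Defence #1: recompute CRC32 over classes.dex inside the installed APK. */
fun classesDexCrc(context: Context): Long =
    ZipFile(context.applicationInfo.sourceDir).use { zip ->
        val entry = zip.getEntry("classes.dex") ?: return@use -1L
        val crc = CRC32()
        zip.getInputStream(entry).use { input ->
            val buf = ByteArray(8192)
            var n: Int
            while (input.read(buf).also { n = it } != -1) crc.update(buf, 0, n)
        }
        crc.value // unsigned 32-bit value, the same form as the numbers on slide 18
    }

/** Defence #2: SHA-256 fingerprints of the certificate(s) the installed APK is signed with. */
fun signerFingerprints(context: Context): List<String> {
    val pm = context.packageManager
    val certs = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
        pm.getPackageInfo(context.packageName, PackageManager.GET_SIGNING_CERTIFICATES)
            .signingInfo.apkContentsSigners
    } else {
        @Suppress("DEPRECATION")
        pm.getPackageInfo(context.packageName, PackageManager.GET_SIGNATURES).signatures
    }
    val sha256 = MessageDigest.getInstance("SHA-256")
    return certs.map { sig ->
        sha256.digest(sig.toByteArray()).joinToString(":") { "%02X".format(it) }
    }
}

/** Block launch when either check fails: a patched DEX or a clone signed with another key. */
fun isTampered(context: Context): Boolean {
    val dexOk = classesDexCrc(context) == EXPECTED_CLASSES_DEX_CRC
    val signerOk = signerFingerprints(context).all { it == EXPECTED_SIGNER_SHA256 }
    return !(dexOk && signerOk)
}
```

Run it off the main thread (it reads the whole APK entry) and decide the resolution before launch, as the slides do. The check ships inside the very binary it protects, so it is one slice of the Swiss cheese the deck describes later, not the whole block.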
  21. Binary tampering, Defence #3 - Embedded DEX (Android 10+)
     • As of Android 4.4 / 5.0, ART used pre-processing and ahead-of-time (AOT) compilation
     • A flag tells ART to revert to the old approach:
       • No pre-processing
       • JIT compilation
       • Only use the DEX files packaged in the APK
     • ⚠ Performance penalty!

  22. Untrusted environments
     Untrusted devices increase exposure to:
     • Tampering
     • Traffic interception
     • Etc.
     How can we detect this?

  23. Untrusted environments, Defence #1 - Device attestation
     • Attestation: “An official verification of something as true or authentic”
     • Play Integrity API / Firebase App Check
       • Ensures legitimate device access
       • No emulators / etc.
       • Blocks malicious requests
     (Source: Safeguarding user security on Android (I/O ’24), youtu.be/RccJYep2v5I)

  24. Untrusted environments, Defence #2 - Root detection
     • Detect if a user has a rooted device
     • But root detection is difficult
     • Not always as simple as checking for specific files/folders
     • Cat & mouse game 😼🐭

  25. Untrusted environments, Defence #2 - Root detection in a nutshell
     • Look for specific known files
     • See if specific root apps are on-device
     • Check for disabled security settings
     • Attempt to run a command as root
     • ???
     • Hope you are ahead of the game!

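The “nutshell” list above as an added Kotlin example, not code from the talk (and the deck’s own advice, on the next slide, is to use an existing library rather than roll your own). The su paths and root-manager package names are well-known indicators chosen for illustration; the “disabled security settings” item is represented by a test-keys build check, which is this example’s assumption about what to look at; and the “run a command as root” item is replaced by a prompt-free `which su` lookup.

```kotlin
import android.content.Context
import android.os.Build
import java.io.File

// Added example; the indicators below are well-known illustrations, not an exhaustive list.
val SU_PATHS = listOf("/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su")
val ROOT_MANAGER_PACKAGES = listOf("com.topjohnwu.magisk", "eu.chainfire.supersu")

/** 1. Look for specific known files. */
fun suBinaryPresent(): Boolean = SU_PATHS.any { File(it).exists() }

/** 2. See if specific root apps are on-device (API 30+ needs a <queries> entry in the manifest). */
fun rootManagerInstalled(context: Context): Boolean = ROOT_MANAGER_PACKAGES.any { pkg ->
    runCatching { context.packageManager.getPackageInfo(pkg, 0) }.isSuccess
}

/** 3. Build posture: "test-keys" means the system image was not signed with release keys. */
fun builtWithTestKeys(): Boolean = Build.TAGS?.contains("test-keys") == true

/** 4. Prompt-free stand-in for "run a command as root": ask the shell whether su is on PATH. */
fun suOnPath(): Boolean = runCatching {
    val proc = Runtime.getRuntime().exec(arrayOf("which", "su"))
    val found = proc.inputStream.bufferedReader().readLine()?.isNotBlank() == true
    proc.waitFor()
    found
}.getOrDefault(false)

/** Collect the signals. As the slide says, a clean result only means you are not behind yet. */
fun rootIndicators(context: Context): List<String> = buildList {
    if (suBinaryPresent()) add("su binary at a known path")
    if (rootManagerInstalled(context)) add("root manager app installed")
    if (builtWithTestKeys()) add("build signed with test-keys")
    if (suOnPath()) add("su found on PATH")
}
```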
  26. Untrusted environments, Defence #2 - Root detection
     • TL;DR - Don’t run your own solution
     • Great enterprise solutions exist ✨💸 - Go meet them at their booths!
     • Free solutions too!
       • Play Integrity API
       • github.com/scottyab/rootbeer (old!)
       • github.com/talsec/Free-RASP-Community (new-er!)

  27. Anti-Debugging / Hooking: Hooking
     • Modify app execution during runtime
     • Frida is the de facto framework used
     • Can be used to:
       • Read/write variables
       • Run custom code
       • e.g. root detection bypass, modify networking endpoints, etc…

  28. Anti-Debugging / Hooking, Defence #1 - Detect hooking
     • Detect if a user has a hooking framework running
     • Again, this is difficult
     • Check for common file(s) / processes
     • Iterate over TCP ports and check if they respond
     • Check for code modifications in memory
       • Easy(ish) for native libs
       • Very hard for Java/Kotlin code

  29. Anti-Debugging / Hooking: Debugging
     • Trivial to patch the manifest with android:debuggable
     • Enabling the ro.debuggable system property allows debugging for all apps
     • Allows attackers to:
       • Analyse control flow
       • Set breakpoints
       • Inspect variables
       • Modify memory

  30. Anti-Debugging / Hooking, Defence #2 - Detect debugging
     • Easy mode:
       • Programmatically check the manifest android:debuggable flag
       • Use Android’s own Debug class methods

  31. Anti-Debugging / Hooking, Defence #2 - Detect debugging
     • Expert mode:
       • Attempt to detect debug thread activity
       • Crash debuggers via modifying JDWP native data structures
       • Check for tracer process IDs
     Read more via OWASP MASTG

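The hooking checks of Defence #1 (slide 28) and the easy- and expert-mode debugger checks of Defence #2 (slides 30 and 31), as one added Kotlin example that is not code from the talk; both sides share the same /proc reading pattern. The “frida” marker and the port range are this example’s assumptions (27042 is frida-server’s default listening port); the manifest flag and Debug class calls are the platform APIs the slides refer to.

```kotlin
import android.content.Context
import android.content.pm.ApplicationInfo
import android.os.Debug
import java.io.File
import java.net.InetSocketAddress
import java.net.Socket

// Added example. The "frida" marker and the port range are assumptions chosen
// to illustrate the slides; 27042 is frida-server's default listening port.

/** Hooking #1: common files. A hooking agent has to be mapped into our own process. */
fun hookingLibraryMapped(marker: String = "frida"): Boolean =
    runCatching { File("/proc/self/maps").readLines() }
        .getOrDefault(emptyList())
        .any { it.contains(marker, ignoreCase = true) }

/** Hooking #2: iterate over local TCP ports and see whether anything answers. */
fun anyLocalPortOpen(ports: IntRange = 27042..27052, timeoutMs: Int = 50): Boolean =
    ports.any { port ->
        runCatching {
            Socket().use { it.connect(InetSocketAddress("127.0.0.1", port), timeoutMs) }
        }.isSuccess
    }

/** Debugging, easy mode: the manifest flag plus the platform Debug class. */
fun debuggerEasyMode(context: Context): Boolean {
    val debuggable = (context.applicationInfo.flags and ApplicationInfo.FLAG_DEBUGGABLE) != 0
    return debuggable || Debug.isDebuggerConnected() || Debug.waitingForDebugger()
}

/** Debugging, expert mode: TracerPid != 0 means a ptrace-based (native) tracer is attached.
 *  JDWP debuggers do not show up here, which is why the easy-mode checks stay in the mix. */
fun tracerPid(): Int =
    runCatching { File("/proc/self/status").readLines() }
        .getOrDefault(emptyList())
        .firstOrNull { it.startsWith("TracerPid:") }
        ?.substringAfter(':')?.trim()?.toIntOrNull() ?: 0

/** Aggregate for the caller; run off the main thread because of the socket probes. */
fun runtimeThreats(context: Context): List<String> = buildList {
    if (hookingLibraryMapped()) add("hooking agent mapped into process")
    if (anyLocalPortOpen()) add("local instrumentation port answering")
    if (debuggerEasyMode(context)) add("debuggable build or debugger connected")
    val pid = tracerPid()
    if (pid != 0) add("ptrace tracer attached (pid $pid)")
}
```

Like the tamper checks, these run inside the process they defend, so a hooking framework can patch them out; the deck’s Swiss-cheese point is that they still cost the attacker another layer.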
  32. More RASP ideas! (i.e. the stuff I just don’t have time for today)
     • Detect sensor spoofing (e.g. location)
     • Detect app install location (e.g. Play Store)
     • Detect screen-sharing / screenshot capture
     • Certificate pinning / transparency
     • Listening for VPN usage

  33. The Swiss Cheese Model (Image source: Wikipedia, CC BY-SA 4.0)
     Layers: Tamper detection, Obfuscation, Anti-hooking

  34. The Swiss Cheese Model: More cheese; less problems (Image source: Wikipedia, CC BY-SA 4.0)
     Layers: Tamper detection, Obfuscation, Anti-hooking

  35. What’s next? Your plan to go beyond obfuscation!
     • Remember default obfuscation isn’t foolproof
     • Look to go beyond obfuscation ✨
     • Use device attestation
     • Detect rooted devices and hooking frameworks
     • Check your signing certificate(s)
     • Look for changes in critical files’ hashes

  36. Want to learn more?
     • OWASP MASVS-RESILIENCE
     • HackTricks - Mobile Pentesting
     • Talsec’s freeRASP
     • GuardSquare / Promon / Zimperium / etc. - blogs
     • Check out the other (maybe better?!) security talks at Droidcon today/tomorrow!