
Mobile applications need protection in today’s day and age. Developing an app with cutting-edge features is not sufficient. Making it secure is equally important. Data tampering is rampant, and developers need to have security at the top of their checklists of major activities to be covered before making an application live. This is why Android app obfuscation is important.

Android App Obfuscation 

It is the process of obscuring or changing the source code with the intention to protect it from the outside world. The aim is to modify the executable content while still ensuring that its original purpose is maintained, and it is fully functional. A hacker might, in the process, find it extremely difficult to decompile an application. This ensures protection of sensitive customer data. Many decompilers make it extremely easy for developers to reverse-engineer the source code of an application. This is where code obfuscation helps – to make reverse engineering or data tampering a little more difficult. 

How to Obfuscate Code in Android 

Obfuscating your code in Android is easy. The simplest way is to open your app/build.gradle file and set the minifyEnabled field to true. A quick look at the snippet:

android {
    buildTypes {
        release {
            minifyEnabled true
            proguardFiles getDefaultProguardFile('proguard-android.txt')
        }
    }
    // …
}

Another good option is to use the default or pre-created rules. You can also check the documentation for specific rules. A typical rules file can be referenced in the following way:

android {
    buildTypes {
        release {
            minifyEnabled true
            proguardFiles getDefaultProguardFile('proguard-android.txt'),
                    'proguard-rules.pro'
        }
    }
}
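A release build only ships obfuscated if these two settings are really present in the release block, so it is worth checking them in CI. The following is an added example, not code from the original article: a small Python check that assumes the Groovy DSL shown above; the function names and the sample file are constructed for illustration.

```python
import re

# Constructed sample: a debug/release pair where only release is minified.
SAMPLE_GRADLE = """
android {
    buildTypes {
        debug {
            minifyEnabled false
        }
        release {
            minifyEnabled true
            proguardFiles getDefaultProguardFile('proguard-android.txt'),
                    'proguard-rules.pro'
        }
    }
}
"""

def block_body(text, name):
    """Return the text inside `name { ... }` using brace matching, or None."""
    m = re.search(r'\b' + re.escape(name) + r'\s*\{', text)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
            if depth == 0:
                return text[start:i]
    return None  # unbalanced braces

def audit_release(gradle_text):
    """List problems with the release build type's obfuscation settings."""
    # Strip // comments so a commented-out setting does not count.
    text = re.sub(r'//[^\n]*', '', gradle_text)
    build_types = block_body(text, 'buildTypes')
    release = block_body(build_types, 'release') if build_types else None
    if release is None:
        return ['no release build type found']
    problems = []
    if not re.search(r'\bminifyEnabled\s*=?\s*true\b', release):
        problems.append('minifyEnabled is not true for release')
    if not re.search(r'\bproguardFiles?\b', release):
        problems.append('no proguardFiles configured for release')
    return problems
```

An empty list from audit_release means the release build type enables minification and names at least one rules file; the debug block is ignored on purpose.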

One more method that can help is renaming, where variable and method names are replaced with strings, numbers, letters, invisible characters, or characters which cannot be printed. 
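Renaming also affects the developer: crash stack traces from an obfuscated build show the short names. ProGuard and R8 write a mapping file recording each rename, and the following added example (not code from the original article) parses that format and restores original names in a stack frame; the class names, mapping content and stack frames are constructed samples.

```python
import re

# Constructed sample in the mapping-file format written by ProGuard/R8.
SAMPLE_MAPPING = """\
com.example.app.LoginManager -> a.a.a:
    java.lang.String token -> a
    1:3:void login(java.lang.String,java.lang.String):42:44 -> a
    4:4:boolean isLoggedIn():51:51 -> b
com.example.app.net.ApiClient -> a.a.b:
    void send(byte[]) -> a
"""

CLASS_RE = re.compile(r'^(\S+) -> (\S+):$')
# Member line: optional "from:to:" range, type, name, optional (args),
# optional ":origFrom:origTo", then the obfuscated name.
MEMBER_RE = re.compile(
    r'^\s+(?:\d+:\d+:)?\S+ ([\w$<>.]+)(\([^)]*\))?(?::\d+)* -> (\S+)$')

def parse_mapping(text):
    """Return {obf_class: (orig_class, {obf_method: [orig_method, ...]})}."""
    classes, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = CLASS_RE.match(line)
        if m:
            current = {}
            classes[m.group(2)] = (m.group(1), current)
            continue
        m = MEMBER_RE.match(line)
        if m and current is not None and m.group(2):  # methods only
            names = current.setdefault(m.group(3), [])
            if m.group(1) not in names:
                names.append(m.group(1))
    return classes

FRAME_RE = re.compile(r'^(\s*at )([\w$.]+)\.([\w$<>]+)(\(.*\))$')

def retrace_line(line, classes):
    """Rewrite one 'at pkg.Class.method(...)' frame with original names."""
    m = FRAME_RE.match(line)
    if not m or m.group(2) not in classes:
        return line
    orig_class, methods = classes[m.group(2)]
    # Overloads can share one obfuscated name, so list every candidate.
    candidates = '|'.join(methods.get(m.group(3), [m.group(3)]))
    return f'{m.group(1)}{orig_class}.{candidates}{m.group(4)}'
```

The mapping file reverses the renaming, so it should be archived per release with restricted access and never shipped inside the app.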

Control flow obfuscation is another method which can be used by developers to mix up the logic (or make it appear mixed up) so hackers can stay miles away from the code. It synthesizes conditional, iterative, and branching constructs to produce valid, yet difficult-to-decipher executables. 

Dummy code insertion, as the name clearly suggests, is the practice of smartly inserting extra code segments that do not add any value but also do not impact the logic of the application/functionality. Another variation of this method is when unused code or metadata are removed (since they can easily explain the features when hacked). Opaque predicate insertion focuses on introducing conditional branches and incorrect code without impacting the functionality. 

Instruction pattern transformation is also sometimes used by developers to convert commonly known instructions to lesser-known ones to confuse or mislead the hackers. 

Some of the other popular and robust methods include anti-tamper and anti-debug where coders inject self-protection so that relevant alerts can be sent, or actions can be taken if tampering occurs. 

How Obfuscation Helps Prevent Security Incidents

Code replication helps companies get hold of pseudocode, which can ultimately make it easier for hackers to duplicate applications or copy sensitive data. These are predominantly called static analysis attacks and are used by attackers to break into the source code. With code obfuscation, companies can ensure an added layer of security and try to make it difficult for hackers to understand the logic or break into applications. 

Tools for Obfuscation

There are a number of tools in the market but here we take a look at the most commonly-known tools:

PreEmptive DashO 

It scores well on platform versatility and comes with quite a lot of useful features like renaming, string encryption, tamper detection, debug detection, watermarking and control flow. It provides complete technical support irrespective of the customer category and has a great UI. Its built-in rules help configure the settings swiftly. It supports many types of Java and Kotlin applications. 

GuardSquare’s ProGuard

ProGuard has certain limited capabilities when compared to DexGuard since it is its lite version. Configuration, on the positive side, is easier and it also comes with some preinstalled configurations. Though the developer support is decent, additional controls might be required to move to DexGuard. It supports text-based configuration, only helps with renaming functionality and doesn’t score very well when it comes to UI. 

GuardSquare’s DexGuard

It works only on Java and has better features than the ProGuard version. The features are similar to what DashO offers (control flow, encryption, runtime checks etc.) It offers a multi-layered hardening approach and users can go for these “add-ons” on top of their packages. When it comes to support, it has “basic” and “gold” levels. Just like its lite version, it supports only text-based configuration. Developers can add API calls through its API-based features. 

Final Thoughts

Application development cannot be done in isolation. It requires a robust strategy to ensure that applications are good from both functionality and security perspectives. With code obfuscation, teams can protect their code from hackers. Using smart techniques like the ones highlighted above, companies can ensure that their code is a little more difficult to break into. This discourages most hackers, as they can then move on to easier targets. With RASP, companies can protect against static as well as dynamic attempts to break into applications. It can be achieved in real time. This means security is provided round the clock. This means that if you forget to tick off security from your checklist, with AppSealing you can still have a backup plan. And a great one at that! Contact us to know how!

Govindraj Basatwar, Global Business Head
A techno-commercial evangelist who creates, develops, and executes a clear vision for teams. Successfully created a SaaS business model with multi-million-dollar revenues globally. Proven leadership track record of establishing foreign companies in India with market entry strategy, business plan, sales, and business development activities.