August 30, 2022

    Fortress Your App with Multi-Layered Code Obfuscation

    From an attacker’s perspective, targeting a mobile app is similar to laying siege to a castle. They’ll start by analyzing the perimeter of the defenses, the castle wall, often using static analysis, to identify potential weak points. Then they’ll move on to hooking or another dynamic analysis technique to break through that weak point and compromise the app.

    Code obfuscation is essentially the outer castle wall, defending against static analysis attempts. Its purpose is to protect the inner workings of the app and, in turn, its potential weak points. Implementing multiple layers of defenses can stop attackers in their tracks and prevent them from easily exploiting the mobile application.

    In this post, we’ll discuss the benefits of implementing multi-layered obfuscation. We’ll also cover some of the most common types of obfuscation and a few techniques specific to the Android and iOS platforms.

    The Need for Multiple Reinforcing Obfuscation Techniques

    At Guardsquare, our team of security experts is constantly researching the mobile threat landscape. Part of this research extends to understanding how companies are protecting their mobile applications. A mistake we commonly see is mobile app publishers relying on only one obfuscation technique.

    We recognize two primary reasons mobile app developers aren’t implementing multi-layered obfuscation:

    1. They believe one or two obfuscation techniques are truly enough to protect their app. The challenge with using only one technique (commonly name obfuscation) is that malicious actors can still examine the other, unprotected parts of the code and learn enough to compromise the app.
    2. They believe implementing additional obfuscation techniques will impact app performance. While this is true to some extent, obfuscation can and should be tuned to protect only the security-sensitive areas of the app, which keeps the performance impact small.

    While inadequate obfuscation may be putting mobile app publishers at risk, the good news is that implementing multiple layers of obfuscation can significantly improve their mobile app’s security posture with little impact on app performance.

    Reinforce Your App with Code Obfuscation

    The key to effective obfuscation is reinforcing the app with multiple techniques, because the individual techniques reinforce each other: each closes a gap that the others leave open. Here are some of the most important types of obfuscation:

    • Name: Replacing the names of classes, fields, methods, and resources with meaningless alternatives makes the code more difficult to understand. But once the app is decompiled, string literals, constants, and control flow are still exposed, so name obfuscation becomes far more powerful when combined with other techniques.
    • String Encryption: Encryption is one of the strongest defenses against static analysis because encrypted strings are only decrypted on-the-fly at runtime. That means API keys, authentication tokens, and other sensitive strings are difficult for malicious actors to recover using static analysis tools. The decrypted value does exist in memory while it is in use, which is exactly why this layer should be paired with the others and with runtime protections rather than relied on alone.
    • Control Flow: Scrambling an application’s control flow without changing its behavior makes it much more difficult to reverse engineer. The code structure is rewritten to be logically more complex (for example, loops and branches are flattened into a dispatcher driven by a state variable), so a decompiler’s output no longer reflects the original program logic.
    • Data Transformations: Transforming data constants, as well as the arithmetic and logical operators applied to those values, into more complex mathematical equivalents can dramatically slow the efforts of reverse engineers. The data values and the code that uses them are transformed and entangled, so neither can be understood in isolation.
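    To make these layers concrete, here is an added example in C (not code from this post or from Guardsquare’s products; a real protector applies such rewrites automatically to Dalvik bytecode or native code, whereas this shows the equivalent transformation done by hand at the source level). The "before" function checks a token with a plain string literal and a plain constant. The "after" version stores the token XOR-encrypted under a 4-byte key and decrypts it only for the duration of one call (string encryption), rebuilds the constant at runtime and replaces the XOR and ADD with mixed boolean-arithmetic identities (data transformation), and flattens the loop into a switch-driven state machine (control flow). The token value, the key, and the state labels are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* "Before": what a developer writes. The token is a constructed placeholder,
 * not a real credential. In a shipped build this plaintext constant would be
 * gone; it is kept here only so both versions can be compared. */
static const char PLAIN_TOKEN[] = "api-key-0123";

unsigned plain_checksum(const char *s) {
    unsigned sum = 0;
    for (size_t i = 0; s[i]; i++)
        sum += (unsigned char)s[i] ^ 0x2A;
    return sum & 0xFF;
}

/* Layer 1, string encryption: the same token stored XOR-encrypted under a
 * 4-byte key (constructed for the example), so `strings` on the binary never
 * shows it. */
static const uint8_t ENC_TOKEN[] = {0x3B, 0xB3, 0x7E, 0xA3, 0x31, 0xA6,
                                    0x6E, 0xA3, 0x6A, 0xF2, 0x25, 0xBD};
static const uint8_t ENC_KEY[4] = {0x5A, 0xC3, 0x17, 0x8E};

/* Decrypts on the fly into a caller-owned buffer of at least 13 bytes. */
static void decrypt_token(char *out) {
    for (size_t i = 0; i < sizeof ENC_TOKEN; i++)
        out[i] = (char)(ENC_TOKEN[i] ^ ENC_KEY[i % sizeof ENC_KEY]);
    out[sizeof ENC_TOKEN] = '\0';
}

/* Wipe through a volatile pointer so the compiler cannot drop it as dead. */
static void wipe(char *p, size_t n) {
    volatile char *v = p;
    while (n--) *v++ = 0;
}

/* Layers 2 and 3 applied to the checksum itself.
 * Data transformation: 0x2A is never stored; it is rebuilt as 0x1F ^ 0x35,
 * and the XOR and ADD use the identities
 *   x ^ y == (x | y) - (x & y)      x + y == (x ^ y) + 2 * (x & y)
 * Control-flow flattening: the loop becomes a state machine driven by a
 * switch, with arbitrary state labels instead of sequential basic blocks. */
unsigned obf_checksum(const char *s) {
    unsigned sum = 0, i = 0, k = 0, state = 0x3C;
    for (;;) {
        switch (state) {
        case 0x3C:                           /* prologue */
            k = 0x1F ^ 0x35;
            state = 0x91;
            break;
        case 0x91:                           /* loop test */
            state = s[i] ? 0x27 : 0x7A;
            break;
        case 0x27: {                         /* loop body */
            unsigned x = (unsigned char)s[i];
            unsigned t = (x | k) - (x & k);  /* x ^ k */
            sum = (sum ^ t) + 2 * (sum & t); /* sum + t */
            i++;
            state = 0x91;
            break;
        }
        case 0x7A:                           /* exit */
            return sum & 0xFF;
        default:                             /* unreachable: fail closed */
            return 0;
        }
    }
}

/* Decrypt, use, wipe: the plaintext lives in memory only for this call. */
unsigned obf_token_checksum(void) {
    char buf[sizeof ENC_TOKEN + 1];
    decrypt_token(buf);
    unsigned c = obf_checksum(buf);
    wipe(buf, sizeof buf);
    return c;
}

int token_matches(const char *candidate) {
    char buf[sizeof ENC_TOKEN + 1];
    decrypt_token(buf);
    int ok = strcmp(buf, candidate) == 0;
    wipe(buf, sizeof buf);
    return ok;
}

int main(void) {
    printf("plain=%u obfuscated=%u match=%d\n",
           plain_checksum(PLAIN_TOKEN), obf_token_checksum(),
           token_matches(PLAIN_TOKEN));
    return 0;
}
```

    Both checksums produce the same result, which is the whole point: behavior is unchanged, but a static reader of the second version sees no token, no 0x2A, and no loop, only a dispatcher and some arithmetic. Note the remaining exposure: once `decrypt_token` runs, the plaintext is in `buf`, so an attacker who hooks that function at runtime still gets it. That is the dynamic analysis stage of the attack described at the top of this post, and it is why obfuscation is the outer wall rather than the only one.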

    Along with the previous types of obfuscation – which are some of the most common techniques – there are certain tactics that can only be implemented on a particular platform.

    • Android: On the Android platform, it’s possible to encrypt sections of code, resources, and assets. It’s also possible to use code virtualization as a strong outer protection layer by generating a virtual machine that interprets a randomized instruction set from the original code.
    • iOS: On the iOS platform, it’s possible to use method call lowering to protect against swizzling. Method swizzling replaces the implementation behind a selector at runtime; an attacker uses it to redirect a method call to malicious code. This is a risk for Objective-C, and for Swift methods exposed to the Objective-C runtime, because those calls are resolved by dynamic dispatch at runtime. Lowering such calls to direct calls removes the runtime lookup that swizzling hijacks.
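    The code virtualization mentioned for Android above is easiest to see with a small interpreter, so here is an added example in C (not from this post or from DexGuard, which does this on Dalvik bytecode; the opcode values, the register machine, and the hashed program are all constructed for illustration). A Java-style string hash is first written plainly, then expressed as bytecode for a tiny register VM whose opcode numbers are arbitrary. A reverse engineer who decompiles the virtualized version does not see the hash algorithm at all, only the VM dispatch loop and a byte array, and has to recover the meaning of each opcode before the program can be understood. A protector would draw fresh opcode values for every build so that work does not carry over between releases.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reference implementation: Java-style string hash truncated to 16 bits. */
uint32_t plain_hash(const char *s) {
    uint32_t h = 0;
    for (size_t i = 0; s[i]; i++)
        h = (h * 31 + (unsigned char)s[i]) & 0xFFFF;
    return h;
}

/* Virtualized version. The opcode values are arbitrary (constructed here);
 * a protector assigns a fresh mapping per build so no two builds share a
 * decoder. */
enum {
    OP_MOVI = 0xB7, OP_LDB = 0x2C, OP_ADD = 0x91, OP_MUL = 0x5E,
    OP_ANDI = 0x03, OP_INC = 0xD8, OP_JZ = 0x4A, OP_JMP = 0xE6, OP_HALT = 0x7F
};

/* One instruction: opcode, register operand a, immediate-or-register b. */
typedef struct { uint8_t op; uint8_t a; uint16_t b; } Insn;

/* The hash above, hand-compiled to the VM's instruction set. */
static const Insn HASH_PROGRAM[] = {
    {OP_MOVI, 0, 0},       /* r0 = 0        (hash)   */
    {OP_MOVI, 1, 0},       /* r1 = 0        (index)  */
    {OP_LDB,  2, 1},       /* r2 = input[r1]         */
    {OP_JZ,   2, 10},      /* if r2 == 0 goto 10     */
    {OP_MOVI, 3, 31},      /* r3 = 31                */
    {OP_MUL,  0, 3},       /* r0 *= r3               */
    {OP_ADD,  0, 2},       /* r0 += r2               */
    {OP_ANDI, 0, 0xFFFF},  /* r0 &= 0xFFFF           */
    {OP_INC,  1, 0},       /* r1++                   */
    {OP_JMP,  0, 2},       /* goto 2                 */
    {OP_HALT, 0, 0},
};

#define NREGS 4

/* Interpreter: the only piece of the algorithm that survives decompilation.
 * Register indices are bounds-checked so corrupted bytecode fails closed. */
static uint32_t vm_run(const Insn *prog, size_t n, const char *input) {
    uint32_t r[NREGS] = {0, 0, 0, 0};
    size_t pc = 0;
    while (pc < n) {
        Insn in = prog[pc++];
        if (in.a >= NREGS) return 0;
        switch (in.op) {
        case OP_MOVI: r[in.a] = in.b; break;
        case OP_LDB:  if (in.b >= NREGS) return 0;
                      r[in.a] = (unsigned char)input[r[in.b]]; break;
        case OP_ADD:  if (in.b >= NREGS) return 0;
                      r[in.a] += r[in.b]; break;
        case OP_MUL:  if (in.b >= NREGS) return 0;
                      r[in.a] *= r[in.b]; break;
        case OP_ANDI: r[in.a] &= in.b; break;
        case OP_INC:  r[in.a] += 1; break;
        case OP_JZ:   if (r[in.a] == 0) pc = in.b; break;
        case OP_JMP:  pc = in.b; break;
        case OP_HALT: return r[0];
        default:      return 0;   /* unknown opcode: fail closed */
        }
    }
    return r[0];
}

uint32_t vm_hash(const char *s) {
    return vm_run(HASH_PROGRAM, sizeof HASH_PROGRAM / sizeof HASH_PROGRAM[0], s);
}

int main(void) {
    const char *sample = "abc";   /* constructed input */
    printf("plain=%u virtualized=%u\n", plain_hash(sample), vm_hash(sample));
    return 0;
}
```

    Real virtualizing protectors go further than this toy: they vary the instruction encoding, split the handlers so no single switch exposes the whole semantics, and combine the VM with the string encryption and data transformations above so that even the bytecode array is not readable at rest.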

    Multi-Layered Code Obfuscation with Guardsquare

    Guardsquare’s DexGuard and iXGuard solutions are built to fortify apps with multiple layers of obfuscation. Along with implementing a wide range of obfuscation types, Guardsquare is constantly adding new techniques to improve the effectiveness of the hardening measures. By going both deeper and wider, comprehensive obfuscation can effectively prevent static analysis attempts.

    In addition, AppSweep is a mobile app security testing solution that can detect potential weaknesses in an app before attackers can. AppSweep is built on Guardsquare’s open source ProGuard technology, and Guardsquare is continuously improving the tool to better evaluate and identify potential pitfalls that could be further exploited with both static and dynamic analysis.
