Globally, 5.19 billion people use mobile phones, and 90 percent of their time is spent on apps. Despite the huge role mobile apps play in the economy, developers are often under pressure to deliver on short timelines. This often means mobile app security falls by the wayside and is only addressed after a security event occurs. However, proactive security measures such as code obfuscation and other app hardening techniques can help protect applications before they’re published.
In this post, we’ll look at how bad actors exploit vulnerable apps, define obfuscation, and give you three code obfuscation techniques to try today.
Reverse engineering is the process of taking apart a man-made object to understand how it was built or how it functions. In software, reverse engineering is often used for legitimate purposes, such as performing a security audit on a piece of software or ensuring that software integrates with other systems. But it can also be used for malicious or damaging ends.
Mobile applications are particularly vulnerable to reverse engineering since they ‘live’ outside the secured network perimeter of the application publisher, which means they are easy to access. It is often as easy as a bad actor going to one of the public app stores and downloading the targeted application (often after identifying the ones that are most vulnerable and unprotected). Once it’s downloaded, a reverse engineer can use readily available tools to decompile or disassemble the application in an effort to understand how it works.
The results of such efforts could include creating illegitimate copies of the software, stealing proprietary code, extracting information included in it, finding new but not yet released functionality, and more.
Code obfuscation is the process of making an application difficult or impossible to decompile or disassemble, and making whatever code is recovered more difficult for humans to read. Obfuscation is part of a broader mobile application hardening strategy, which also includes runtime application self-protection (RASP) and more (we’ll elaborate on that later). The goal of code obfuscation is to prevent any unauthorized party from accessing and gaining insight into the logic of an application, which in turn prevents them from extracting data, tampering with code, exploiting vulnerabilities, and more.
Code obfuscation is the standard technique to prevent hackers from decompiling or reverse engineering source code. Although code hardening is very effective when properly implemented, app security research conducted by Guardsquare found that the majority of Android financial services apps, retail apps and contact tracing apps for COVID-19 do not use the right amount or combination of obfuscation techniques.
While code obfuscation techniques vary, the most common one, name obfuscation, is often used in isolation. However, drawing from a larger set of obfuscation and application hardening techniques will ensure that an application is properly protected against bad actors. Here are three important obfuscation techniques.
Developers tend to choose meaningful names for classes, functions, and variables. This improves the readability of their software and makes it easier to debug.
The name obfuscation security technique consistently replaces these names with meaningless alternatives (or seemingly meaningful names that are actually completely fake) throughout the app. While changing these names may make them less obvious, bad actors can still decipher the overall program logic or use common reverse engineering tools to figure out your source code with no trouble. That’s why layering name obfuscation with the other techniques (including the ones below) is critical.
Control flow obfuscation will alter the structure of a mobile app’s code without affecting functionality. It’s an essential step to increase the complexity of the program logic so that even decompilers will not be able to parse it.
For example, a basic “if” statement would get replaced by something much harder to understand. It’s like a book that becomes very difficult to read, since you have no clue where the sentence you’re reading belongs within the narrative. Is it from the beginning, middle, or end? With control flow obfuscation, it’s impossible to tell.
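To make the "if statement replaced by something harder to understand" concrete, here is an added example (not code from the original post or from any obfuscation product) of control flow flattening. Python stands in for the Java or Kotlin an Android app would be written in; the PIN-check function and its inputs are constructed for illustration.

```python
# Original: written the way a developer would, as a readable chain of early returns.
def validate_pin(pin: str) -> str:
    if len(pin) != 4:
        return "bad-length"
    if not pin.isdigit():
        return "not-numeric"
    if pin == pin[0] * 4:
        return "too-weak"
    return "ok"

# Flattened: each basic block becomes one case of a dispatcher loop, the cases are
# shuffled, and control moves by assigning an arbitrary state constant. Behaviour
# is identical, but the decompiled output is a loop around a switch, with no
# visible nesting to tell the reader which check comes first.
def validate_pin_flattened(pin: str) -> str:
    state, result = 0x2F3, None
    while state:
        if state == 0x5A1:                           # check 3
            state = 0x0C8 if pin == pin[0] * 4 else 0x7E2
        elif state == 0x19D:                         # exit: not-numeric
            result, state = "not-numeric", 0
        elif state == 0x2F3:                         # entry, check 1
            state = 0x3B9 if len(pin) != 4 else 0x6D4
        elif state == 0x7E2:                         # exit: ok
            result, state = "ok", 0
        elif state == 0x6D4:                         # check 2
            state = 0x19D if not pin.isdigit() else 0x5A1
        elif state == 0x0C8:                         # exit: too-weak
            result, state = "too-weak", 0
        elif state == 0x3B9:                         # exit: bad-length
            result, state = "bad-length", 0
    return result

# Constructed inputs covering every path; used to confirm the transform preserved behaviour.
SAMPLE_PINS = ["1234", "0000", "12a4", "123", "98765", "", "7777", "4902"]

def behaviour_preserved(pins=SAMPLE_PINS) -> bool:
    return all(validate_pin(p) == validate_pin_flattened(p) for p in pins)

if __name__ == "__main__":
    for p in SAMPLE_PINS:
        print(repr(p), validate_pin(p), validate_pin_flattened(p))
    assert behaviour_preserved()
```

A real obfuscator applies this transformation automatically to every method and typically also encodes the state transitions, so the constants above are the simplest possible form of the idea.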
Arithmetic obfuscation hardens arithmetic calculations by replacing them with mathematically equivalent but more complex computations.
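The following added example (not code from the original post or from any obfuscation product) shows what "mathematically equivalent but more complex" looks like in practice: it rewrites the `+`, `-` and `^` operators in a small function into mixed boolean-arithmetic identities and checks that the result still computes the same values. Python's `ast` module is used as a stand-in for a bytecode-level tool; the `checksum` function and test inputs are constructed.

```python
import ast
import copy
import textwrap

class ArithmeticObfuscator(ast.NodeTransformer):
    """Rewrite integer +, - and ^ into equivalent mixed boolean-arithmetic (MBA) forms."""

    def visit_BinOp(self, node):
        self.generic_visit(node)                 # operands first, so nesting is handled bottom-up
        a, b, dup = node.left, node.right, copy.deepcopy   # operands are used twice: never share nodes
        one = ast.Constant(1)
        if isinstance(node.op, ast.Add):         # a + b == (a ^ b) + ((a & b) << 1)
            return ast.BinOp(ast.BinOp(dup(a), ast.BitXor(), dup(b)), ast.Add(),
                             ast.BinOp(ast.BinOp(dup(a), ast.BitAnd(), dup(b)), ast.LShift(), one))
        if isinstance(node.op, ast.Sub):         # a - b == (a ^ b) - ((~a & b) << 1)
            not_a = ast.UnaryOp(ast.Invert(), dup(a))
            return ast.BinOp(ast.BinOp(dup(a), ast.BitXor(), dup(b)), ast.Sub(),
                             ast.BinOp(ast.BinOp(not_a, ast.BitAnd(), dup(b)), ast.LShift(), one))
        if isinstance(node.op, ast.BitXor):      # a ^ b == (a | b) - (a & b)
            return ast.BinOp(ast.BinOp(dup(a), ast.BitOr(), dup(b)), ast.Sub(),
                             ast.BinOp(dup(a), ast.BitAnd(), dup(b)))
        return node

def obfuscate_source(source: str, func_name: str, rounds: int = 1):
    """Apply the rewrite `rounds` times (each round re-hides operators the last one introduced)."""
    tree = ast.parse(textwrap.dedent(source))
    for _ in range(rounds):
        tree = ArithmeticObfuscator().visit(tree)
    ast.fix_missing_locations(tree)
    namespace = {}
    exec(compile(tree, "<obfuscated>", "exec"), namespace)
    return namespace[func_name], ast.unparse(tree)

# Constructed sample: a small checksum-style helper of the kind found in app code.
CHECKSUM_SRC = """
def checksum(x, y):
    return (x + y) ^ (x - y)
"""

def behaviour_preserved(rounds: int = 2) -> bool:
    original, _ = obfuscate_source(CHECKSUM_SRC, "checksum", rounds=0)
    hardened, _ = obfuscate_source(CHECKSUM_SRC, "checksum", rounds=rounds)
    pairs = [(0, 0), (5, 3), (3, 5), (-7, 12), (2**40, -2**33), (-1, -1)]
    return all(hardened(x, y) == original(x, y) for x, y in pairs)

if __name__ == "__main__":
    _, src = obfuscate_source(CHECKSUM_SRC, "checksum", rounds=2)
    print(src)
    assert behaviour_preserved()
```

The identities hold for all Python integers and for fixed-width two's complement integers, which is why the same rewrites can be applied to Dalvik or JVM bytecode without changing a program's results.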
Besides the obfuscation techniques described above, developers should layer code hardening with multiple RASP techniques and real-time threat monitoring to secure their applications. RASP can detect runtime threats such as an application running on a rooted or jailbroken device or an attempt to modify app behavior through hooking, and trigger the application to react in a pre-programmed manner (such as terminating a user session). What’s more, real-time threat monitoring can detect attacks on downloaded applications as they happen, so you can stop them and shore up your security defenses for future releases.