How to Obfuscate Android & iOS Control Flows and Methods


Learn the 3 Easy Steps to Obfuscate Android & iOS Control Flows and Methods. Relocate Control Flows To Obscure the app Logic and prevent reverse enginering. No Code, No SDK.

This Knowledge Base article provides step-by-step instructions for using Appdome to add control flow relocation in mobile apps. Control flow relocation is one of the multiple methods you can use to obfuscate mobile apps.  You should obfuscate a mobile app as the first line of defense against reverse engineering – which hackers routinely do to: (1) learn how your app works (2) understand the app logic (3) find your app’s weak spots.  This article will take you 3 minutes to read, and 2 minutes to fix your app. And it applies to all Android and ioS apps no matter which framework you built the app in.

Background: why obfuscate mobile apps in the first place? 

In recent years, decompilers have reached a maturity level that allows recovering source code back from mobile apps with ease. Obfuscation has become a well established preventive measure developers use against static reverse engineering attempts. What sets various obfuscation solutions apart is several things: Ease of use (e.g., specialized compilers and post-build tools), Performance (i.e., performance penalty, if any) and the reference threat level.
Since eventually all defenses can be broken, which indicates how good a defense is the amount of work, expertise and time expected to break the defense.

We hope you find this knowledge base useful and enjoy using Appdome!

Appdome is no-code mobile security and mobile integration platform that allows users to add security features, like RASP, code obfuscation, data encryption and more, as well as mobile threat, mobile fraud, anti-bot, and other SDKs and APIs to Android and iOS apps. This KB describes how to use Appdome’s simple ‘click to build’ user interface to quickly and easily build Control Flow Relocation in any iOS and Android app in seconds without coding.

Using Appdome, there are no development or coding prerequisites. For example, there is no SDK, library, or plug-ins to implement. The Appdome technology adds Flow Relocation and relevant standards, frameworks, and more to the app automatically, with no manual development work at all.

Appdome’s Flow Relocation is a security feature that modifies a mobile app’s compiled code by obfuscating the logical control-flow of the app.  Appdome’s Flow-Relocation makes reverse engineering an arduous task while preserving the functionality and performance of the original app. Appdome with Flow-Relocation™ is compatible with mobile apps built in any development environment including Native Android and iOS apps, hybrid apps, and non-native apps built-in Xamarin, Cordova, and React Native, Ionic, and more. This streamlines implementations, cuts development work, and ensures a guaranteed and consistent integration of Flow-Relocation™ to any mobile app.

Control Flow Relocation in iOS Apps

In iOS, the application’s executable (see the structure of iOS applications) manifests as binary code. To make it un-parsable by reverse engineering tools, Appdome uses several techniques such as polymorphic unconditional branching in place of the original instructions so that the original instructions no longer appear in the application’s binary. This creates an appearance of spaghetti code which is extremely difficult to reverse engineer.

IMPORTANT: The feature is hardware-specific and only applies to ARM64 binaries. This means:

  1. Applications that do not have ARM64 support can not take advantage of Flow Relocation.
    This is in fact a remote use case as since iOS 11 (2017) there is no longer official support for ARMv7, meaning these applications will no longer work on contemporary devices.
  2. Applications with several architectures will be stripped to contain only ARM64. Keeping the other architectures will defeat the purpose of the obfuscation as the attacker can just try and reverse the non-obfuscated architecture’s code.

This feature works very well together with Binary Code Obfuscation to create an iron-clad anti-reversing shield for the application’s binary.

Control Flow Relocation in Android Apps.

In Android, compiled Java/Kotlin code resides in classes.dex files (see the structure of Android applications). The common toolbox to reverse engineer DEX files contains:  Disassemblers such as baksmali and dex2jar and decompilers such as jadx and jdgui. The purpose of control-flow relocation is to make these tools ineffective and even unusable. To do this, Appdome uses several techniques such as applying call obfuscation to the compiled Java code and modifying the function call targets to obscure functions. The original target of the function call is removed from the code and saved in an encrypted database. These obscure functions access the database to recover the original target of the call at run-time.

This obfuscation technique provides the following benefits:

  1. Trying to use offline reversing techniques on the application will fail as the “function tree” of the application will appear to be broken.
    For example, if for example, the application had the following functional path: login->verify-username->access-user-db, it will appear as two disconnected paths: login->a and verify-username->b. You will notice that access-user-db is not even referenced.
  2. The database access is highly optimized and performs without causing any slowdown to the application.
  3. Since the database is encrypted, it is protected by Appdome’s Anti-Tampering.
  4. In addition, any attempt to force this information out of the application using run-time methods will be met with Appdome’s Anti-Debugging.

If your application was developed using a non-native framework such as React-Native, Cordova or Xamarin, you might want to check out Non-Native Code Obfuscation.

If, on the other hand, your application has more native code in it, we recommend you check out Binary Code Obfuscation.

We are aware of course, that applications are not always perfect and there might be crashes here and there. We took special care when designing code flow relocation to make sure that the original flow is visible in the stack trace of Java exceptions.

This enables developers to quickly trace the source of a bug in the app, even when obfuscated.

Prerequisites for Using Appdome Flow Relocation

In order to use Appdome’s no-code implementation of Flow Relocation on Appdome, you’ll need:

How to add Control Flow Relocation to a Mobile App on Appdome

Follow these step-by-step instructions to add Appdome’s Flow Relocation to Any Mobile App:

Upload a Mobile App to Your Account

Please follow these steps to add a mobile app to your Appdome account.

If you don’t have an Appdome account, click here to create an account.

From the Build tab, Add Flow Relocation

Select the Build Tab.

Beneath the Build Tab, Select Security. Click to Open TOTALCode™ Obfuscation 

  1. Enable or Toggle “ON” Flow Relocation
  2. Optionally, enable Favor Loading Time (see below)
  3. Click Build My App

The technology behind Build My App has two major elements – (1) a microservice architecture filled with 1000s of code sets needed for mobile integrations, and (2) an adaptive code generation engine that can recognize the development environment, frameworks and methods in each app and match the app to the relevant code-sets needed to add the requested service to the mobile app in seconds.

Congratulations! When your integration is complete, you will see the notice below. You now have a mobile app fully integrated with Appdome’s Flow Relocation.


Favor Loading Time

Obfuscation decreases the efficiency of compression algorithms, so obfuscating all the code in the app may increase its loading time significantly. You can enable Favor Loading Time to automatically detect and optimize the obfuscation process of publicly available components to preserve the application loading time.

Please review this file to view all the libraries and files that will remain unobfuscated, with this toggle enabled.


After Adding Control Flow Relocation to the app

After you have added Flow Relocation to any Mobile App on Appdome, there are a few additional steps needed to complete your project.

Add Context™ to the Obfuscated App

Appdome is a full-featured mobile integration platform. Within Context™, Appdome users can brand the app, including adding a favicon to denote the new service added to the app.
For more information on the range of options available in Context™, please read this knowledge base article.

Sign the Obfuscated App (Required)

In order to deploy an Appdome-Built app, it must be signed. Signing the iOS app and Signing an Android app is easy using Appdome. Alternatively, you can use Private Signing, download your unsigned app and sign locally using your own signing methods.

Deploy the Obfuscated App to a Mobile Device

Once you have signed your Appdome-Built app, you can download it to deploy it using your distribution method of choice. For more information on deploying your Appdome-Built apps, please read this knowledge base.

That is it – Enjoy Appdome’s Flow Relocation in your app!

How Do I Learn More?

Flow Relocation is just one of the many features TOTALCode™ can offer in terms of code obfuscation.

If you have any questions, please send them our way at or via the chat window on the Appdome platform.

Thank you!

Thanks for visiting Appdome! Our mission is to make mobile integration easy. We hope we’re living up to the mission with your project. If you don’t already have an account, you can sign up for free

Dany Zatuchna

Have a question?

Ask an expert

GenerMaking your security project a success!

Get Your Copy
2021 Global Mobile
Consumer Security