Learn the 3 Easy Steps to Obfuscate Android & iOS Control Flows and Methods. Relocate Control Flows to Obscure the App Logic and Prevent Reverse Engineering. No Code, No SDK.
This Knowledge Base article provides step-by-step instructions for using Appdome to add control flow relocation in mobile apps. Control flow relocation is one of the multiple methods you can use to obfuscate mobile apps. You should obfuscate a mobile app as the first line of defense against reverse engineering, which hackers routinely do to: (1) learn how your app works, (2) understand the app logic, and (3) find your app’s weak spots. This article will take you 3 minutes to read, and 2 minutes to fix your app. It applies to all Android and iOS apps no matter which framework you built the app in.
Background: why obfuscate mobile apps in the first place?
In recent years, decompilers have reached a maturity level that allows recovering source code from mobile apps with ease. Obfuscation has become a well-established preventive measure that developers use against static reverse engineering attempts. Several things set the various obfuscation solutions apart: ease of use (e.g., specialized compilers and post-build tools), performance (i.e., the performance penalty, if any) and the reference threat level.
Since all defenses can eventually be broken, a defense is judged by the amount of work, expertise and time expected to break it.
We hope you find this knowledge base useful and enjoy using Appdome!
Appdome is a no-code mobile security and mobile integration platform that allows users to add security features, like RASP, code obfuscation, data encryption and more, as well as mobile threat, mobile fraud, anti-bot, and other SDKs and APIs to Android and iOS apps. This KB describes how to use Appdome’s simple ‘click to build’ user interface to quickly and easily build Control Flow Relocation in any iOS and Android app in seconds without coding.
Using Appdome, there are no development or coding prerequisites. For example, there is no SDK, library, or plug-ins to implement. The Appdome technology adds Flow Relocation and relevant standards, frameworks, and more to the app automatically, with no manual development work at all.
Appdome’s Flow Relocation is a security feature that modifies a mobile app’s compiled code by obfuscating the logical control flow of the app. Appdome’s Flow-Relocation makes reverse engineering an arduous task while preserving the functionality and performance of the original app. Appdome with Flow-Relocation™ is compatible with mobile apps built in any development environment, including native Android and iOS apps, hybrid apps, and non-native apps built in Xamarin, Cordova, React Native, Ionic, and more. This streamlines implementations, cuts development work, and ensures a guaranteed and consistent integration of Flow-Relocation™ to any mobile app.
In iOS, the application’s executable (see the structure of iOS applications) manifests as binary code. To make it un-parsable by reverse engineering tools, Appdome uses several techniques such as polymorphic unconditional branching in place of the original instructions so that the original instructions no longer appear in the application’s binary. This creates an appearance of spaghetti code which is extremely difficult to reverse engineer.
IMPORTANT: The feature is hardware-specific and only applies to ARM64 binaries. This means:
This feature works very well together with Binary Code Obfuscation to create an iron-clad anti-reversing shield for the application’s binary.
In Android, compiled Java/Kotlin code resides in classes.dex files (see the structure of Android applications). The common toolbox to reverse engineer DEX files contains disassemblers such as baksmali and dex2jar and decompilers such as jadx and jd-gui. The purpose of control-flow relocation is to make these tools ineffective and even unusable. To do this, Appdome uses several techniques such as applying call obfuscation to the compiled Java code and modifying the function call targets to obscure functions. The original target of the function call is removed from the code and saved in an encrypted database. These obscure functions access the database to recover the original target of the call at run-time.
This obfuscation technique provides the following benefits:
login->verify-username->access-user-db, it will appear as two disconnected paths:
verify-username->b. You will notice that access-user-db is not even referenced.
If your application was developed using a non-native framework such as React-Native, Cordova or Xamarin, you might want to check out Non-Native Code Obfuscation.
If, on the other hand, your application has more native code in it, we recommend you check out Binary Code Obfuscation.
We are aware, of course, that applications are not always perfect and there might be crashes here and there. We took special care when designing code flow relocation to make sure that the original flow is visible in the stack trace of Java exceptions.
This enables developers to quickly trace the source of a bug in the app, even when obfuscated.
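The call obfuscation and stack-trace behaviour described above can be sketched at source level. This is an added illustration, not Appdome's implementation or code from this article. The class name, the stub signature b(int, String), the XOR-masked table standing in for the encrypted database, and the use of reflection are all assumptions made for the example.

```java
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.nio.charset.StandardCharsets;
import java.util.Map;

public class FlowRelocationDemo {
    private static final byte KEY = 0x5A; // toy XOR key; stands in for real encryption
    // Stand-in for the encrypted database: call-site id -> "accessUserDb" XOR 0x5A.
    private static final Map<Integer, byte[]> TARGETS = Map.of(1, new byte[] {
        0x3B, 0x39, 0x39, 0x3F, 0x29, 0x29, 0x0F, 0x29, 0x3F, 0x28, 0x1E, 0x38});

    static String login(String user) throws Exception { return verifyUsername(user); }

    static String verifyUsername(String user) throws Exception {
        // Before relocation this was a direct call: return accessUserDb(user);
        return (String) b(1, user);
    }

    static String accessUserDb(String user) {
        if (user.isEmpty()) throw new IllegalArgumentException("empty username");
        return "record:" + user;
    }

    // Relocation stub: call sites reference only b(); the target is recovered at run time.
    static Object b(int site, String arg) throws Exception {
        byte[] enc = TARGETS.get(site);
        byte[] name = new byte[enc.length];
        for (int i = 0; i < enc.length; i++) name[i] = (byte) (enc[i] ^ KEY);
        Method m = FlowRelocationDemo.class.getDeclaredMethod(
            new String(name, StandardCharsets.UTF_8), String.class);
        try {
            return m.invoke(null, arg);
        } catch (InvocationTargetException e) {
            // Rethrow the target's own exception so its stack trace reaches the caller.
            if (e.getCause() instanceof Exception) throw (Exception) e.getCause();
            throw e;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(login("alice"));
        try {
            login("");
        } catch (IllegalArgumentException e) {
            // Frames of this class still include accessUserDb and its callers.
            for (StackTraceElement f : e.getStackTrace())
                if (f.getClassName().equals("FlowRelocationDemo"))
                    System.out.println("  at " + f.getMethodName());
        }
    }
}
```

A static call graph of this class shows login calling verifyUsername and verifyUsername calling b, with no edge to accessUserDb, while the exception raised inside accessUserDb still carries frames for accessUserDb, verifyUsername and login.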
In order to use Appdome’s no-code implementation of Flow Relocation on Appdome, you’ll need:
Follow these step-by-step instructions to add Appdome’s Flow Relocation to Any Mobile App:
Please follow these steps to add a mobile app to your Appdome account.
If you don’t have an Appdome account, click here to create an account.
Select the Build Tab.
Beneath the Build Tab, Select Security. Click to Open TOTALCode™ Obfuscation
The technology behind Build My App has two major elements – (1) a microservice architecture filled with 1000s of code sets needed for mobile integrations, and (2) an adaptive code generation engine that can recognize the development environment, frameworks and methods in each app and match the app to the relevant code-sets needed to add the requested service to the mobile app in seconds.
Congratulations! When your integration is complete, you will see the notice below. You now have a mobile app fully integrated with Appdome’s Flow Relocation.
Obfuscation decreases the efficiency of compression algorithms, so obfuscating all the code in the app may increase its loading time significantly. You can enable Favor Loading Time to automatically detect and optimize the obfuscation process of publicly available components to preserve the application loading time.
Please review this file to view all the libraries and files that will remain unobfuscated, with this toggle enabled.
After you have added Flow Relocation to any Mobile App on Appdome, there are a few additional steps needed to complete your project.
Appdome is a full-featured mobile integration platform. Within Context™, Appdome users can brand the app, including adding a favicon to denote the new service added to the app.
For more information on the range of options available in Context™, please read this knowledge base article.
In order to deploy an Appdome-Built app, it must be signed. Signing an iOS app and signing an Android app are easy using Appdome. Alternatively, you can use Private Signing, download your unsigned app and sign it locally using your own signing methods.
Once you have signed your Appdome-Built app, you can download it to deploy it using your distribution method of choice. For more information on deploying your Appdome-Built apps, please read this knowledge base.
That is it – Enjoy Appdome’s Flow Relocation in your app!
Flow Relocation is just one of the many features TOTALCode™ can offer in terms of code obfuscation.
If you have any questions, please send them our way at firstname.lastname@example.org or via the chat window on the Appdome platform.