How to add Native Code Obfuscation to any iOS, Android app

This Knowledge Base article provides detailed information on Appdome’s no-code mobile app obfuscation, including detailed step-by-step instructions on how to implement TOTALCode Obfuscation in any iOS or Android app in seconds – no coding required.

About Code Obfuscation for iOS and Android Apps

In recent years, decompilers have reached a maturity level that allows recovering source code back from mobile apps with ease. Obfuscation has become a well established preventive measure developers use against static reverse engineering attempts.

What sets various obfuscation solutions apart is several things:

  1. Ease of use
    This can range from using specialized compilers to post-build tools.
  2. Performance
    Some obfuscation methods incur a performance penalty, while others do not impact performance at all.
  3. Reference threat level
    Since eventually all defenses can be broken, which indicates how good a defense is the amount of work, expertise, and time expected to break the defense.

To understand what TOTALCode™ Obfuscation means, we must understand two things:

  1. What does code mean in the context of an application?
  2. What is obfuscation?

The goal of obfuscation is to make the app harder to reverse engineer, understand, model, and derive meaning from the app or its source code.

What is Source Code?

Code is any form of information that executes business logic.

So for example, the part of a navigation application that computes the faster route between two points is code. In this example, this is a part of the application that’s inherent to its function. You might say that this is what makes your application stand out among all other navigation applications. And as such, you might want to protect that code.

Another example would be a mobile banking application, where the code is in charge of assembling the correct requests to the bank’s servers to request a list of all transactions.

For different platforms, and in different circumstances, what we just defined as code will be contained in different forms in the application. Mobile app obfuscation helps you keep your code secure and private.

Code location in iOS apps
  1. In native apps, the code is part of the application executable (C/C++/Objective-C/Swift)
  2. For hybrid apps such as Cordova or React Native apps, ‘code’ is in the form of Javascript, CSS, or HTML5 and usually is stored inside the app
  3. In Xamarin apps. which are written in C#, code is located in DLL files
Code location in Android apps:
  1. DEX files for compiled Java code (Java/Kotlin)
  2. Native code (C/C++)
  3. Javascript code
  4. DLL files for Xamarin Android apps (C#)

What is Code Obfuscation?

Obfuscation is the process of taking code, and transforming in a way that makes it difficult or infeasible for an attacker to understand, but still functions correctly.

Common techniques range from things as complex as changing the build tools to emit convoluted machine code to modifying names/labels in the code to make them unintelligible to the human eye.

However, not all forms of mobile app obfuscation are sufficient or even applicable to all types of code.

For example, modifying names and eliminating format in Javascript code (a process called minification) is not extremely effective as the code basically remains a text file, and multiple tools can easily reverse the build and compile process and turn machine or intermediate code back into source code.

Encrypting Javascript/DLL is a more effective way to secure that code. Of course, this requires a mechanism that would still allow encrypted files to function.

Alternatively, compile-time obfuscation is meaningless for an executable that already exists.

Applying Appdome’s binary code obfuscation will be more effective.

Appdome’s TOTALCode™ Obfuscation is intelligent and capable enough to match the correct form of obfuscation to the type of code that needs obfuscation.

3 Easy Steps to add Native Code Obfuscation for iOS and Android apps without coding

Please follow these 3 easy steps to implement binary code obfuscation in any iOS or Android app 

  1. Upload an Android or iOS App to Appdome’s no code security platform (.apk, .aab, or .ipa)
  2. In the Build Tab, under Security, under TOTALCode Obfuscation, Select Binary Code Obfuscation (for native apps) 
  3. Click Build My App

Congratulations! The app is now protected with native code obfuscation.

Other Obufscation features (optional):

 

Appdome’s no-code mobile app security platform offers mobile developers, DevSec and security professionals a convenient and reliable way to protect Android and iOS apps with binary code obfuscation. When an Appdome user clicks “Build My App,” Appdome leverages a microservice architecture filled with 1000s of security plugins, and an adaptive code generation engine that matches the correct required plugins to the development environment, frameworks, and methods in each app.

Prerequisites for Binary Code Obfuscation for native iOS and Android apps

Here’s what you need to build secured apps with Appdome Binary Code Obfuscation for native iOS and Android apps

No Coding Dependency

Using Appdome, there are no development or coding prerequisites to build secured apps with native code obfuscation. There is no SDK and no library to manually code or implement in the app. The Appdome technology adds the relevant standards, frameworks, and logic to the app automatically, with no manual development work at all.

How to Sign & Publish Secured Mobile Apps Built on Appdome  

After successfully securing your app using Appdome, there are several available options to complete your project, depending on your app lifecycle or workflow. These include 

Or, see this quick reference Releasing Secured Android & iOS Apps built on Appdome. 

 How to Learn More

Check out other Appdome KBs related to Native Code Obfuscation:

  • Binary Code Obfuscation
    Obfuscating mobile apps modifies the application’s binary code to make it unrecognizable to reverse-engineering tools.
  • Flow Relocation
    Modify the application’s compiled code by hiding the logical flow of the code to make reverse engineering an arduous task, without impacting how the app functions.
  • Non-Native Code Obfuscation
    For applications that were developed using a non-native framework such as React-Native, Cordova, or Xamarin, Appdome obfuscates the non-native code. It’s worth noting that obfuscating non-native code is simply not achievable through manual code changes. This makes appdome the only solution on the market that can obfuscate non-native mobile apps comprehensively and effectively.
  • Strip Debug Information
    Eliminate all descriptive information from the application’s binaries. This information usually includes identifiers (variable and function names) and source code names/line numbers.
    Such information generally gets left inside the app after the build process.
  • Encrypt Strings and Resources
    Every application contains (embedded in its code) various string constants such as URLs, tokens, names of files, and so forth. These are a lucrative target for attackers as it gives them a very firm foot-hold on what a specific piece of code is responsible for, not to mention that some strings are valuable information in the own right (such as authentication tokens). Appdome locates those strings and additional resources, encrypts them, and makes sure they can only be accessed by the application itself. Naturally, if the application has been tampered with, Appdome will not allow access to those strings, thereby foiling attack attempts.

Thank you!

Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app security easy. We hope we’re living up to the mission with your project. If you don’t already have an account, you can sign up for free.

Dany Zatuchna

Have a question?

Ask an expert

ThomasMaking your security project a success!