How to Obfuscate Control Flows of an Android App Using Dex Relocation
Learn the 3 Easy Steps to Obfuscate Android Control Flows and Methods using Dex Relocation.
This Knowledge Base article provides step-by-step instructions for using Appdome to add Dex Relocation to protect Android apps against static code analysis and other forms of reverse engineering (where attackers attempt to analyze an application’s source code in order to derive meaning from the code and also to understand the application’s business logic). Control flow relocation is one of the multiple methods you can use to obfuscate mobile apps as a first line of defense.
Background: Why Code Obfuscation and Control Flow Obfuscation are Important
In recent years, decompilers have reached a maturity level that allows source code to be recovered from mobile apps with ease. Obfuscation has become a well-established preventive measure developers use against static reverse engineering attempts. What sets the various obfuscation solutions apart are several things: ease of use (e.g., specialized compilers versus post-build tools), performance (i.e., the performance penalty, if any) and the reference threat level.
Since every defense can eventually be broken, the measure of how good a defense is is the amount of work, expertise and time an attacker is expected to need to break it.
Control Flow Relocation Protects Against Malicious Reverse Engineering such as Static Code Analysis
In Android, compiled Java/Kotlin code resides in classes.dex files (see the structure of Android applications). The common toolbox for reverse engineering DEX files contains disassemblers (e.g., baksmali and dex2jar), decompilers (e.g., jadx and JD-GUI) and many more. Appdome’s Dex Relocation is a security feature that modifies a mobile app’s compiled code by obfuscating the logical control flow of the app. The purpose of control-flow relocation is to make reverse engineering tools ineffective or even unusable and to make the code difficult to trace and understand. To do this, Appdome uses several techniques, such as applying call obfuscation to the compiled Java code and redirecting function call targets to obscure functions. The original target of each function call is removed from the code and saved in an encrypted database. The obscure functions access the database at run time to recover the original target of the call whenever it is needed.
These obfuscation techniques provide the following benefits:
- Appdome features complement and reinforce each other, resulting in a stronger and more comprehensive defense.
- Trying to use offline reversing techniques on the application will fail, as the “function tree” of the application will appear to be broken. For example, if the application had the following functional path: login->verify-username->access-user-db, it might appear as two disconnected paths: verify-username->b. You will notice that access-user-db is not even referenced.
- If the application has more native code in it, then you should consider Binary Code Obfuscation to obfuscate native code and libraries. Binary Code Obfuscation is very often implemented alongside Dex Relocation and would further increase the difficulty of reverse engineering.
- It’s also a recommended best practice to strip debug information in your production builds to prevent attackers from gaining clues about what your code does or how your app functions by analyzing debug logs and stack traces.
- The database access is highly optimized and does not measurably impact the performance of the application.
- Since the database is encrypted, it is protected by Appdome’s Anti-Tampering.
- In addition, any attempt to force this information out of the application using other dynamic reverse engineering methods will be thwarted by Appdome’s Anti-Debugging, Checksum Validation, and other ONEShield protections.
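As an added illustration (not Appdome’s code and not the actual DEX transform), the following Python model shows why a static call graph loses edges after call-target relocation while the run-time path stays intact; the keyed XOR stands in for the real encrypted database, and the stub names and KEY are assumptions.

```python
import hashlib

ORIGINAL = {  # constructed sample app: the call graph as a decompiler would recover it
    "login": ["verify-username"],
    "verify-username": ["access-user-db"],
    "access-user-db": [],
}
KEY = b"example-key"  # assumed per-app secret standing in for the real database key

def _xor(data: bytes, key: bytes) -> bytes:
    """Toy keyed XOR standing in for real encryption (illustration only)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def relocate(graph):
    """Replace each direct call with a call to an opaque stub; the real target is
    removed from the code and kept only in an encrypted table keyed by stub name."""
    new_graph, table = {}, {}
    for caller, callees in graph.items():
        stubs = []
        for i, target in enumerate(callees):
            stub = "s_" + hashlib.sha256(f"{caller}:{i}".encode()).hexdigest()[:8]
            table[stub] = _xor(target.encode(), KEY)
            new_graph.setdefault(stub, [])  # stub body has no static callee
            stubs.append(stub)
        new_graph[caller] = stubs
    return new_graph, table

def resolve(stub, table):
    """Run-time side: the stub decrypts its own entry to find the real target."""
    return _xor(table[stub], KEY).decode()

def reachable(graph, root):
    """Methods a static analyzer reaches from root by following direct edges only."""
    seen, stack = set(), [root]
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(graph.get(node, []))
    return seen

def runtime_path(graph, table, root):
    """Actual execution path once each stub resolves its target at run time."""
    path, cur = [root], root
    while graph.get(cur):
        nxt = graph[cur][0]
        cur = resolve(nxt, table) if nxt in table else nxt
        path.append(cur)
    return path
```

Static reachability from login stops at the first stub and access-user-db is no longer referenced by any method, yet runtime_path still walks login, verify-username, access-user-db.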
If your application was developed using non-native frameworks such as React-Native, Cordova or Xamarin, you should also consider adding Non-Native Code Obfuscation.
3 Easy Steps to Add Dex Relocation to any Android App
Please follow these 3 easy steps to implement Dex Relocation in Android apps.
- Upload an Android app (.apk, .aab)
- Navigate to Build > Security > TOTALCode™ Obfuscation and toggle Dex Relocation “ON”
- Optionally, you can enable Favor Loading Time (if you want to further optimize the application loading time).
- Click Build My App
Congratulations! Your Android app is now secured with Appdome Dex Relocation and much more.
Appdome’s no-code mobile app security platform offers mobile developers, DevSec and security professionals a convenient and reliable way to implement mobile app security with no coding. When an Appdome user clicks “Build My App,” Appdome leverages a microservice architecture filled with 1000s of security plugins and an adaptive code generation engine that matches the required plugins to the development environment, frameworks, and methods in each app. Appdome is compatible with mobile apps built in any development environment, including native Android and iOS apps, hybrid apps, and non-native apps built in Xamarin, Cordova, React Native, Ionic, and more. This streamlines implementations, cuts development work, and ensures a guaranteed and consistent protection model for the app.
Additional Notes on Dex Relocation: Performance and Troubleshooting
Obfuscation decreases the efficiency of compression algorithms, so obfuscating all the code in the app may increase its loading time. You can enable Favor Loading Time to automatically detect and optimize the obfuscation process of publicly available components to preserve the application loading time. Please review this file to view all the libraries and files that will remain unobfuscated if you enable Favor Loading Time.
We are aware, of course, that applications are not always perfect and there might be crashes here and there. We took special care when designing code flow relocation to make sure that the original flow remains visible in the stack trace of Java exceptions, which enables developers to quickly trace the source of a bug in the app, even when it is obfuscated.
Prerequisites for Dex Relocation
Here’s what you need to build secured apps with Dex Relocation:
- Appdome account (If you don’t have an Appdome account, create a free Appdome account here)
- Mobile App
- Signing Credentials (e.g., signing certificates and provisioning profile)
No Coding Dependency
How to Sign & Publish Secured Mobile Apps Built on Appdome
After successfully securing your app using Appdome, there are several available options to complete your project, depending on your app lifecycle or workflow. These include:
- Signing Secure iOS and Android apps
- Customizing, Configuring & Branding Secure Mobile Apps
- Deploying/Publishing Secure mobile apps to Public or Private app stores
Or, see this quick reference Releasing Secured Android & iOS Apps built on Appdome.
How to Learn More
Check out the following related KB articles:
If you have any questions, please send them our way at firstname.lastname@example.org or via the chat window on the Appdome platform.
Or request a demo at any time.
Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app security easy. We hope we’re living up to the mission with your project. If you don’t already have an account, you can sign up for free.