Learn the 3 Easy Steps to Obfuscate Android Control Flows and Methods using Dex Relocation.
This Knowledge Base article provides step-by-step instructions for using Appdome to add Dex Relocation to protect Android apps against static code analysis and other forms of reverse engineering (where attackers attempt to analyze an application’s source code in order to derive meaning from the code and also to understand the application’s business logic). Control flow relocation is one of the multiple methods you can use to obfuscate mobile apps as a first line of defense.
In recent years, decompilers have reached a maturity level that allows source code to be recovered from mobile apps with ease. Obfuscation has become a well-established preventive measure developers use against static reverse engineering attempts. Several things set obfuscation solutions apart: ease of use (e.g., specialized compilers and post-build tools), performance (i.e., the performance penalty, if any) and the reference threat level.
Since all defenses can eventually be broken, a defense is judged by the amount of work, expertise and time expected to break it.
In Android, compiled Java/Kotlin code resides in classes.dex files (see the structure of Android applications). The common toolbox for reverse engineering DEX files contains disassemblers (e.g., baksmali and dex2jar), decompilers (e.g., jadx and JD-GUI) and many more. Appdome’s Dex Relocation is a security feature that modifies a mobile app’s compiled code by obfuscating the logical control-flow of the app. The purpose of control-flow relocation is to make reverse engineering tools ineffective and even unusable and to make the code difficult to trace and understand. To do this, Appdome uses several techniques such as applying call obfuscation to the compiled Java code and modifying the function call targets to obscure functions. The original target of the function call is removed from the code and saved in an encrypted database. The obscure functions access the database to recover the original target of the call at run time whenever it’s needed.
These obfuscation techniques provide the following benefits:
login->verify-username->access-user-db, it might appear as two disconnected paths: verify-username->b. You will notice that access-user-db is not even referenced.
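The call relocation described above can be sketched in plain Java. This is an added example, not Appdome's implementation or code from the original article: the class RelocationDemo, the single stub a, the call-site ids, the AES-GCM table and the sample user names are all assumptions made for illustration, and the table is filled at start-up here where a post-build tool would do it at build time.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.lang.reflect.Method;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;

public class RelocationDemo {
    // Hypothetical stand-in for the encrypted database:
    // call-site id -> { IV, AES-GCM ciphertext of the real target's name }.
    static final Map<Integer, byte[][]> TABLE = new HashMap<>();
    static SecretKey key;

    // Build-time step in a real tool; done at start-up here to keep the demo self-contained.
    static void relocate(int site, String target) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        TABLE.put(site, new byte[][] { iv, c.doFinal(target.getBytes(StandardCharsets.UTF_8)) });
    }

    // Obscure function: the only callee a decompiler sees at each relocated call site.
    static Object a(int site, Object arg) throws Exception {
        byte[][] entry = TABLE.get(site);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, entry[0]));
        String target = new String(c.doFinal(entry[1]), StandardCharsets.UTF_8);
        Method m = RelocationDemo.class.getDeclaredMethod(target, String.class);
        return m.invoke(null, arg); // static method, so no receiver
    }

    // Relocated flow: neither method names its real callee any more.
    static boolean login(String user) throws Exception { return (Boolean) a(1, user); }
    static boolean verifyUsername(String user) throws Exception { return (Boolean) a(2, user); }
    static boolean accessUserDb(String user) { return "alice".equals(user); } // constructed data

    public static void main(String[] args) throws Exception {
        key = KeyGenerator.getInstance("AES").generateKey();
        relocate(1, "verifyUsername");
        relocate(2, "accessUserDb");
        System.out.println("alice: " + login("alice"));
        System.out.println("mallory: " + login("mallory"));
    }
}
```

In this sketch a static call graph of login and verifyUsername shows only edges into a, while an exception thrown inside accessUserDb would still carry login, verifyUsername and accessUserDb frames in its stack trace.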
If your application was developed using non-native frameworks such as React-Native, Cordova or Xamarin, you should also consider adding Non-Native Code Obfuscation.
Please follow these 3 easy steps to implement Dex Relocation in Android apps.
Congratulations! Your Android app is now secured with Appdome Dex Relocation and much more.
Appdome’s no-code mobile app security platform offers mobile developers, DevSec and security professionals a convenient and reliable way to implement mobile app security with no coding. When an Appdome user clicks “Build My App,” Appdome leverages a microservice architecture filled with 1000s of security plugins, and an adaptive code generation engine that matches the correct required plugins to the development environment, frameworks, and methods in each app. Appdome is compatible with mobile apps built in any development environment, including native Android and iOS apps, hybrid apps, and non-native apps built in Xamarin, Cordova, React Native, Ionic, and more. This streamlines implementations, cuts development work, and ensures a guaranteed and consistent protection model for the app.
Obfuscation decreases the efficiency of compression algorithms, so obfuscating all the code in the app may increase its loading time. You can enable Favor Loading Time to automatically detect and optimize the obfuscation process of publicly available components to preserve the application loading time. Please review this file to view all the libraries and files that will remain unobfuscated if you enable Favor Loading Time.
We are aware, of course, that applications are not always perfect and there might be crashes here and there. We took special care when designing code flow relocation to make sure that the original flow is visible in the stack trace of Java exceptions, which enables developers to quickly trace the source of a bug in the app, even when obfuscated.
Here’s what you need to build secured apps with Dex Relocation
After successfully securing your app using Appdome, there are several available options to complete your project, depending on your app lifecycle or workflow. These include:
Or, see this quick reference Releasing Secured Android & iOS Apps built on Appdome.
If you have any questions, please send them our way at email@example.com or via the chat window on the Appdome platform.