How to Obfuscate Control Flows of an Android App Using Dex Relocation

Learn the 3 Easy Steps to Obfuscate Android Control Flows and Methods using Dex Relocation.

This Knowledge Base article provides step-by-step instructions for using Appdome to add Dex Relocation to protect Android apps against static code analysis and other forms of reverse engineering (where attackers analyze an application’s code in order to derive meaning from it and to understand the application’s business logic). Control flow relocation is one of several methods you can use to obfuscate mobile apps as a first line of defense.

Background: Why Code Obfuscation and Control Flow Obfuscation are Important

In recent years, decompilers have matured to the point where source code can be recovered from mobile apps with ease. Obfuscation has become a well-established preventive measure that developers use against static reverse engineering. What sets obfuscation solutions apart is ease of use (e.g., specialized compilers versus post-build tools), performance (i.e., the run-time penalty, if any) and the reference threat level.
Since eventually every defense can be broken, the measure of how good a defense is the amount of work, expertise and time expected to break it.

Control Flow Relocation Protects Against Malicious Reverse Engineering such as Static Code Analysis

In Android, compiled Java/Kotlin code resides in classes.dex files (see the structure of Android applications). The common toolbox for reverse engineering DEX files includes disassemblers (e.g., baksmali and dex2jar), decompilers (e.g., jadx and JD-GUI) and many more. Appdome’s Dex Relocation is a security feature that modifies a mobile app’s compiled code by obfuscating the logical control flow of the app. The purpose of control-flow relocation is to make reverse engineering tools ineffective or even unusable and to make the code difficult to trace and understand. To do this, Appdome uses several techniques, such as applying call obfuscation to the compiled Java code and modifying the function call targets to point at obscure functions. The original target of each function call is removed from the code and saved in an encrypted database. The obscure functions access the database to recover the original target of the call at run time whenever it is needed.

These obfuscation techniques provide the following benefits:

  1. Appdome features complement and reinforce each other, resulting in a stronger and more comprehensive defense.
  2. Trying to use offline reversing techniques on the application will fail as the “function tree” of the application will appear to be broken. For example, if the application had the following functional path: login->verify-username->access-user-db, it might appear as two disconnected paths: login->a and verify-username->b. You will notice that access-user-db is not even referenced.
  3. If the application has more native code in it, then you should consider Binary Code Obfuscation to obfuscate native code and libraries. Binary Code Obfuscation is very often implemented alongside Dex Relocation and would further increase the difficulty of reverse engineering.
  4. It’s also a recommended best practice to strip debug information in your production builds to prevent attackers from gaining clues about what your code does or how your app functions by analyzing debug logs and stack traces.
  5. The database access is highly optimized and does not impact the performance of the application or slow things down.
  6. Since the database is encrypted, it is protected by Appdome’s Anti-Tampering. 
  7. In addition, any attempt to force this information out of the application using other dynamic reverse engineering methods will be thwarted by Appdome’s Anti-Debugging, Checksum Validation, and other ONEShield protections.
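As an added illustration (not Appdome’s code and not its actual mechanism), the following Java sketch simulates the idea described above and in point 2: the direct chain login -> verifyUsername -> accessUserDb beside a relocated version in which every call site jumps to one opaque method a() that recovers the real target from an encrypted table at run time. The XOR-encoded table and the reflection-based lookup are assumptions made for this demonstration only.

```java
import java.lang.reflect.Method;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

public class RelocationDemo {
    // --- Original, direct call chain: login -> verifyUsername -> accessUserDb ---
    static String accessUserDb(String user) { return "record:" + user; }
    static String verifyUsername(String user) { return accessUserDb(user.trim()); }
    static String login(String user) { return verifyUsername(user); }

    // --- Relocated form (simulation). Call sites no longer name their targets; they
    // jump to the opaque dispatcher a(), which recovers the target from a table that
    // is stored encrypted. XOR with a constant is a stand-in here, not a real cipher. ---
    static final byte KEY = 0x5A;
    static final Map<Integer, byte[]> TABLE = new HashMap<>();
    static {
        TABLE.put(1, enc("relocatedVerifyUsername"));  // what relocatedLogin really calls
        TABLE.put(2, enc("accessUserDb"));             // what relocatedVerifyUsername really calls
    }
    static byte[] enc(String s) {
        byte[] b = s.getBytes(StandardCharsets.UTF_8);
        for (int i = 0; i < b.length; i++) b[i] ^= KEY;
        return b;
    }
    static String dec(byte[] c) {
        byte[] b = new byte[c.length];
        for (int i = 0; i < c.length; i++) b[i] = (byte) (c[i] ^ KEY);
        return new String(b, StandardCharsets.UTF_8);
    }
    // Opaque target: a static call graph shows every relocated call ending here.
    static String a(int id, String arg) {
        try {
            Method m = RelocationDemo.class.getDeclaredMethod(dec(TABLE.get(id)), String.class);
            return (String) m.invoke(null, arg);
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException("relocated target missing for id " + id, e);
        }
    }
    static String relocatedLogin(String user) { return a(1, user); }                 // login -> a
    static String relocatedVerifyUsername(String user) { return a(2, user.trim()); } // verifyUsername -> a
    // Note: accessUserDb is never referenced directly anywhere in the relocated chain.

    public static void main(String[] args) {
        String direct = login("  alice ");
        String relocated = relocatedLogin("  alice ");
        System.out.println(direct + " == " + relocated + " -> " + direct.equals(relocated));
    }
}
```

Running a decompiler over only the relocated half would show login and verifyUsername both ending at a(), with accessUserDb apparently unused, which is the broken “function tree” the article describes.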

If your application was developed using non-native frameworks such as React-Native, Cordova or Xamarin, you should also consider adding Non-Native Code Obfuscation.


3 Easy Steps to Add Dex Relocation to any Android App

Please follow these 3 easy steps to implement Dex Relocation in Android apps. 

  1. Upload an Android app (.apk, .aab)
  2. Navigate to Build > Security > TOTALCode™ Obfuscation and toggle “ON” Dex Relocation.
    • Optionally, you can enable Favor Loading Time (if you want to further optimize the application loading time).
  3. Click Build My App


Congratulations! Your Android app is now secured with Appdome Dex Relocation and much more.



Appdome’s no-code mobile app security platform offers mobile developers, DevSec and security professionals a convenient and reliable way to implement mobile app security with no coding. When an Appdome user clicks “Build My App,” Appdome leverages a microservice architecture filled with 1000s of security plugins and an adaptive code generation engine that matches the required plugins to the development environment, frameworks, and methods in each app. Appdome is compatible with mobile apps built in any development environment, including native Android and iOS apps, hybrid apps, and non-native apps built in Xamarin, Cordova, React Native, Ionic, and more. This streamlines implementations, cuts development work, and ensures a guaranteed and consistent protection model for the app.

Additional Notes on Dex Relocation: Performance and Troubleshooting

Obfuscation decreases the efficiency of compression algorithms, so obfuscating all the code in the app may increase its loading time. You can enable Favor Loading Time to automatically detect and optimize the obfuscation process of publicly available components to preserve the application loading time. Please review this file to view all the libraries and files that will remain unobfuscated if you enable Favor Loading Time.

We are aware, of course, that applications are not always perfect and there might be crashes here and there. We took special care when designing code flow relocation to make sure that the original flow remains visible in the stack trace of Java exceptions, which enables developers to quickly trace the source of a bug in the app, even when it is obfuscated.

Appdome’s Dex Relocation feature changes the app’s logical flows but does not rename variables, functions, classes or methods. Therefore, no mapping file or script is required for troubleshooting.
However, if you implement other Appdome obfuscation features, such as Obfuscate App Logic, where function/method calls, classes and packages are renamed dynamically, you can obtain a mapping file from the Build History within your Appdome account.

Prerequisites for Dex Relocation

Here’s what you need to build secured apps with Dex Relocation

No Coding Dependency

Using Appdome, there are no development or coding prerequisites to secure iOS and Android apps using Dex Relocation. There is no SDK and no library to manually code or implement in the app. The Appdome technology adds the relevant standards, frameworks, and logic to the app automatically, with no manual development work at all.

How to Sign & Publish Secured Mobile Apps Built on Appdome

After successfully securing your app using Appdome, there are several available options to complete your project, depending on your app lifecycle or workflow. These include


Or, see this quick reference Releasing Secured Android & iOS Apps built on Appdome.

How to Learn More

Check out the following related KB articles:

How to Obfuscate Non-Native Android & iOS Code and Frameworks

How to add Native Code Obfuscation to any iOS, Android app

How to Encrypt Java Class Files (.dex) in Android Apps

Appdome ONEShield Mobile App Hardening

If you have any questions, please send them our way at support@appdome.com or via the chat window on the Appdome platform.

Or request a demo at any time.

Thank you!

Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app security easy. We hope we’re living up to the mission with your project. If you don’t already have an account, you can sign up for free.


Alan Bavosa
