How to Obfuscate App Logic of an iOS or Android App
Learn 3 easy steps to Obfuscate App Logic of Android and iOS applications in order to prevent reverse engineering via static code analysis.
What is Static Code Analysis?
Static Code Analysis is a type of reverse engineering where an attacker attempts to analyze the source code of an iOS or Android application in order to understand what the source code does and how it does it – all without running the app. There are many tools, techniques and methods hackers use to analyze source code and the internal application logic. For example, hackers use freely available tools like Hopper, IDA-Pro, Ghidra (disassemblers) as well as APKTool, Dex2Jar, JD-GUI (decompilers) in order to convert binary code (which is not human-readable) back into assembly code or original source code (which is human-readable) – all for the purpose of understanding the functionality of the code or tracing the logical execution path of the code (for instance by building a call-graph).
What is Code Obfuscation?
Code obfuscation is the act of deliberately obscuring the code of a mobile application in order to make it extremely difficult for humans to understand, and/or to defeat reverse engineering tools like decompilers and disassemblers. Obfuscation completely alters the code without impacting the functionality.
While there are many different methods and techniques to obfuscate mobile application code, Obfuscating App Logic is an effective way of preventing attackers from using static code analysis to understand the application’s logical flow, especially when combined with other obfuscation techniques such as binary code obfuscation and application shielding.
How to Obfuscate App Logic of Android and iOS apps
Obfuscate App Logic is one of the obfuscation methods available as part of Appdome’s TOTALCode Obfuscation solution. When customers enable Obfuscate App Logic, all application logic classes and methods will be obfuscated and renamed to random strings. Appdome automatically leaves open-source libraries unobfuscated. When combined with string encryption and Strip Debug Information, understanding what the code does becomes very difficult and impractical.
When you enable Appdome’s Obfuscate App Logic feature, the following protections are included automatically:
- Obfuscate Package Names – Obfuscates package and class names within the application’s business logic
- Obfuscate Dynamic Classes – Obfuscates (renames) classes to random strings.
- Obfuscate Dynamic Methods – Obfuscates (renames) methods to random strings.
- Obfuscate Linkages and Reflection – Supports obfuscation of classes and methods used in reflection and in JNI up-calls and down-calls.
- Obfuscate Crashes – Obfuscates methods and classes in crashes and stack traces
In addition, unlike 3rd party obfuscation solutions, Appdome handles Reflections and function names that are being called through JNI up-calls (from C/C++ to Java/Kotlin) and down-calls (from Java/Kotlin to C/C++).
The classes and methods are obfuscated in the crashes and stack traces, so an attacker will not be able to understand the names even if a crash is triggered.
Optionally, to facilitate debugging, a mapping file can be downloaded in order to de-obfuscate the crashes, logs, etc.
To download the mapping file, click the ‘Build History’ button. In the ‘App Workflow Summary’, if the app was built with Obfuscate App Logic, you will see a button for “Download Obfuscation Mapping Files”. This will download a zip file with two files:
- mapping.txt – a mapping file in the same format as ProGuard and R8. It can be uploaded to Google Play, Crashlytics, Bugsnag, etc.
- deobfuscate_mapping_script_<build id>.py – A Python script that takes any text file (crash log, stack trace, etc.) as input and outputs a text file with all the obfuscated references de-obfuscated.
Note: The mapping zip file can also be downloaded via Appdome’s REST API using https://fusion.appdome.com/api/v1/tasks/<task_id>/output?action=deobfuscation_script
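To show how a ProGuard/R8-format mapping.txt reverses renamed frames in a crash log, here is an added example; it is not Appdome's deobfuscate_mapping_script and not code from the original article. The class names, random strings and stack trace are constructed, and the remapping of original line numbers that R8 can record after the method signature is ignored.

```python
import re

# Constructed sample in ProGuard/R8 mapping format (not from a real build).
SAMPLE_MAPPING = """\
com.example.bank.LoginManager -> xqzt.kfwp:
    java.lang.String token -> a
    10:24:boolean verifyPin(java.lang.String) -> a
    30:41:void lockAccount() -> a
    50:58:void refresh() -> b
"""
# Constructed obfuscated stack trace.
SAMPLE_TRACE = """\
java.lang.IllegalStateException: pin check failed
    at xqzt.kfwp.a(SourceFile:17)
    at xqzt.kfwp.b(SourceFile:52)
    at xqzt.kfwp.a(Unknown Source)
    at android.os.Handler.dispatchMessage(Handler.java:106)
"""
CLASS_RE = re.compile(r"^(\S+) -> (\S+):$")
METHOD_RE = re.compile(
    r"^\s+(?:(\d+):(\d+):)?\S+ ([\w$<>]+)\([^)]*\)(?::\d+)* -> (\S+)$")
FRAME_RE = re.compile(r"\bat ([\w$.]+)\.([\w$<>]+)\(([^:()]*)(?::(\d+))?\)")

def parse_mapping(text):
    """Return {obf_class: (orig_class, {obf_method: [(start, end, orig)]})}."""
    classes, current = {}, None
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            current = {}
            classes[m.group(2)] = (m.group(1), current)
        elif (m := METHOD_RE.match(line)) and current is not None:
            start, end, orig, obf = m.groups()
            span = (int(start), int(end)) if start else (None, None)
            current.setdefault(obf, []).append((*span, orig))
    return classes

def retrace(trace, classes):
    """Rewrite obfuscated frames; frames of unmapped classes are left as-is."""
    def fix(m):
        cls, meth, src, line = m.groups()
        if cls not in classes:
            return m.group(0)
        orig_cls, methods = classes[cls]
        cands = methods.get(meth, [])
        if line:  # overloads share one obfuscated name; line ranges split them
            cands = [c for c in cands
                     if c[0] is not None and c[0] <= int(line) <= c[1]] or cands
        names = "|".join(sorted({c[2] for c in cands})) or meth
        return f"at {orig_cls}.{names}({src}{':' + line if line else ''})"
    return FRAME_RE.sub(fix, trace)
```

Whoever holds mapping.txt can undo the renaming in the same way, so keep the mapping zip under the same access controls as the app's source code and share it only with the crash-reporting services that need it.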
3 Easy Steps to Obfuscate App Logic of Android and iOS apps
Please follow these 3 easy steps to Obfuscate App Logic of iOS and Android apps to prevent attackers from understanding the application’s control flows via static code analysis.
- Upload an Android or iOS app (.apk, .aab, or .ipa)
- In the Build Tab, under TOTALCode Obfuscation, toggle-on Obfuscate App Logic
- Click Build My App
- Optionally, you can choose to Exclude Specific Classes from being obfuscated.
Congratulations! Your mobile application’s logic is now obfuscated.
Appdome’s no-code mobile app security platform offers mobile developers, DevSec and security professionals a convenient and reliable way to Obfuscate App Logic. When an Appdome user clicks “Build My App,” Appdome leverages a microservice architecture filled with 1000s of security plugins, and an adaptive code generation engine that matches the correct required plugins to the development environment, frameworks, and methods in each app.
Prerequisites
Here’s what you need to build secured apps with Obfuscate App Logic
- Appdome account (If you don’t have an Appdome account, create a free Appdome account here)
- A license to Obfuscate App Logic
- Mobile App
- Signing Credentials (e.g., signing certificates and provisioning profile)
No Coding Dependency
How to Sign & Publish Secured Mobile Apps Built on Appdome
After successfully securing your app using Appdome, there are several available options to complete your project, depending on your app lifecycle or workflow. These include:
- Signing Secure iOS and Android apps
- Customizing, Configuring & Branding Secure Mobile Apps
- Deploying/Publishing Secure mobile apps to Public or Private app stores
Or, see this quick reference Releasing Secured Android & iOS Apps built on Appdome.
How to Learn More
Check out the following related KB articles:
How to Obfuscate Non-Native Android & iOS Code and Frameworks
How to add Native Code Obfuscation to any iOS, Android app
How to Encrypt Java Class Files (.dex) in Android Apps
Appdome ONEShield Mobile App Hardening
If you have any questions, please send them our way at support@appdome.com or via the chat window on the Appdome platform.
Or request a demo at any time.