How to Obfuscate App Logic of an iOS or Android App

Learn 3 easy steps to Obfuscate App Logic of Android and iOS applications in order to prevent reverse engineering via static code analysis.

What is Static Code Analysis?

Static Code Analysis is a type of reverse engineering where an attacker attempts to analyze the source code of an iOS or Android application in order to understand what the source code does and how it does it – all without running the app. There are many tools, techniques and methods hackers use to analyze source code and the internal application logic. For example, hackers use freely available tools like Hopper, IDA-Pro, Ghidra (disassemblers) as well as APKTool, Dex2Jar, JD-GUI (decompilers) in order to covert binary code (which is not human-readable) back into assembly code or original source code (which human-readable) – all for the purpose of understanding the functionality of the code or to trace the logical execution path of the code (for instance by building a call-graph).

What is Code Obfuscation?

Code obfuscation is the act of deliberately obscuring the code of a mobile application in order to make it extremely difficult for humans to understand, and/or to defeat reverse engineering tools like decompilers and disassemblers. Obfuscation completely alters the code without impacting the functionality.

While there are many different methods and techniques to obfuscate mobile application code, Obfuscating App Logic is an effective way of preventing attackers from using static code analysis to understand the application’s logical flow, especially when combined with other obfuscation techniques such as binary code obfuscation and application shielding.

How to Obfuscate App Logic of Android and iOS apps

Obfuscate App Logic is one of the obfuscation methods available as part of Appdome’s TOTALCode Obfuscation solution. When customers enable Obfuscate App Logic, all application logic classes and methods will be obfuscated and renamed to random strings. Appdome automatically keeps open-source libraries non obfuscated.  When combined with string encryption and Strip Debug Information, understanding what the code does is very difficult and impractical.

When you enable Appdome’s Obfuscate App Logic feature, the following protections are included automatically:

• Obfuscate Package Names – Obfuscates package and class names within the application’s business logic
• Obfuscate Dynamic Classes – Obfuscates (renames) classes to random strings.
• Obfuscate Dynamic Methods – Obfuscates (renames) methods to random strings.
• Obfuscate Linkages and Reflection – Supports obfuscation of classes and methods used in reflection and in JNI up-calls and down-calls.
  
• Obfuscate Crashes – Obfuscates methods and classes in crashes and stack traces

In addition, unlike 3rd party obfuscation solutions, Appdome handles Reflections and function names that are being called through JNI up-calls (from C/C++ to Java/Kotlin) and down-calls (from Java/Kotlin to C/C++).
The classes and methods are obfuscated in the crashes and stack traces, so an attacker will not be able to understand the names even if a crash is triggered.

Optionally, to facilitate debugging, a mapping file can be downloaded in order to de-obfuscate the crashes, logs, etc.
The mapping file can be downloaded either by clicking on the ‘Build History’ button and in the ‘App Workflow Summary’, if the app was built with Obfuscate App Logic, you will see a button for “Download Obfuscation Mapping Files”. This will download a zip file with two files:

• mapping.txt – a mapping file in the same format of ProGuard, and R8 format. Can be uploaded to GooglePlay, Crashlytics, Bugsnag, etc
• deobfuscate_mapping_script_<build id>.py – A python script that inputs any text file (crash log, stack trace, etc) and outputs a text file with all the obfuscated references de-obfuscated.

Note:The mapping zip file, can also be downloaded via Appdome’s REST API using https://fusion.appdome.com/api/v1/tasks/<task_id>/output?action=deobfuscation_script

3 Easy Steps to Obfuscate App Logic of Android and iOS apps

Please follow these 3 easy steps to Obfuscate App Logic of iOS and Android apps to prevent attackers from understanding the application’s control flows via static code analysis.

1. Upload an Android or iOS app (.apk, .aab, or .ipa)
2. In the Build Tab, under TOTALCode Obfuscation, toggle-on Obfuscate App Logic 
3. Click Build My App

• • Optionally, you can choose to Exclude Specific Classes from being obfuscated:

Alan Bavosa