How to Obfuscate App Logic of an iOS or Android App

Learn 3 easy steps to Obfuscate App Logic of Android and iOS applications in order to prevent reverse engineering via static code analysis.

What is Static Code Analysis?

Static Code Analysis is a type of reverse engineering where an attacker attempts to analyze the source code of an iOS or Android application in order to understand what the source code does and how it does it – all without running the app. There are many tools, techniques and methods hackers use to analyze source code and the internal application logic. For example, hackers use freely available tools like Hopper, IDA-Pro, Ghidra (disassemblers) as well as APKTool, Dex2Jar, JD-GUI (decompilers) in order to convert binary code (which is not human-readable) back into assembly code or original source code (which is human-readable) – all for the purpose of understanding the functionality of the code or tracing the logical execution path of the code (for instance by building a call-graph).

What is Code Obfuscation?

Code obfuscation is the act of deliberately obscuring the code of a mobile application in order to make it extremely difficult for humans to understand, and/or to defeat reverse engineering tools like decompilers and disassemblers. Obfuscation completely alters the code without impacting the functionality.

While there are many different methods and techniques to obfuscate mobile application code, Obfuscating App Logic is an effective way of preventing attackers from using static code analysis to understand the application’s logical flow, especially when combined with other obfuscation techniques such as binary code obfuscation and application shielding.

How to Obfuscate App Logic of Android and iOS apps

Obfuscate App Logic is one of the obfuscation methods available as part of Appdome’s TOTALCode Obfuscation solution. When customers enable Obfuscate App Logic, all application logic classes and methods will be obfuscated and renamed to random strings. Appdome automatically leaves open-source libraries unobfuscated. When combined with string encryption and Strip Debug Information, understanding what the code does becomes very difficult and impractical.

When you enable Appdome’s Obfuscate App Logic feature, the following protections are included automatically:

  • Obfuscate Package Names – Obfuscates package and class names within the application’s business logic.
  • Obfuscate Dynamic Classes – Obfuscates (renames) classes to random strings.
  • Obfuscate Dynamic Methods – Obfuscates (renames) methods to random strings.
  • Obfuscate Linkages and Reflection – Supports obfuscation of classes and methods used in reflection and in JNI up-calls and down-calls.
  • Obfuscate Crashes – Obfuscates methods and classes in crashes and stack traces.

 

In addition, unlike 3rd party obfuscation solutions, Appdome handles reflection and function names that are called through JNI up-calls (from C/C++ to Java/Kotlin) and down-calls (from Java/Kotlin to C/C++).
The classes and methods are also obfuscated in crashes and stack traces, so an attacker will not be able to understand the names even if a crash is triggered.

Optionally, to facilitate debugging, a mapping file can be downloaded in order to de-obfuscate the crashes, logs, etc.
To download the mapping file, click the ‘Build History’ button; in the ‘App Workflow Summary’, if the app was built with Obfuscate App Logic, you will see a “Download Obfuscation Mapping Files” button. This will download a zip file with two files:

  • mapping.txt – A mapping file in the same format as ProGuard and R8. It can be uploaded to Google Play, Crashlytics, Bugsnag, etc.
  • deobfuscate_mapping_script_<build id>.py – A Python script that takes any text file (crash log, stack trace, etc.) as input and outputs a text file with all the obfuscated references de-obfuscated.
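What the mapping file makes possible, as an added example (this is not Appdome's deobfuscate_mapping_script and not code from this page): a minimal Python reader for the ProGuard/R8 mapping.txt layout that restores class and method names in a stack trace. The mapping entries, package names and trace below are constructed samples; frame line numbers are used only to choose between methods that share an obfuscated name and are not translated back.

```python
import re

# Constructed sample in ProGuard/R8 mapping.txt format (not from a real build).
SAMPLE_MAPPING = """\
com.example.bank.LoginManager -> a.b:
    java.lang.String token -> a
    1:4:boolean verifyPin(java.lang.String):42:45 -> a
    5:9:void refreshSession():60:64 -> a
com.example.bank.net.ApiClient -> a.c:
    void send(byte[]) -> a
"""
# Constructed obfuscated stack trace; the last frame is an unobfuscated library.
SAMPLE_TRACE = """\
java.lang.IllegalStateException: session expired
    at a.b.a(Unknown Source:7)
    at a.c.a(Unknown Source)
    at com.thirdparty.Lib.run(Lib.java:10)
"""

CLASS_RE = re.compile(r"^(\S+) -> (\S+):$")
# Method line: [start:end:]returnType name(args)[:origStart[:origEnd]] -> obfuscated
METHOD_RE = re.compile(r"^\s+(?:(\d+):(\d+):)?\S+ ([\w$<>]+)\(.*\)(?::\d+)*\s+-> (\S+)$")
FRAME_RE = re.compile(r"^(\s*at )([\w$.]+)\.([\w$<>]+)(\([^:)]*(?::(\d+))?\))$")

def parse_mapping(text):
    """Return {obf_class: (orig_class, {obf_method: [(start, end, name), ...]})}."""
    classes, members = {}, None
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            members = {}
            classes[m.group(2)] = (m.group(1), members)
        elif members is not None and (m := METHOD_RE.match(line)):
            start, end, name, obf = m.groups()
            members.setdefault(obf, []).append((int(start or 0), int(end or 0), name))
    return classes

def deobfuscate(trace, classes):
    """Restore class and method names in 'at ...' frames; line numbers stay as-is."""
    out = []
    for line in trace.splitlines():
        if (m := FRAME_RE.match(line)) and m.group(2) in classes:
            orig_class, members = classes[m.group(2)]
            cands = members.get(m.group(3), [])
            # Methods sharing one obfuscated name are told apart by line range.
            hits = [n for s, e, n in cands if s <= int(m.group(5) or -1) <= e]
            names = hits or [n for _, _, n in cands] or [m.group(3)]
            line = f"{m.group(1)}{orig_class}.{'|'.join(dict.fromkeys(names))}{m.group(4)}"
        out.append(line)
    return "\n".join(out)
```

Because the mapping file reverses the renaming, store it with the same access controls as the source code and keep it out of the shipped app package.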


Note: The mapping zip file can also be downloaded via Appdome’s REST API using https://fusion.appdome.com/api/v1/tasks/<task_id>/output?action=deobfuscation_script

 

3 Easy Steps to Obfuscate App Logic of Android and iOS apps

Please follow these 3 easy steps to Obfuscate App Logic of iOS and Android apps to prevent attackers from understanding the application’s control flows via static code analysis.

  1. Upload an Android or iOS app (.apk, .aab, or .ipa)
  2. In the Build Tab, under TOTALCode Obfuscation, toggle-on Obfuscate App Logic 
  3. Click Build My App
    • Optionally, you can choose to Exclude Specific Classes from being obfuscated:

 


Congratulations! Your mobile application’s logic is now obfuscated.

Appdome’s no-code mobile app security platform offers mobile developers, DevSec and security professionals a convenient and reliable way to Obfuscate App Logic. When an Appdome user clicks “Build My App,” Appdome leverages a microservice architecture filled with 1000s of security plugins, and an adaptive code generation engine that matches the correct required plugins to the development environment, frameworks, and methods in each app.

Prerequisites

Here’s what you need to build secured apps with Obfuscate App Logic

No Coding Dependency

Using Appdome, there are no development or coding prerequisites to secure iOS and Android apps using Obfuscate App Logic. There is no SDK and no library to manually code or implement in the app. The Appdome technology adds the relevant standards, frameworks, and logic to the app automatically, with no manual development work at all.

How to Sign & Publish Secured Mobile Apps Built on Appdome  

After successfully securing your app using Appdome, there are several available options to complete your project, depending on your app lifecycle or workflow. These include 

 

Or, see this quick reference Releasing Secured Android & iOS Apps built on Appdome. 

 How to Learn More

Check out the following related KB articles:

How to Obfuscate Non-Native Android & iOS Code and Frameworks

How to add Native Code Obfuscation to any iOS, Android app

How to Encrypt Java Class Files (.dex) in Android Apps

Appdome ONEShield Mobile App Hardening

If you have any questions, please send them our way at support@appdome.com or via the chat window on the Appdome platform.

Or request a demo at any time.

Thank you!

Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app security easy. We hope we’re living up to the mission with your project. If you don’t already have an account, you can sign up for free.

 

 

Alan Bavosa
