How to Encrypt Java Class Files (.dex) in Android Apps

Learn how to encrypt DEX Files (Java Classes) in Android apps.

In recent years, decompilers have reached a maturity level that allows recovering source code from mobile app binaries with ease. Obfuscation has become a well-established preventive measure developers use against static reverse engineering attempts. There are several ways to implement obfuscation, but various obfuscation solutions differ in several things: Ease of use (e.g., specialized compilers and post-build tools), Performance (i.e., performance penalty, if any) and the reference threat level.

Since eventually all defenses can be broken, the quality of a good defense is measured by the amount of work, expertise and time needed to break the defense.

This Knowledge Base article provides step-by-step instructions for using Appdome to encrypt Java Class files (.dex) in Android apps.

We hope you find this knowledge base useful and enjoy using Appdome!

About DEX File Encryption 

Appdome is a no-code mobile security and development platform that enables anybody to add a wide variety of security features, SDKs and APIs to Android and iOS applications. Using a simple ‘click to add’ user interface, anyone can easily encrypt Android Java Class files (.dex)  in seconds, no-code or coding required.

Appdome’s DEX File Encryption is a security feature that encrypts the mobile app’s compiled Java code and decrypts it at run-time.  Appdome’s DEX File Encryption, combined with other obfuscation features, makes reverse engineering an arduous task while preserving the functionality and performance of the original app. Appdome’s is compatible with mobile apps built in any development environment including Native Android apps, hybrid apps, and non-native apps built-in Xamarin, Cordova, and React Native, Ionic and more. This streamlines implementations, cuts development work, and ensures a guaranteed and consistent implementation of Appdome’s DEX File Encryption to any mobile app.

Why Encrypt DEX Files (Java Classes) in Android apps? 

In Android, compiled Java/Kotlin code resides in classes.dex files (see structure of Android applications). The common tools to reverse engineer DEX files are disassemblers such as baksmali and dex2jar and decompilers such as jadx and jdgui. The purpose of code packing with Appdome APPCode Packer is to make these tools ineffective and even unusable. To do this, Appdome encrypts all DEX files not needed for app initialization, making it impossible for disassemblers to find the original code. At run-time, Appdome’s code will decrypt the encrypted DEX files and allow the app to continue working as usual.

This obfuscation technique provides the following benefits:

  1. Trying to use offline reversing techniques on the application will fail as most classes will not be found in the APK or in the AAB.
  2. Decryption overhead is only incurred during the app’s first run, and even then has minimal impact.
  3. Since the DEX files are encrypted, they are protected by Appdome’s Anti-Tampering.
  4. In addition, any attempt to force this information out of the application using run-time methods will be thwarted by Appdome’s Anti-Debugging and other features in ONEShield.

This feature is complementary to Appdome’s Control-Flow Relocation and may be used together to further the app’s Java code reverse-engineering protection.

If your application was developed using a non-native framework such as React-Native, Cordova or Xamarin, you might want to check out Non-Native Code Obfuscation.

If, on the other hand, your application has more native code in it, we recommend you check out Binary Code Obfuscation.

Additional Notes:

Since the app still requires certain classes for its initial startup, specific classes mentioned by the following tags in the app’s manifest inside the “application” tag will not be encrypted:

  1. android: appComponentFactory
  2. android: name

Follow these 3 easy steps to Encrypt DEX Files (Java Classes)

Start by adding a mobile app to your Appdome account. If you don’t have an Appdome account, click here to create an account.

  1. Under the Build tab, select Security, then expand TOTALData™ Encryption
  2. Switch on DEX File Encryption
    • Optionally, enable Favor Loading Time (see below)
  3. Click “Build My App.”

Dex.file.encryption.on.appdome

Appdome’s no-code mobile app security platform offers mobile developers, DevSec and security professionals a convenient and reliable way to protect Android source code using DEX File Encryption. When an Appdome user clicks “Build My App,” Appdome leverages a microservice architecture filled with 1000s of security plugins, and an adaptive code generation engine that matches the correct required plugins to the development environment, frameworks, and methods in each app.

Congratulations! When your build is complete, you will see the notice below.
code packing for obfuscating android apps

Favor Loading Time

Obfuscation decreases the efficiency of compression algorithms, so obfuscating all the code in the app may increase its loading time significantly. You can enable Favor Loading Time to automatically detect and optimize the obfuscation process of publicly available components to preserve the application loading time.

Please review this file to view all the libraries and files that will remain unobfuscated when this feature is enabled.

Prerequisites for Using Appdome’s DEX File Encryption

In order to use Appdome’s no-code implementation of APPCode Packer on Appdome, you’ll need:

No Coding Dependency

Using Appdome, there are no development or coding prerequisites to build secured Android apps using DEX File Encryption. There is no SDK and no library to manually code or implement in the app. The Appdome technology adds the relevant standards, frameworks, and logic to the app automatically, with no manual development work at all.

How to Sign & Publish Secured Mobile Apps Built on Appdome  

After successfully securing your app using Appdome, there are several available options to complete your project, depending on your app lifecycle or workflow. These include 

 

Or, see this quick reference Releasing Secured Android & iOS Apps built on Appdome. 

 How to Learn More

Check out the following related KB articles:

Android String Encryption

How to Encrypt Shared Preferences in Android apps

How to add Native Code Obfuscation to any iOS, Android app

If you have any questions, please send them our way at support@appdome.com or via the chat window on the Appdome platform.

Or request a demo at any time.

Thank you!

Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app security easy. We hope we’re living up to the mission with your project. If you don’t already have an account, you can sign up for free.

Kai Kenan

Have a question?

Ask an expert

DanaMaking your security project a success!

Get Your Copy
2021 Global Mobile
Consumer Security
Survey