How to Obfuscate Mobile Apps & Prevent Reverse Engineering

 

Learn 3 Easy Steps to Obfuscate Mobile Apps & Prevent Reverse Engineering. Obfuscate Native iOS and Android Code and Libraries – No coding, No SDK.

In recent years, decompilers have reached a maturity level that allows recovering source code from mobile apps easily. You should obfuscate mobile apps as part of a first line of defense against reverse engineering attempts by hackers. What sets various obfuscation solutions apart is several things: (1) Ease of use (specialized compilers to post-build tools), (2) Performance (some obfuscation methods might impose a performance penalty), and (3) the reference threat level (expertise and time needed to break the defense).

Learn the 3 Easy Steps to Obfuscate Mobile Apps & Prevent Reverse Engineering. No Code, No SDK.

We hope you find this knowledge base useful and enjoy using Appdome!

Binary Code Obfuscation on iOS

In iOS, the application’s executable (see the structure of iOS applications) manifests as binary code. To make it unparsable by reverse engineering tools, Appdome shuffles the code around. This way, when the reverse engineering tool attempts to determine the target of a reference (for example, the target of a function call), it will appear as though it points to some arbitrary location.

On a large scale, this renders the code completely unintelligible. However, there is a prerequisite: the application must contain enough binary code to make the shuffling effective. Appdome will analyze the uploaded application to determine whether it meets the prerequisite requirements. Rest assured, most real-world applications fit the threshold. If however, your application is too small, we suggest you take advantage of Appdome Flow Relocation as an alternative.

Binary Code Obfuscation on Android

In Android, shared-libraries constitute the native-code part of the application (see the structure of Android applications).

Appdome takes advantage of the loading mechanism of shared libraries in Android and modifies it so encrypted libraries can be loaded. Then, when you integrate Binary Code Obfuscation, the native libraries that come with the application get encrypted using a unique key.

When an attacker attempts to open the protected libraries in a reverse engineering tool (such as IDA-Pro or Hopper), the applications will fail at recognizing the file as binary code.

Favor App’s Size

Obfuscation decreases the efficiency of compression algorithms, so obfuscating all the code in the app may increase its filesize significantly. You can enable Favor App’s Size, to keep publically available element unobfuscated and decrease the size of the build app.

The libraries that will remain unobfuscated, with this switch enabled are:

Open Source Libraries:

Libraries Comment
libstlport_shared.so https://developer.android.com/ndk/guides/cpp-support
libiconv.so, libzbarjni.so https://github.com/dm77/ZBarScanner
libtool-checker.so https://github.com/scottyab/rootbeer
libcrashlytics.so, libcrashlytics-envelope.so https://try.crashlytics.com/sdk-android
libfirebase.so https://github.com/firebase/firebase-android-sdk
libmpdf.so https://github.com/mpdf/mpdf
libj2v8.so https://github.com/eclipsesource/J2V8
libjniPdfium.so, libmodpdfium.so https://pdfium.googlesource.com/pdfium
libopencv_imgproc.so, libopencv_core.so, libopencv_java3.so https://opencv.org

Obfuscate Xamarin Libraries

libmonodroid.so, libmono-btls-shared.so, libmonosgen-2.0.so, libe_sqlite3.so, libmono-native.so, libxamarin-app.so

Obfuscate React Native Apps

libfb.so, libfolly_json.so, libglog.so, libglog_init.so, libgnustl_shared.so, libicu_common.so, libimagepipeline.so, libjsc.so, libprivatedata.so, libreactnativejni.so, libyoga.so. libc++_shared.so

Obfuscate Unity Apps 

libunity.so, libil2cpp.so, libcri_ware_unity.so, libgpg.so

Obfuscate Cordova Apps 

libxwalkcore.so, libxwalkdummy.so, libsqlcipher.so

IMPORTANT: Some applications which come with anti-tampering might clash with Appdome’s binary code obfuscation. Read this article to learn about Appdome’s own Anti-Tampering functionality.

About Binary Code Obfuscation with Appdome

Appdome is a no-code mobile app security platform designed to add security features, like native code obfuscation to Android and iOS apps without coding.  This KB shows mobile developers, DevSec and security professionals how to use Appdome’s simple ‘click to build’ user interface to quickly and easily prevent reverse engineering iOS and Android apps

3 Easy Steps to Obfuscate Mobile Apps & Prevent Reverse Engineering

Please follow these 3 easy steps to add native code obfuscation to Android and iOS apps. 

  1. Upload an Android or iOS App to Appdome’s no code security platform (.apk, .aab, or .ipa)
  2. In the Build Tab, under Security, from within TOTALCode™ Obfuscation, enable Binary Code Obfuscation(shown below)
  3. Click Build My App

Appdome’s no-code mobile app security platform offers mobile developers, DevSec and security professionals a convenient and reliable way to protect Android and iOS apps with native code obfuscation. When an Appdome user clicks “Build My App,” Appdome leverages a microservice architecture filled with 1000s of security plugins, and an adaptive code generation engine that matches the correct required plugins to the development environment, frameworks, and methods in each app.

Congratulations! The build is now complete and the app is protected with native code obfuscationsuccess message - obfuscate mobile apps

No Coding Dependency

Using Appdome, there are no development or coding prerequisites to build secured Android and iOS apps with Binary Code Obfuscation. There is no SDK and no library to manually code or implement in the app. The Appdome technology adds the relevant standards, frameworks, and logic to the app automatically, with no manual development work at all.

How to Sign & Publish Secured Mobile Apps Built on Appdome  

After successfully securing your app using Appdome, there are several available options to complete your project, depending on your app lifecycle or workflow. These include 

Or, see this quick reference Releasing Secured Android & iOS Apps built on Appdome. 

How To Learn More

Check out related KBs for non-native obfuscation, control flow relocation, and strip debug info, which are all part of Appdome TOTALCode™ Obfuscation. 

If you have any questions, please send them our way at support@appdome.com or via the chat window on the Appdome platform or  Or request a demo at any time.

Thank you!

Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app security easy. We hope we’re living up to the mission with your project. If you don’t already have an account, you can sign up for free.

Dany Zatuchna

Have a question?

Ask an expert

HilaMaking your security project a success!