In recent years, decompilers have reached a maturity level that allows recovering source code from mobile app binaries with ease. Obfuscation has become a well established preventive measure developers use against static reverse engineering attempts. There are several ways to implement obfuscation, but various obfuscation solutions differ in several things: Ease of use (e.g., specialised compilers and post-build tools), Performance (i.e., performance penalty, if any) and the reference threat level.
Since eventually all defenses can be broken, the quality of a good defense is measured by the amount of work, expertise and time needed to break the defense.
This Knowledge Base article provides step-by-step instructions for using Appdome to add code packing to Android mobile apps. This protects any Android mobile app from static reverse engineering attempts.
We hope you find this knowledge base useful and enjoy using Appdome!
About No-Code Android APPCode Packer on Appdome
Appdome is a no-code mobile integration platform as a service (iPaaS). Appdome allows users to add a wide variety of features, SDKs and APIs to Android and iOS applications. Using a simple ‘click to add’ user interface, anyone can easily add Appdome’s APPCode Packer and other code obfuscation methods to any mobile application – in seconds, no-code or coding required.
Using Appdome, there are no development or coding prerequisites. For example, there are no SDK, library, or plug-ins to implement. The Appdome technology adds APPCode Packer and relevant standards, frameworks and more to the app automatically, with no manual development work at all.
Appdome’s APPCode Packer is a security feature that encrypts the mobile app’s compiled Java code and decrypts it at run-time. Appdome’s APPCode Packer makes reverse engineering an arduous task while preserving the functionality and performance of the original app. Appdome’s APPCode Packer is compatible with mobile apps built in any development environment including Native Android apps, hybrid apps, and non-native apps built-in Xamarin, Cordova, and React Native, Ionic and more. This streamlines implementations, cuts development work, and ensures a guaranteed and consistent integration of Appdome’s APPCode Packer to any mobile app.
APPCode Packer in Android Mobile Apps
In Android, compiled Java/Kotlin code resides in
classes.dex files (see structure of Android applications). The common toolbox to reverse engineer DEX files contains Disassemblers such as baksmali and dex2jar and decompilers such as jadx and jdgui. The purpose of Appdome’s APPCode Packer is to make these tools ineffective and even unusable. To do this, Appdome encrypts all DEX files not needed for app initialization, making it impossible for disassemblers to find the original code. At run-time, Appdome’s code will decrypt the encrypted DEX files and allow the app to continue working as usual.
This obfuscation technique provides the following benefits:
- Trying to use offline reversing techniques on the application will fail as most classes will not be found in the APK.
- Decryption overhead is only incurred during the app’s first run, and even then has minimal impact.
- Since the DEX files are encrypted, they are protected by Appdome’s Anti-Tampering.
- In addition, any attempt to force this information out of the application using run-time methods will be met with Appdome’s Anti-Debugging
This feature is complementary to Appdome’s Control-Flow Relocation and may be used together to further the app’s Java code reverse-engineering protection.
If your application was developed using a non-native framework such as React-Native, Cordova or Xamarin, you might want to check out Non-Native Code Obfuscation.
If, on the other hand, your application has more native code in it, we recommend you check out Binary Code Obfuscation.
APPCode Packer caveat
Since the app still requires certain classes for its initial startup, specific classes mentioned by the following tags in the app’s manifest inside the “application” tag will not be encrypted:
- android: appComponentFactory
- android: name
Prerequisites for using Appdome’s APPCode Packer
In order to use Appdome’s no-code implementation of APPCode Packer on Appdome, you’ll need:
- Appdome account – IDEAL or Higher.
- Mobile App (.apk for Android)
- Signing Credentials (e.g., signing certificates and provisioning profile)
How to add APPCode Packer to a Mobile App on Appdome
Follow these step-by-step instructions to add Appdome’s APPCode Packer o Any Mobile App:
Upload a Mobile App to Your Account
Please follow these steps to add a mobile app to your Appdome account.
If you don’t have an Appdome account, click here to create an account.
From the “Build” tab, enable APPCode Packer
Select the Build Tab. Note: a blue underline will appear showing the step is active.
Beneath the Build Tab, Select Security. Note: a blue highlight will appear showing the category is active.
- Click to Open TOTALData™ Encryption
- Enable APPCode Packer
- Optionally, enable Favor Loading Time (see below)
- Click “Build My App.”
The technology behind Build My App has two major elements – (1) a microservice architecture filled with 1000s of code sets needed for mobile integrations, and (2) an adaptive code generation engine that can recognize the development environment, frameworks and methods in each app and match the app to the relevant code-sets needed to add the requested service to the mobile app in seconds.
Congratulations! When your integration is complete, you will see the notice below. Your app’s dex files are now encrypted.
Favor Loading Time
Obfuscation decreases the efficiency of compression algorithms, so obfuscating all the code in the app may increase its loading time significantly. You can enable Favor Loading Time to automatically detect and optimize the obfuscation process of publicly available components to preserve the application loading time.
After Adding APPCode Packer to Mobile App on Appdome
After you have added APPCode Packer to any Mobile App on Appdome, there are a few additional steps needed to complete your mobile integration project.
Add Context™ to the Appdome-Built App
Appdome is a full-featured mobile integration platform. Within Context™, Appdome users can brand the app, including adding a favicon to denote the new service added to the app.
For more information on the range of options available in Context™, please read this knowledge base article.
Sign the App (Required)
In order to deploy an Appdome-Built app, it must be signed. Signing iOS app and Signing an Android app is easy using Appdome. Alternatively, you can use Private Signing, to download your unsigned app and sign locally using your own signing methods.
Deploy the Appdome-Built App to a Mobile Device
Once you have signed your Appdome-Built app, you can download to deploy it using your distribution method of choice. For more information on deploying your Appdome-Built apps, please read this knowledge base.
That is it – Enjoy Appdome’s APPCode packer in your app!
How Do I Learn More?
APPCode Packer is just one of the many features TOTALData™ Encryption can to encrypt and protect your app data.
If you have any questions, please send them our way at firstname.lastname@example.org or via the chat window on the Appdome platform.