In recent years, decompilers have reached a maturity level that allows recovering source code from mobile apps with ease. Obfuscation has become a well-established preventive measure that developers use against static reverse engineering attempts. Obfuscation solutions differ in several respects: (1) ease of use (from specialized compilers to post-build tools), (2) performance (some obfuscation methods might impose a performance penalty), and (3) the reference threat level (the expertise and time needed to break the defense).
This Knowledge Base article provides step-by-step instructions for using Appdome to implement mobile app binary-code obfuscation in any Android or iOS mobile app.
We hope you find this knowledge base useful and enjoy using Appdome!
About Mobile App Binary Code Obfuscation on Appdome
Appdome is a no code mobile integration platform as a service (IPaaS) that enables developers and non-developers to add a wide variety of features, SDKs, and APIs to Android and iOS apps instantly. Using a simple ‘click to add’ user interface, Appdome allows anyone to easily implement mobile app binary-code obfuscation to any mobile app – instantly, no code or coding required.
There are no development or coding prerequisites to use Appdome. For example, there is no SDK, no libraries, or plug-ins to implement. Likewise, there is no requirement to mark, symbolicate or manually obfuscate code inside Android or iOS apps. Appdome’s technology automatically obfuscates the mobile app binary using multiple obfuscation methods, giving you the same outcome as if you had done this work manually. Appdome’s mobile app binary code obfuscation modifies the mobile application binary code to make it unrecognizable by reverse-engineering tools such as IDA-Pro and Hopper. Using Appdome, there is no development work required to implement code obfuscation.
Prerequisites for using Appdome Binary Code Obfuscation
In order to use Appdome’s no code implementation of Binary Code Obfuscation, such as Flow-Relocation™, you’ll need:
- Appdome account – IDEAL or Higher
- Mobile App (.ipa for iOS, or .apk for Android)
- Signing Credentials (e.g., signing certificates and provisioning profile)
How to Add Mobile App Binary Code Obfuscation to your app
Follow these step-by-step instructions to add Mobile App Binary Code Obfuscation to Any Mobile App:
Upload a Mobile App to Your Account
Please follow these steps to add a mobile app to your Appdome account.
If you don’t have an Appdome account, click here to create an account.
From the Security Tab, select Binary Code Obfuscation
- Click the Build Tab. Note: A blue highlight and underline will appear showing the step is active.
- Click the Security Category. Note: A blue highlight will appear showing the category is active.
- From within TOTALCode™ Obfuscation, enable Binary Code Obfuscation.
- Optionally, enable Favor App’s Size (Android only, see below)
- Click Build My App
The technology behind Build My App has two major elements – (1) a microservice architecture filled with 1000s of code sets needed for mobile integrations, and (2) an adaptive code generation engine that can recognize the development environment, frameworks and methods in each app and match the app to the relevant code-sets needed to add the requested service to the mobile app in seconds.
Congratulations! When your integration is complete, you will see the notice below. You now have a mobile app fully integrated with Binary Code Obfuscation.
Binary Code Obfuscation on iOS
In iOS, the application’s executable (see structure of iOS applications) manifests as binary code. To make it unparsable by reverse engineering tools, Appdome shuffles the code around. This way, when the reverse engineering tool attempts to determine the target of a reference (for example, the target of a function call), it will appear as though it points to some arbitrary location.
On a large scale, this renders the code completely unintelligible. However, there is a prerequisite: the application must contain enough binary code to make the shuffling effective. Appdome will analyze the uploaded application to determine whether it meets this prerequisite. Rest assured, most real-world applications meet the threshold. If, however, your application is too small, we suggest you take advantage of Appdome Flow Relocation as an alternative.
Binary Code Obfuscation on Android
In Android, shared libraries constitute the native-code part of the application (see structure of Android applications).
Appdome takes advantage of the loading mechanism of shared libraries in Android and modifies it so encrypted libraries can be loaded. Then, when you integrate Binary Code Obfuscation, the native libraries that come with the application get encrypted using a unique key.
When an attacker attempts to open the protected libraries in a reverse engineering tool (such as IDA-Pro or Hopper), the tool will fail to recognize the file as binary code.
Favor App’s Size
Obfuscation decreases the efficiency of compression algorithms, so obfuscating all the code in the app may increase its file size significantly. You can enable Favor App’s Size to keep publicly available elements unobfuscated and decrease the size of the built app.
With this switch enabled, the following libraries remain unobfuscated:
Open Source Libraries:
- libopencv_imgproc.so, libopencv_core.so, libopencv_java3.so (https://opencv.org)
- libmonodroid.so, libmono-btls-shared.so, libmonosgen-2.0.so, libe_sqlite3.so
- libfb.so, libfolly_json.so, libglog.so, libglog_init.so, libgnustl_shared.so, libicu_common.so, libimagepipeline.so, libjsc.so, libprivatedata.so, libreactnativejni.so, libyoga.so, libc++_shared.so
- libxwalkcore.so, libxwalkdummy.so, libsqlcipher.so
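To check a built APK against the behaviour described above (native libraries encrypted, with the listed libraries left as-is when Favor App’s Size is on), the following added example, which is not Appdome code, audits every library under lib/ for byte entropy and deflate ratio. It assumes an encrypted library looks near-random (at least 7.5 bits per byte, an illustrative threshold); the exempt set is a subset of the list above, and the sample APK is constructed in memory.

```python
import io, math, os, zipfile, zlib
from collections import Counter

# Subset of the libraries the article lists as left unobfuscated by Favor App's Size.
FAVOR_SIZE_EXEMPT = {"libopencv_core.so", "libmonodroid.so", "libreactnativejni.so",
                     "libc++_shared.so", "libsqlcipher.so"}

def entropy(data):
    """Shannon entropy in bits per byte (8.0 means indistinguishable from random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def audit_apk(apk, min_entropy=7.5):
    """Return {library path: findings} for every native library in the APK."""
    report = {}
    with zipfile.ZipFile(apk) as z:
        for name in z.namelist():
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            data = z.read(name)
            ent = entropy(data)
            exempt = os.path.basename(name) in FAVOR_SIZE_EXEMPT
            report[name] = {
                "elf_magic": data[:4] == b"\x7fELF",   # reported, not assumed either way
                "entropy": round(ent, 2),
                "deflate_ratio": round(len(zlib.compress(data, 9)) / max(len(data), 1), 2),
                "exempt": exempt,
                "ok": ent >= min_entropy or exempt,     # assumption: encrypted => near-random
            }
    return report

def build_sample_apk():
    """Constructed sample: a plaintext-like lib, a random-looking lib, an exempt lib."""
    plain = b"\x7fELF" + b"\x00" * 60 + b"\x1f\x20\x03\xd5" * 4096  # repetitive code-like bytes
    cipher = os.urandom(16384)                                      # stand-in for ciphertext
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("lib/arm64-v8a/libnative.so", plain)
        z.writestr("lib/arm64-v8a/libprotected.so", cipher)
        z.writestr("lib/arm64-v8a/libc++_shared.so", plain)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for lib, info in audit_apk(build_sample_apk()).items():
        print(lib, info)
```

A deflate ratio near 1.0 on the protected library is the size cost that Favor App’s Size trades away for the exempt libraries.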
IMPORTANT: Some applications which come with anti-tampering might clash with Appdome’s binary code obfuscation. Read this article to learn about Appdome’s own Anti-Tampering functionality.
After Adding Binary Code Obfuscation to a Mobile App on Appdome
After you have added Binary Code Obfuscation to any Mobile App on Appdome, there are a few additional steps needed to complete your mobile integration project.
Add Context™ to the Appdome-Built App
Appdome is a full-featured mobile integration platform. Within Context™, Appdome customers can brand the app, including adding a favicon to denote the new service added to the app.
For more information on the range of options available in Context™, please read this knowledge base article.
Sign the Binary Code Obfuscation enabled Appdome-Built App (Required)
In order to deploy an Appdome-Built app, it must be signed. Signing iOS apps and Signing Android apps is easy using Appdome. Alternatively, you can use Private Signing, download your unsigned app and sign locally using your own signing methods.
Deploy the Appdome-Built App to a Mobile Device
Once you have signed your Appdome-Built app, you can download it and deploy it using your distribution method of choice. For more information on deploying your Appdome-Built apps, please read this knowledge base.
That is it – Enjoy Appdome’s Binary Code Obfuscation in your app!
How Do I Learn More?
Binary Code Obfuscation is just one of the many features TOTALCode™ can offer in terms of code obfuscation.
You might also want to check out ONEShield™ to find additional security features Appdome can offer your application.
If you have any questions, please send them our way at email@example.com or via the chat window on the Appdome platform.