In recent years, decompilers have reached a maturity level that allows recovering source code back from mobile app with ease. Obfuscation has become a well established preventive measure developers use against static reverse engineering attempts. What sets various obfuscation solutions apart is several things: Ease of use (e.g., specialised compilers and post-build tools), Performance (i.e., performance penalty, if any) and the reference threat level.
Since eventually all defences can be broken, what indicates how good a defence is the amount of work, expertise and time expected to break the defence.
This Knowledge Base article provides step-by-step instructions for using Appdome to add control-flow relocation in mobile apps. Adding control-flow relocation protects any Android and iOS mobile app from static reverse engineering attempts.
We hope you find this knowledge base useful and enjoy using Appdome!
About No-Code Control-Flow Relocation on Appdome
Appdome is a no-code mobile integration platform as a service (iPaaS). Appdome allows users to add a wide variety of features, SDKs and APIs to Android and iOS applications. Using a simple ‘click to add’ user interface, anyone can easily add code-flow relocation and other code obfuscation methods to any mobile application – in seconds, no-code or coding required.
Using Appdome, there are no development or coding prerequisites. For example, there is no SDK, library, or plug-ins to implement. The Appdome technology adds Flow-Relocation™ and relevant standards, frameworks and more to the app automatically, with no manual development work at all.
Appdome’s Flow-Relocation™ is a security feature that modifies a mobile app’s compiled code by obfuscating the logical control-flow of the app. Appdome’s Flow-Relocation makes reverse engineering an arduous task while preserving the functionality and performance of the original app. Appdome with Flow-Relocation™ is compatible with mobile apps built in any development environment including Native Android and iOS apps, hybrid apps and non-native apps built in Xamarin, Cordova, and React Native, Ionic and more. This streamlines implementations, cuts development work, and ensures a guaranteed and consistent integration of Flow-Relocation™ to any mobile app.
Code Flow Relocation in iOS Mobile Apps
In iOS, the application’s executable (see structure of iOS applications) manifests as binary code. To make it un-parsable by reverse engineering tools, Appdome uses several techniques such as polymorphic unconditional branching in place of the original instructions so that the original instructions no longer appear in the application’s binary. This creates an appearance of spaghetti code which is extremely difficult to reverse engineer.
IMPORTANT: The feature is hardware specific and only applies to ARM64 binaries. This means:
- Applications which do not have ARM64 support can not take advantage of Flow Relocation.
This is in fact a remote use case as since iOS 11 (2017) there is no longer official support for ARMv7, meaning these applications will no longer work on contemporary devices.
- Applications with several architectures will be stripped to contain only ARM64. Keeping the other architectures will defeat the purpose of the obfuscation as the attacker can just try and reverse the non obfuscated architecture’s code.
This feature works very well together with Binary Code Obfuscation to create an iron-clad anti-reversing shield for the application’s binary.
Code Flow Relocation in Android Mobile Apps.
In Android, compiled Java/Kotlin code resides in
classes.dex files (see structure of Android applications). The common toolbox to reverse engineer DEX files contains: Disassemblers such as baksmali and dex2jar and decompilers such as jadx and jdgui. The purpose of control-flow relocation is to make these tools ineffective and even unusable. To do this, Appdome uses several techniques such as applying call obfuscation to the compiled Java code and modifying the function call targets to obscure functions. The original target of the function call is removed from the code and saved in an encrypted database. These obscure functions access the database to recover the original target of the call at run-time.
This obfuscation technique provides the following benefits:
- Trying to use offline reversing techniques on the application will fail as the “function tree” of the application will appear to be broken.
For example, if for example the application had the following functional path:
login->verify-username->access-user-db, it will appear as two disconnected paths:
verify-username->b. You will notice that
access-user-dbis not even referenced.
- The database access is highly optimized and performs without causing any slowdown to the application.
- Since the database is encrypted, it is protected by appdome’s Anti-Tampering.
- In addition, any attempt to force this information out of the application using run-time methods, will be met with appdome’s Anti-Debugging.
If your application was developed using a non-native framework such as React-Native, Cordova or Xamarin, you might want to check out Non-Native Code Obfuscation.
If, on the other hand, your application has more native code in it, we recommend you check out Binary Code Obfuscation.
We are aware of course, that applications are not always perfect and there might be crashes here and there. We took special care when designing code flow relocation to make sure that the original flow is visible in the stack trace of Java exceptions.
This enables developers to quickly trace the source of a bug in the app, even when obfuscated.
Prerequisites for using Appdome flow relocation
In order to use Appdome’s no-code implementation of Flow-Relocation™ on Appdome, you’ll need:
- Appdome account – IDEAL or Higher.
- Mobile App (.ipa for iOS, or .apk for Android)
- Signing Credentials (e.g., signing certificates and provisioning profile)
How to add Control-Flow Relocation to a Mobile App on Appdome
Follow these step-by-step instructions to add Appdome’s Flow-Relocation™ to Any Mobile App:
Upload a Mobile App to Your Account
Please follow these steps to add a mobile apps to your Appdome account.
If you don’t have an Appdome account, click here to create an account.
From the “Fuse” tab, Add flow relocation
Select the Fuse Tab. Note: a blue underline will appear showing the step is active.
Beneath the Fuse Tab, Select Security. Note: a blue highlight will appear showing the category is active.
- Click to Open ONEShield™ by Appdome
- Click to Open TOTALCode™ Obfuscation
- Enable or Toggle “ON” Flow-Relocation™
- Click “Fuse My App.”
The technology behind Fuse My App has two major elements – (1) a microservice architecture filled with 1000s of code sets needed for mobile integrations, and (2) an adaptive code generation engine that can recognize the development environment, frameworks and methods in each app and match the app to the relevant code-sets needed to add the requested service to the mobile app in seconds.
Congratulations! When your integration is complete, you will see the notice below. You now have a mobile app fully integrated with Appdome’s Flow-Relocation.
After Adding flow relocation Mobile App on Appdome
After you have added Flow-Relocation™ to any Mobile App on Appdome, there are a few additional steps needed to complete your mobile integration project.
Add Context™ to the Appdome-Fused App
Appdome is a full-featured mobile integration platform. Within Context™, Appdome users can brand the app, including adding a favicon to denote the new service added to the app.
For more information on the range of options available in Context™, please read this knowledge base article.
Sign the flow relocation enabled Appdome-Fused App (Required)
In order to deploy an Appdome-Fused app, it must be signed. Signing iOS app and Signing an Android app are easy using Appdome. Alternatively, you can use Private Signing, download your unsigned app and sign locally using your own signing methods.
Deploy the Appdome-Fused App to a Mobile Device
Once you have signed your Appdome-Fused app, you can download to deploy it using your distribution method of choice. For more information on deploying your Appdome-Fused apps, please read this knowledge base.
That is it – Enjoy Appdome’s Flow-Relocation in your app!
How Do I Learn More?
FlowRelocation™ is just one of the many features TOTALCode™ can offer in terms of code obfuscation.
You might also want to check out ONEShield™ to find additional security features Appdome can offer your application.
If you have any questions, please send them our way at firstname.lastname@example.org or via the chat window on the Appdome platform.