No-Code Control Flow Relocation in Mobile Apps
How to add Control Flow Relocation to mobile apps in minutes. On Appdome, you can obfuscate mobile apps without coding to prevent reverse engineering.
This Knowledge Base article provides step-by-step instructions for using Appdome to add control flow relocation in mobile apps. Control flow relocation is one of multiple methods you can use to obfuscate mobile apps. You should obfuscate a mobile app as a first line of defense against reverse engineering – which hackers routinely do to: (1) learn how your app works (2) understand the app logic (3) find your apps weak spots. This article will take you 3 minutes to read, and 2 minutes to fix your app. And it applies to all Android and ioS apps no matter which framework you built the app in.
Background: why obfuscate mobile apps in the first place?
In recent years, decompilers have reached a maturity level that allows recovering source code back from mobile apps with ease. Obfuscation has become a well established preventive measure developers use against static reverse engineering attempts. What sets various obfuscation solutions apart is several things: Ease of use (e.g., specialized compilers and post-build tools), Performance (i.e., performance penalty, if any) and the reference threat level.
Since eventually all defenses can be broken, which indicates how good a defense is the amount of work, expertise and time expected to break the defense.
We hope you find this knowledge base useful and enjoy using Appdome!
Appdome is a no-code mobile integration platform as a service (iPaaS). Appdome allows users to add a wide variety of features, SDKs, and APIs to Android and iOS applications. Using a simple ‘click to add’ user interface, anyone can easily add code-flow relocation and other code obfuscation methods to any mobile application – in seconds, no-code or coding required.
Using Appdome, there are no development or coding prerequisites. For example, there is no SDK, library, or plug-ins to implement. The Appdome technology adds Flow-Relocation™ and relevant standards, frameworks and more to the app automatically, with no manual development work at all.
Appdome’s Flow-Relocation™ is a security feature that modifies a mobile app’s compiled code by obfuscating the logical control-flow of the app. Appdome’s Flow-Relocation makes reverse engineering an arduous task while preserving the functionality and performance of the original app. Appdome with Flow-Relocation™ is compatible with mobile apps built in any development environment including Native Android and iOS apps, hybrid apps and non-native apps built-in Xamarin, Cordova, and React Native, Ionic and more. This streamlines implementations, cuts development work, and ensures a guaranteed and consistent integration of Flow-Relocation™ to any mobile app.
Control Flow Relocation in iOS Mobile Apps
In iOS, the application’s executable (see the structure of iOS applications) manifests as binary code. To make it un-parsable by reverse engineering tools, Appdome uses several techniques such as polymorphic unconditional branching in place of the original instructions so that the original instructions no longer appear in the application’s binary. This creates an appearance of spaghetti code which is extremely difficult to reverse engineer.
IMPORTANT: The feature is hardware-specific and only applies to ARM64 binaries. This means:
- Applications that do not have ARM64 support can not take advantage of Flow Relocation.
This is in fact a remote use case as since iOS 11 (2017) there is no longer official support for ARMv7, meaning these applications will no longer work on contemporary devices.
- Applications with several architectures will be stripped to contain only ARM64. Keeping the other architectures will defeat the purpose of the obfuscation as the attacker can just try and reverse the non-obfuscated architecture’s code.
This feature works very well together with Binary Code Obfuscation to create an iron-clad anti-reversing shield for the application’s binary.
Control Flow Relocation in Android Mobile Apps.
In Android, compiled Java/Kotlin code resides in
classes.dex files (see the structure of Android applications). The common toolbox to reverse engineer DEX files contains: Disassemblers such as baksmali and dex2jar and decompilers such as jadx and jdgui. The purpose of control-flow relocation is to make these tools ineffective and even unusable. To do this, Appdome uses several techniques such as applying call obfuscation to the compiled Java code and modifying the function call targets to obscure functions. The original target of the function call is removed from the code and saved in an encrypted database. These obscure functions access the database to recover the original target of the call at run-time.
This obfuscation technique provides the following benefits:
- Trying to use offline reversing techniques on the application will fail as the “function tree” of the application will appear to be broken.
For example, if for example, the application had the following functional path:
login->verify-username->access-user-db, it will appear as two disconnected paths:
verify-username->b. You will notice that
access-user-dbis not even referenced.
- The database access is highly optimized and performs without causing any slowdown to the application.
- Since the database is encrypted, it is protected by Appdome’s Anti-Tampering.
- In addition, any attempt to force this information out of the application using run-time methods will be met with Appdome’s Anti-Debugging.
If your application was developed using a non-native framework such as React-Native, Cordova or Xamarin, you might want to check out Non-Native Code Obfuscation.
If, on the other hand, your application has more native code in it, we recommend you check out Binary Code Obfuscation.
We are aware of course, that applications are not always perfect and there might be crashes here and there. We took special care when designing code flow relocation to make sure that the original flow is visible in the stack trace of Java exceptions.
This enables developers to quickly trace the source of a bug in the app, even when obfuscated.
Prerequisites for Using Appdome Flow Relocation
In order to use Appdome’s no-code implementation of Flow Relocation on Appdome, you’ll need:
- Appdome account – IDEAL or Higher.
- Mobile App (.ipa for iOS, or .apk or .aab for Android)
- Signing Credentials (e.g., signing certificates and provisioning profile)
How to add Flow Relocation to a Mobile App on Appdome
Follow these step-by-step instructions to add Appdome’s Flow Relocation to Any Mobile App:
Upload a Mobile App to Your Account
Please follow these steps to add a mobile app to your Appdome account.
If you don’t have an Appdome account, click here to create an account.
From the Build tab, Add Flow Relocation
Select the Build Tab. Note: a blue underline will appear showing the step is active.
Beneath the Build Tab, Select Security. Note: a blue highlight will appear showing the category is active.
- Click to Open TOTALCode™ Obfuscation
- Enable or Toggle “ON” Flow Relocation
- Click Build My App
The technology behind Build My App has two major elements – (1) a microservice architecture filled with 1000s of code sets needed for mobile integrations, and (2) an adaptive code generation engine that can recognize the development environment, frameworks and methods in each app and match the app to the relevant code-sets needed to add the requested service to the mobile app in seconds.
Congratulations! When your integration is complete, you will see the notice below. You now have a mobile app fully integrated with Appdome’s Flow Relocation.
After Adding Control Flow Relocation to Mobile Apps on Appdome
After you have added Flow Relocation to any Mobile App on Appdome, there are a few additional steps needed to complete your mobile integration project.
Add Context™ to the Appdome Built App
Appdome is a full-featured mobile integration platform. Within Context™, Appdome users can brand the app, including adding a favicon to denote the new service added to the app.
For more information on the range of options available in Context™, please read this knowledge base article.
Sign the Flow Relocation Enabled Appdome Built App (Required)
In order to deploy an Appdome-Built app, it must be signed. Signing the iOS app and Signing an Android app is easy using Appdome. Alternatively, you can use Private Signing, download your unsigned app and sign locally using your own signing methods.
Deploy the Appdome Built App to a Mobile Device
Once you have signed your Appdome-Built app, you can download it to deploy it using your distribution method of choice. For more information on deploying your Appdome-Built apps, please read this knowledge base.
That is it – Enjoy Appdome’s Flow Relocation in your app!
How Do I Learn More?
FlowRelocation™ is just one of the many features TOTALCode™ can offer in terms of code obfuscation.
If you have any questions, please send them our way at firstname.lastname@example.org or via the chat window on the Appdome platform.