Obfuscating Mobile Apps

Appdome is a no-code mobile integration platform as a service (iPaaS), supporting a wide variety of implementations for Android and iOS apps.

This Knowledge Base article summarizes how obfuscating mobile apps on Appdome is super easy with TOTALCode™ Obfuscation.

About Obfuscation

In recent years, decompilers have reached a maturity level that allows recovering source code from a mobile app with ease. Obfuscation has become a well-established preventive measure developers use against static reverse engineering attempts.

Several things set obfuscation solutions apart:

  1. Ease of use
    This can range from using specialized compilers to post-build tools.
  2. Performance
    Some obfuscation methods might incur a performance penalty while others do not impact performance at all.
  3. Reference threat level
    Since eventually all defenses can be broken, what indicates how good a defense is, is the amount of work, expertise and time expected to break it.

To understand what TOTALCode™ Obfuscation means, we must understand two things:

  1. What does code mean in the context of an application?
  2. What is obfuscation?

Both answers should be chosen so that the result, making the application harder to reverse-engineer or attack, is as effective as possible.

What is Code?

Code is any form of information that executes business logic.

So for example, the part of a navigation application that computes the faster route between two points is code. In this example, this is a part of the application that’s inherent to its function. You might say that this is what makes your application stand out among all other navigation applications. And as such, you might want to protect that code.

Another example would be a banking application, where the code is in charge of assembling the correct requests to the bank’s servers in order to request a list of all transactions.

For different platforms, and in different circumstances, what we just defined as code will be contained in different forms in the application.

Code location in iOS apps:
  1. Part of the application executable if it is a native application (C/C++/Objective-C/Swift)
  2. Javascript code for Cordova or React-Native applications (Javascript/CSS/HTML)
  3. DLL files for Xamarin applications (C#)

Code location in Android apps:
  1. DEX files for compiled Java code (Java/Kotlin)
  2. Native code (C/C++)
  3. Javascript code
  4. DLL files (C#)
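
To see which of these code forms a given Android build actually contains, the following added example (not Appdome's code) inventories an APK by entry path and groups the hits under the categories listed above. The path conventions in RULES are assumptions based on common Android, React-Native, Cordova and Xamarin packaging, and the sample APK is constructed in memory.

```python
import io
import re
import zipfile
from collections import defaultdict

# Path conventions are assumptions (common packaging layouts), not taken
# from the article. Category names follow the article's Android list.
RULES = [
    ("DEX (Java/Kotlin)", re.compile(r"^classes\d*\.dex$")),
    ("Native code (C/C++)", re.compile(r"^lib/[^/]+/[^/]+\.so$")),
    ("Javascript code", re.compile(r"^assets/(.+\.js|.+\.bundle)$")),
    ("DLL files (C#)", re.compile(r"^assemblies/.+\.dll$", re.I)),
]

def classify_entry(name):
    """Return the code category for one APK entry path, or None."""
    for category, pattern in RULES:
        if pattern.match(name):
            return category
    return None

def inventory_code(apk_bytes):
    """Return {category: [(entry_name, size_bytes), ...]} for an APK."""
    found = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            category = classify_entry(info.filename)
            if category:
                found[category].append((info.filename, info.file_size))
    return dict(found)

def build_sample_apk():
    """Constructed sample: a tiny ZIP laid out like a hybrid Android app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        z.writestr("classes2.dex", b"dex\n035\x00" + b"\x00" * 16)
        z.writestr("lib/arm64-v8a/libroute.so", b"\x7fELF" + b"\x00" * 60)
        z.writestr("assets/index.android.bundle", b"var a=1;")
        z.writestr("assets/www/js/app.js", b"function f(){}")
        z.writestr("assemblies/App.dll", b"MZ" + b"\x00" * 10)
        z.writestr("res/drawable/icon.png", b"\x89PNG")
    return buf.getvalue()

if __name__ == "__main__":
    for category, entries in inventory_code(build_sample_apk()).items():
        print(category, entries)
```

An app that reports more than one category needs more than one form of obfuscation, which is the point the next section makes.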

What is Obfuscation?

Obfuscation is the process of taking code, and transforming it in such a way that it is harder for an attacker to understand, but still functions correctly.

Common techniques range from things as complex as changing the build tools to emit convoluted machine code to modifying names/labels in the code to make them lose their meaning for human eyes.

However, not all forms of obfuscation are suited to all types of code.

For example, modifying names and stripping formatting from Javascript code (a process called minification) is not extremely effective, as the code basically remains a text file and there are tools today that can easily reverse the process.

Encrypting Javascript/DLL will be more effective. Of course, this requires a mechanism that would still allow encrypted files to function.

Likewise, compile-time obfuscation is meaningless for an executable that already exists.

Applying Appdome’s binary code obfuscation will be more effective.

Appdome’s TOTALCode™ Obfuscation is intelligent and capable enough to match the correct form of obfuscation to the type of code that needs obfuscation.

Obfuscating Mobile Apps using TOTALCode Obfuscation

Follow these step-by-step instructions for obfuscating mobile apps by adding TOTALCode Obfuscation to any mobile app:

Upload a Mobile App to Your Account

Please follow these steps to add a mobile app to your Appdome account.
If you don’t have an Appdome account, click here to create an account.

From the Build tab, choose the Security tab

  • Binary Code Obfuscation
    Modifies the application’s binary code to make it unrecognizable by reverse-engineering tools.
  • Flow Relocation
    Modifies the application’s compiled code by hiding the logical flow of the code to make reverse engineering an arduous task while keeping the same functionality as the original app.
  • Non-Native Code Obfuscation
    For applications that were developed using a non-native framework such as React-Native, Cordova or Xamarin, obfuscate the non-native code.
  • Strip Debug Information
    Eliminates all descriptive information from the application’s binaries. This information usually includes identifiers (variable and function names) and source code names/line numbers.
    Such information is generally left over from the build process of the application.
  • Encrypt Strings and Resources
    Every application contains (embedded in its code) various string constants such as URLs, tokens, names of files and so forth. These are a lucrative target for attackers, as they give them a very firm foothold on what a specific piece of code is responsible for, not to mention that some strings are valuable information in their own right (such as authentication tokens).
    Appdome locates those strings and additional resources, encrypts them, and makes sure they can only be accessed by the application itself. Naturally, if the application has been tampered with, Appdome will not allow access to those strings, thereby foiling attack attempts.
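
A pre-release check for the string exposure described under Encrypt Strings and Resources, as an added example that is not Appdome's code: it scans a build for plaintext URLs, tokens and file names and shows that the same constants no longer surface once they are stored in a non-plaintext form. The patterns, the sample constants and the `xor_mask` stand-in are all constructed for illustration; `xor_mask` is not real encryption and says nothing about how Appdome protects strings.

```python
import re

# Hypothetical patterns for this example; tune them to your own app.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")
SENSITIVE = {
    "url": re.compile(rb"https?://[^\s\"']+"),
    "bearer_token": re.compile(rb"Bearer\s+[A-Za-z0-9._\-]{16,}"),
    "file_name": re.compile(rb"[\w\-]+\.(?:db|sqlite|json|plist)\b"),
}

def audit_strings(blob):
    """Return sorted (kind, text) pairs for sensitive plaintext constants."""
    hits = set()
    for run in PRINTABLE_RUN.finditer(blob):
        for kind, pattern in SENSITIVE.items():
            for m in pattern.finditer(run.group()):
                hits.add((kind, m.group().decode("ascii")))
    return sorted(hits)

def xor_mask(data, key):
    """Stand-in for string encryption (NOT real cryptography)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

# Constructed sample: constants as they might sit in a binary's data section.
CONSTANTS = [
    b"https://api.example.com/v1/transactions",
    b"Bearer EXAMPLE0TOKEN0NOT0REAL0000",
    b"accounts.sqlite",
]
SEPARATOR = b"\x00\x01\x02"
PLAIN_BUILD = SEPARATOR.join(CONSTANTS) + b"\x00"
MASKED_BUILD = SEPARATOR.join(xor_mask(c, b"\xa5\x5a\xc3") for c in CONSTANTS)

if __name__ == "__main__":
    print("plain :", audit_strings(PLAIN_BUILD))
    print("masked:", audit_strings(MASKED_BUILD))
```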

After Obfuscating Mobile Apps on Appdome

After you have added TOTALCode to any Mobile App on Appdome, there are a few additional steps needed to complete your mobile integration project.

Add Context™ to the Appdome-Built App

Appdome is a full-featured mobile integration platform. Within Context™, Appdome users can brand the app, including adding a favicon to denote the new service added to the app.
For more information on the range of options available in Context™, please read this knowledge base article.

Sign the TOTALCode protected Appdome-Built App (Required)

In order to deploy an Appdome-Built app, it must be signed. Signing an iOS app and Signing an Android app are easy using Appdome. Alternatively, you can use Private Signing, download your unsigned app and sign locally using your own signing methods.

Deploy the Appdome-Built App to a Mobile Device

Once you have signed your Appdome-Built app, you can download it and deploy it using your distribution method of choice. For more information on deploying your Appdome-Built apps, please read this knowledge base.

That is it. You’ve seen how easy it is to start obfuscating mobile apps.

How Do I Learn More?

If you are interested in obfuscating mobile apps, we suggest checking out ONEShield.

Also, we have a brochure on TOTALCode obfuscation.

If you have any questions, please send them our way at support@appdome.com or via the chat window on the Appdome platform.

Thank you!

Dany Zatuchna
