Application code not obfuscated

Application code not obfuscated

Risk: hardening

Description

Obfuscation refers to methods to obscure code and make it hard to understand. Compiled Java classes can be decompiled if there is no obfuscation during compilation step. It works by modifying the code and metadata of the app in a way that makes it difficult for attackers to understand the code and modify it to introduce vulnerabilities or add malicious functionality. Obfuscators typically achieve this by renaming classes, methods, and variables to non-meaningful names, removing debugging information, and adding bogus code to confuse decompilers.

Adversaries can steal code and sensitive information, introduce vulnerabilities that can compromise the app's security, or repurpose and sell the code in a new application or create a malicious fake application based on the initial one. If this code is not obfuscated, it can be easily decompiled using tools like Apktool or JADX.

Code obfuscation only slows the attacker from reverse engineering but does not make it impossible.

Recommendation

Below are steps you can consider to make your application less prone to reverse engineering :

Obfuscate Java source code with Proguard.

To add Proguard to you application, add the following to the build.gradle file:

Gradle

buildTypes {
        release {
            minifyEnabled true
            proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
        }
    }

This tells Gradle to use ProGuard for code obfuscation in the release build. You can then create a "proguard-rules.pro" file in the app's "app" directory to configure the obfuscation rules.

Example proguard-rules.pro:

# Keep the names of classes in this package
-keep class com.example.myapplication.** { *; }

# Keep all public and protected methods in these classes
-keepclassmembers class com.example.myapplication.** {
    public protected *;
}

# Keep all native method names
-keepclassmembers class * {
    native <methods>;
}

# Keep all fields with the specified name
-keepclassmembers class * {
    private int myField;
}

# Keep all classes that implement Parcelable
-keep class * implements android.os.Parcelable {
  public static final android.os.Parcelable$Creator *;
}

# Keep all Enum classes
-keepclassmembers enum * {
    public static **[] values();
    public static ** valueOf(java.lang.String);
}

# Keep all annotations
-keepattributes *Annotation*

# Preserve all entry points (like main methods)
-keep public class * {
    public static void main(java.lang.String[]);
}

# Keep all Serializable classes
-keep class * implements java.io.Serializable {
    *;
}

Obfuscate Java source code with Dexguard.

To enable Dexguard in your application, you can add the following to the build.gradle file:

Gradle

buildTypes {
        release {
            minifyEnabled true
            useProguard false
            proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
            dexguard {
                config 'dexguard-release.cfg'
            }
        }
    }

This tells Gradle to use DexGuard for code obfuscation in the release build. You can create a"dexguard-project.txt" file in the app's "app" directory to configure the DexGuard project, and a"dexguard-release.cfg" file to configure the obfuscation for the release build.

By default, when you enable code obfuscation using DexGuard, it will use its own obfuscation rules in addition to any rules specified in the ProGuard configuration file. However, you can disable the use of ProGuard's rules by setting the useProguard option to false.

• Verification application signing certificate during runtime by checking context.getPackageManager().signature
• Check application installer to ensure it matches the Android Market by calling context.getPackageManager().getInstallerPackageName
• Check running environment at runtime

Check if the app is running on an emulator

You can add the following check to your application to detect if it's running on an emulator.

Java

private static String getSystemProperty(String name) throws Exception {
    Class systemPropertyClazz = Class.forName("android.os.SystemProperties");
    return (String) systemPropertyClazz.getMethod("get", new Class[] { String.class }).invoke(systemPropertyClazz, new Object[] { name });
}

public static boolean checkEmulator() {

    try {
        boolean goldfish = getSystemProperty("ro.hardware").contains("goldfish");
        boolean qemu = getSystemProperty("ro.kernel.qemu").length() > 0;
        boolean sdk = getSystemProperty("ro.product.model").equals("sdk");

        if (qemu || goldfish || sdk) {
            return true;
        }

    } catch (Exception e) {}

    return false;
}

Check debug flag at runtime

Similarly, you can check if the application is in debug mode during runtime

Java

    context.getApplicationInfo().applicationInfo.flags & ApplicationInfo.FLAG_DEBUGGABLE;

Links

• Lack of Binary Protections (OWASP Mobile Top 10)
• Proguard (Android developer)

Standards

• OWASP_MASVS_RESILIENCE:
  • MSTG_RESILIENCE_9
  • MSTG_RESILIENCE_12
• PCI_STANDARDS:
  • REQ_2_2
• OWASP_MASVS_v2_1:
  • MASVS_RESILIENCE_3