Obfuscated methods
Description
Obfuscation refers to techniques that obscure code to make it hard to understand. Compiled Java classes can be decompiled back to readable source if no obfuscation is applied during the build step.
Adversaries can steal the code and repurpose it, sell it in a new application, or build a malicious fake application on top of the original one.
Code obfuscation only slows an attacker's reverse engineering; it does not make it impossible.
Recommendation
Design the application to add the following protections and slow reverse engineering of the application:
- Obfuscate Java source code with tools like ProGuard or DexGuard. In the module's build.gradle:
  buildTypes {
      release {
          minifyEnabled true
          proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
      }
  }
- Verify the application signing certificate at runtime by checking the signatures reported by
  context.getPackageManager().getPackageInfo(context.getPackageName(), PackageManager.GET_SIGNATURES).signatures
- Check the application installer to ensure it matches the Android Market by calling
  context.getPackageManager().getInstallerPackageName(context.getPackageName())
- Check the running environment at runtime (emulator detection):
  // Reads a system property through the hidden android.os.SystemProperties class via reflection.
  private static String getSystemProperty(String name) throws Exception {
      Class<?> systemPropertyClazz = Class.forName("android.os.SystemProperties");
      // SystemProperties.get(String) is static; the receiver argument is ignored.
      return (String) systemPropertyClazz.getMethod("get", new Class[] { String.class })
              .invoke(systemPropertyClazz, new Object[] { name });
  }

  // Returns true when well-known emulator markers are present in the system properties.
  public static boolean checkEmulator() {
      try {
          boolean goldfish = getSystemProperty("ro.hardware").contains("goldfish");
          boolean qemu = getSystemProperty("ro.kernel.qemu").length() > 0;
          boolean sdk = getSystemProperty("ro.product.model").equals("sdk");
          if (qemu || goldfish || sdk) {
              return true;
          }
      } catch (Exception e) {
          // Reflection failed (class or method unavailable); fall through and assume a real device.
      }
      return false;
  }
- Check the debuggable flag at runtime:
  (context.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0
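The signature, installer and debug-flag checks from the list above, worked into one runtime self-check class. This is an added example, not code from the original page; the pinned certificate hash is a placeholder you replace with the SHA-256 of your own release signing certificate, and com.android.vending is the package name of the Google Play store client.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;

/** Runtime self-checks that slow down repackaging of the app (example code, not the page's own). */
public final class IntegrityChecks {
    // PLACEHOLDER: replace with the SHA-256 (64 hex chars) of the DER bytes of your release
    // signing certificate, e.g. from `keytool -printcert -jarfile app-release.apk`.
    private static final byte[] EXPECTED_CERT_SHA256 =
            hexToBytes("0000000000000000000000000000000000000000000000000000000000000000");

    // Package name of the Google Play store client, as reported by getInstallerPackageName().
    private static final String PLAY_STORE_INSTALLER = "com.android.vending";

    /** True only if every signing certificate of the running APK matches the pinned hash. */
    public static boolean isSignatureValid(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            if (info.signatures == null || info.signatures.length == 0) return false;
            for (Signature sig : info.signatures) {
                byte[] digest = MessageDigest.getInstance("SHA-256").digest(sig.toByteArray());
                // Constant-time comparison so the check does not leak how many bytes matched.
                if (!MessageDigest.isEqual(digest, EXPECTED_CERT_SHA256)) return false;
            }
            return true;
        } catch (Exception e) {
            return false; // fail closed: treat any lookup failure as tampering
        }
    }

    /** True if the APK was installed by the Play store rather than sideloaded or repackaged. */
    public static boolean isInstalledFromPlayStore(Context ctx) {
        String installer = ctx.getPackageManager().getInstallerPackageName(ctx.getPackageName());
        return PLAY_STORE_INSTALLER.equals(installer); // installer may be null when sideloaded
    }

    /** True if the running build was compiled with android:debuggable="true". */
    public static boolean isDebuggable(Context ctx) {
        return (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    private static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

As the text notes, these checks are only a speed bump: whoever can repackage the APK can also patch them out, so keep the pinned hash and the call sites in code that ProGuard renames rather than in a single easily located boolean.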