
Secure Mobile Application Development
Part 6: Obfuscation
Jahmel Harris, Technical Director
Binary obfuscation is one technique often used to keep a client-side implementation secret, and is particularly useful for applications dealing with DRM or mobile payments. It transforms a binary into a version that has the same functionality as the original but is deliberately more complex, and therefore more difficult to reverse engineer. On some platforms (such as Android), when obfuscation is not applied, it is often possible to recover a highly accurate version of the source code.
The following are techniques commonly used in obfuscation:
- String Encryption: String constants are replaced with encrypted versions and run through a decryption function before use.
- Symbol Renaming: Symbols (such as method and variable names) are renamed to remove meaning and to make it more difficult to follow method calls.
- Code Flow Obfuscation: Code structures are removed, flattened or merged.
- Dummy Code Insertion: Code is inserted that has no effect on the program, but is executed.
- Instruction Substitution: Common instructions are replaced with instructions that have the same effect, but are less obvious. Simple instructions can be expanded to many instructions.
There are many more techniques which can make it more difficult to recover source code or perform static analysis on a binary.
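Two of the techniques listed above, string encryption and instruction substitution, shown as an added example (not code from the original article or from any of the tools named below). The XOR key, the sample string "api_secret" and all function names are constructed for illustration; commercial obfuscators use stronger and more varied transforms.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define XOR_KEY 0x5A /* constructed key; note that it ships inside the binary */

/* "api_secret" XORed byte-by-byte with XOR_KEY ahead of time (constructed sample). */
static const uint8_t ENC_NAME[] = {0x3B, 0x2A, 0x33, 0x05, 0x29,
                                   0x3F, 0x39, 0x28, 0x3F, 0x2E};

/* String encryption: recover the constant just before use. out needs n + 1 bytes. */
void decode_string(const uint8_t *enc, size_t n, char *out) {
    for (size_t i = 0; i < n; i++)
        out[i] = (char)(enc[i] ^ XOR_KEY);
    out[n] = '\0';
}

/* What a static scan for a known literal does: a byte search over the image. */
int image_contains(const uint8_t *img, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; m != 0 && i + m <= n; i++)
        if (memcmp(img + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Instruction substitution: a + b rewritten as (a ^ b) + 2 * (a & b).
 * XOR adds each bit without carries; the shifted AND adds the carries back. */
uint32_t add_plain(uint32_t a, uint32_t b) { return a + b; }
uint32_t add_substituted(uint32_t a, uint32_t b) {
    return (a ^ b) + ((a & b) << 1);
}

int main(void) {
    char name[sizeof ENC_NAME + 1];
    decode_string(ENC_NAME, sizeof ENC_NAME, name);
    /* The stored bytes hide the literal; the decoded buffer in memory does not.
     * (The needle literal below exists only for this demonstration harness.) */
    int hidden = !image_contains(ENC_NAME, sizeof ENC_NAME, "api_secret");
    int visible = image_contains((const uint8_t *)name, strlen(name), "api_secret");
    int same = add_plain(1234u, 5678u) == add_substituted(1234u, 5678u);
    return (hidden && visible && same) ? 0 : 1;
}
```

Because the key and the decode routine are both in the binary, and the plaintext exists in memory after decoding, this raises the effort of static analysis rather than keeping the value secret.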
Several tools exist which provide this functionality, including:
- Morpher
- Metaforic
- Arxan
- LLVM Obfuscator