Info Obfuscated methods

Description

Obfuscation refers to methods to obscure code and make it hard to understand. Compiled Java classes can be decompiled if there is no obfuscation during compilation step.

Adversaries can steal code and repurpose it and sell it in a new application or create a malicious fake application based on the initial one.

Code obfuscation only slows the attacker from reverse engineering but does not make it impossible.

Recommendation

Design the application to add the following protections and slow reverse engineering of the application:

  • Obfuscate Java source code with tools like Proguard or Dexguard
  • buildTypes {
            release {
                minifyEnabled true
                proguardFiles getDefaultProguardFile('proguard-android.txt'),
                'proguard-rules.pro'
            }
        }
  • Verification application signing certificate during runtime by checking context.getPackageManager().signature
  • Check application installer to ensure it matches the Android Market by calling context.getPackageManager().getInstallerPackageName
  • Check running environment at runtime
  • private static String getSystemProperty(String name) throws Exception {
        Class systemPropertyClazz = Class.forName("android.os.SystemProperties");
        return (String) systemPropertyClazz.getMethod("get", new Class[] { String.class }).invoke(systemPropertyClazz, new Object[] { name });
    }
    
    public static boolean checkEmulator() {
    
        try {
            boolean goldfish = getSystemProperty("ro.hardware").contains("goldfish");
            boolean qemu = getSystemProperty("ro.kernel.qemu").length() > 0;
            boolean sdk = getSystemProperty("ro.product.model").equals("sdk");
    
            if (qemu || goldfish || sdk) {
                return true;
            }
    
        } catch (Exception e) {
        }
    
        return false;
      }
  • Check debug flag at runtime
  • context.getApplicationInfo().applicationInfo.flags & ApplicationInfo.FLAG_DEBUGGABLE;

Technical details
PackageObfuscated
com.ncapdevi.fragnav True
okio False
net.skyscanner.go True
io.card.payment True
com.google.firebase True
androidx.loader True
com.airbnb.lottie True
androidx.transition True
com.google.ads True
androidx.media True
androidx.swiperefreshlayout True
com.BV.LinearGradient True
androidx.coordinatorlayout True
com.mixpanel.android True
androidx.viewpager True
com.dylanvann.fastimage True
com.braintreepayments.browserswitch True
androidx.versionedparcelable True
net.skyscanner.nid True
mortar False
com.booking.a True
com.android.installreferrer True
com.google.zxing True
androidx.cursoradapter True
kotlin False
androidx.legacy.a True
androidx.appcompat True
com.perimeterx.msdk True
androidx.legacy.coreui False
androidx.arch.core True
androidx.print False
androidx.lifecycle True
eu.davidea.flexibleadapter True
androidx.legacy.coreutils False
io.branch.indexing True
dagger True
androidx.interpolator True
bolts True
com.google.protobuf False
com.pnikosis.materialishprogress False
rx False
com.a.a True
androidx.slidingpanelayout False
io.jsonwebtoken False
androidx.core True
com.cardio False
me.majiajie.pagerbottomtabstrip True
retrofit2 False
androidx.leanback True
androidx.palette False
com.mikepenz.itemanimators True
androidx.fragment True
javax.inject False
androidx.constraintlayout.a True
com.bumptech.glide True
com.braintreepayments.api True
io.branch.referral True
net.skyscanner.backpack True
androidx.cardview True
net.skyscanner.utilities True
com.facebook False
eu.davidea.b True
androidx.annotation False
net.cachapa.expandablelayout True
androidx.browser True
androidx.drawerlayout False
android.support.a True
androidx.asynclayoutinflater False
com.google.gson True
androidx.multidex True
org.webkit.android_jsc False
net.skyscanner.schemas False
com.squareup.a True
androidx.constraintlayout.widget True
afu.plume False
com.crashlytics.android False
androidx.collection True
io.supercharge.shimmerlayout False
com.appsflyer True
okhttp3 False
androidx.legacy.v4 False
net.openid.appauth True
a.a.a True
androidx.documentfile False
net.skyscanner.pricealerts True
androidx.localbroadcastmanager True
androidx.legacy.widget False
androidx.recyclerview True
eu.davidea.a True
com.kahuna.sdk False
androidx.customview True
net.skyscanner.android True
androidx.vectordrawable True
com.jakewharton.rxbinding True
com.caverock.androidsvg True
com.sdoward.rxgooglemap True
com.afollestad.materialdialogs True
com.squareup.tape True
android.support.constraint False