Info Obfuscated methods

Description

Obfuscation refers to methods that obscure code and make it hard to understand. Compiled Java classes can be decompiled if no obfuscation is applied during the compilation step.

Adversaries can steal the code, repurpose it and sell it in a new application, or create a malicious fake application based on the original one.

Code obfuscation only slows an attacker's reverse engineering; it does not make it impossible.

Recommendation

Design the application to add the following protections and slow reverse engineering of the application:

  • Obfuscate Java source code with tools like ProGuard or DexGuard:

        buildTypes {
            release {
                // Enable code shrinking and obfuscation for release builds
                minifyEnabled true
                proguardFiles getDefaultProguardFile('proguard-android.txt'),
                        'proguard-rules.pro'
            }
        }

  • Verify the application signing certificate at runtime by checking the signatures returned by context.getPackageManager().getPackageInfo(context.getPackageName(), PackageManager.GET_SIGNATURES)
  • Check the application installer to ensure it matches the Android Market by calling context.getPackageManager().getInstallerPackageName()
  • Check the running environment at runtime:

        // Reads a system property through the hidden android.os.SystemProperties class.
        private static String getSystemProperty(String name) throws Exception {
            Class<?> systemPropertyClazz = Class.forName("android.os.SystemProperties");
            // SystemProperties.get(String) is static, so no receiver object is needed.
            return (String) systemPropertyClazz.getMethod("get", String.class).invoke(null, name);
        }

        // Returns true when the system properties look like an emulator image.
        public static boolean checkEmulator() {
            try {
                boolean goldfish = getSystemProperty("ro.hardware").contains("goldfish");
                boolean qemu = getSystemProperty("ro.kernel.qemu").length() > 0;
                boolean sdk = getSystemProperty("ro.product.model").equals("sdk");

                if (qemu || goldfish || sdk) {
                    return true;
                }
            } catch (Exception e) {
                // Property lookup failed: treat the device as not an emulator.
            }

            return false;
        }

  • Check the debug flag at runtime:

        // Non-zero when the installed package is marked debuggable.
        boolean debuggable = (context.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;

Technical details
Package Obfuscated
org.slf4j False
com.tosan.mobilebank False
net.monius False
android.support.mediacompat False
org.honorato.multistatetogglebutton False
com.google.firebase True
eu.davidea.viewholders False
com.afollestad.materialdialogs False
org.apache.http False
android.support.design False
brut.common False
android.support.multidex False
klogi.com False
android.support.compat False
brut.util False
android.net.compatibility False
android.support.v4 False
okhttp3 False
com.tosan.fingerprint False
eu.davidea.flexibleadapter False
com.flipboard.bottomsheet False
android.support.transition False
android.net.http False
com.mindprod.ledatastream False
brut.androlib False
com.tosan.map False
com.google.zxing False
android.support.fragment False
retrofit2 False
org.spongycastle False
flipboard.bottomsheet False
okio False
com.kishware.date False
hugo.weaving False
android.support.coreutils False
eu.davidea.fastscroller False
android.support.annotation False
com.google.gson False
android.support.coreui False
com.scenus False
com.tosan.contacts False