Info Obfuscated methods

Description

Obfuscation refers to methods to obscure code and make it hard to understand. Compiled Java classes can be decompiled if there is no obfuscation during compilation step.

Adversaries can steal code and repurpose it and sell it in a new application or create a malicious fake application based on the initial one.

Code obfuscation only slows the attacker from reverse engineering but does not make it impossible.

Recommendation

Design the application to add the following protections and slow reverse engineering of the application:

  • Obfuscate Java source code with tools like Proguard or Dexguard
  • buildTypes {
            release {
                minifyEnabled true
                proguardFiles getDefaultProguardFile('proguard-android.txt'),
                'proguard-rules.pro'
            }
        }
  • Verification application signing certificate during runtime by checking context.getPackageManager().signature
  • Check application installer to ensure it matches the Android Market by calling context.getPackageManager().getInstallerPackageName
  • Check running environment at runtime
  • private static String getSystemProperty(String name) throws Exception {
        Class systemPropertyClazz = Class.forName("android.os.SystemProperties");
        return (String) systemPropertyClazz.getMethod("get", new Class[] { String.class }).invoke(systemPropertyClazz, new Object[] { name });
    }
    
    public static boolean checkEmulator() {
    
        try {
            boolean goldfish = getSystemProperty("ro.hardware").contains("goldfish");
            boolean qemu = getSystemProperty("ro.kernel.qemu").length() > 0;
            boolean sdk = getSystemProperty("ro.product.model").equals("sdk");
    
            if (qemu || goldfish || sdk) {
                return true;
            }
    
        } catch (Exception e) {
        }
    
        return false;
      }
  • Check debug flag at runtime
  • context.getApplicationInfo().applicationInfo.flags & ApplicationInfo.FLAG_DEBUGGABLE;

Technical details
PackageObfuscated
javax.inject False
com.google.ads True
android.support.coreui False
com.ypyproductions.utils False
android.support.fragment False
android.support.compat False
android.support.multidex False
com.google.firebase True
com.nononsenseapps.filepicker False
com.google.protobuf False
com.kyleduo.switchbutton False
javax.mail False
org.joda.time False
dagger False
android.content.pm False
android.support.coreutils False
okio False
com.suke.widget False
android.support.v4 False
com.scottyab.aescrypt False
android.support.transition False
hugo.weaving False
com.bumptech.glide False
myjava.awt.datatransfer False
android.support.mediacompat False
com.ypyproductions.abtractclass False
com.jaeger.library False
javax.activation False
com.crashlytics.android False
com.example.tutoshowcase False
com.rudraum.rudraumThumb2Thief True
butterknife False
at.grabner.circleprogress False
com.fastaccess.permission False
android.support.annotation False
android.support.design False
com.squareup.picasso False
pub.devrel.easypermissions False
com.ypyproductions.task False
com.amnix.materiallockview False
org.jsoup False
android.arch.lifecycle False
com.ypyproductions.webservice False
android.support.constraint False