Info Obfuscated methods

Description

Obfuscation refers to methods to obscure code and make it hard to understand. Compiled Java classes can be decompiled if there is no obfuscation during compilation step.

Adversaries can steal code and repurpose it and sell it in a new application or create a malicious fake application based on the initial one.

Code obfuscation only slows the attacker from reverse engineering but does not make it impossible.

Recommendation

Design the application to add the following protections and slow reverse engineering of the application:

  • Obfuscate Java source code with tools like Proguard or Dexguard
  • buildTypes {
            release {
                minifyEnabled true
                proguardFiles getDefaultProguardFile('proguard-android.txt'),
                'proguard-rules.pro'
            }
        }
  • Verification application signing certificate during runtime by checking context.getPackageManager().signature
  • Check application installer to ensure it matches the Android Market by calling context.getPackageManager().getInstallerPackageName
  • Check running environment at runtime
  • private static String getSystemProperty(String name) throws Exception {
        Class systemPropertyClazz = Class.forName("android.os.SystemProperties");
        return (String) systemPropertyClazz.getMethod("get", new Class[] { String.class }).invoke(systemPropertyClazz, new Object[] { name });
    }
    
    public static boolean checkEmulator() {
    
        try {
            boolean goldfish = getSystemProperty("ro.hardware").contains("goldfish");
            boolean qemu = getSystemProperty("ro.kernel.qemu").length() > 0;
            boolean sdk = getSystemProperty("ro.product.model").equals("sdk");
    
            if (qemu || goldfish || sdk) {
                return true;
            }
    
        } catch (Exception e) {
        }
    
        return false;
      }
  • Check debug flag at runtime
  • context.getApplicationInfo().applicationInfo.flags & ApplicationInfo.FLAG_DEBUGGABLE;

Technical details
PackageObfuscated
android.support.transition False
net.jpountz.util False
com.services True
android.support.design False
androidx.work True
com.library.util False
com.comscore.utils True
com.library.helpers False
com.simpl.approvalsdk True
com.gaana False
com.comscore.applications False
com.custom_card_response True
com.i True
com.g.a True
net.hockeyapp.android True
com.logging True
com.helpshift True
com.comscore.analytics True
com.constants True
android.support.multidex False
net.jpountz.lz4 False
com.d True
com.youtube False
com.timespointssdk True
android.support.customtabs False
com.collapsible_header True
com.player_framework True
android.databinding True
com.managers True
com.payment True
android.support.coreui False
android.support.coreutils False
com.e.a True
com.library.controls False
com.google.flatbuffers False
com.j.a True
com.library.custom_glide False
com.payu.custombrowser True
io.branch.referral True
android.support.annotation False
com.playercache True
bolts True
com.models True
com.comscore.instrumentation False
com.views True
com.cast_music True
com.comscore.metrics True
com.google.firebase True
com.login.nativesso True
com.h True
com.google.gson False
com.comscore.streaming True
com.paytm.pgsdk False
android.support.v4 False
android.support.v13 False
com.payu.magicretry True
androidx.browser.browseractions False
android.support.compat False
com.moengage False
com.moe.pushlibrary False
com.voice True
com.library.managers False
com.utilities True
net.jpountz.a True
com.comscore.measurement True
com.google.ads True
android.support.mediacompat False
com.comscore.android True
io.branch.indexing False
android.support.fragment False
com.widget False
android.arch.lifecycle True
com.exoplayer2 True
com.b True
in.til.core True
kotlin True
android.support.constraint False
com.f True
com.a True