Info Obfuscated methods

Description

Obfuscation refers to methods to obscure code and make it hard to understand. Compiled Java classes can be decompiled if there is no obfuscation during compilation step.

Adversaries can steal code and repurpose it and sell it in a new application or create a malicious fake application based on the initial one.

Code obfuscation only slows the attacker from reverse engineering but does not make it impossible.

Recommendation

Design the application to add the following protections and slow reverse engineering of the application:

  • Obfuscate Java source code with tools like Proguard or Dexguard
  • buildTypes {
            release {
                minifyEnabled true
                proguardFiles getDefaultProguardFile('proguard-android.txt'),
                'proguard-rules.pro'
            }
        }
  • Verification application signing certificate during runtime by checking context.getPackageManager().signature
  • Check application installer to ensure it matches the Android Market by calling context.getPackageManager().getInstallerPackageName
  • Check running environment at runtime
  • private static String getSystemProperty(String name) throws Exception {
        Class systemPropertyClazz = Class.forName("android.os.SystemProperties");
        return (String) systemPropertyClazz.getMethod("get", new Class[] { String.class }).invoke(systemPropertyClazz, new Object[] { name });
    }
    
    public static boolean checkEmulator() {
    
        try {
            boolean goldfish = getSystemProperty("ro.hardware").contains("goldfish");
            boolean qemu = getSystemProperty("ro.kernel.qemu").length() > 0;
            boolean sdk = getSystemProperty("ro.product.model").equals("sdk");
    
            if (qemu || goldfish || sdk) {
                return true;
            }
    
        } catch (Exception e) {
        }
    
        return false;
      }
  • Check debug flag at runtime
  • context.getApplicationInfo().applicationInfo.flags & ApplicationInfo.FLAG_DEBUGGABLE;

Technical details
PackageObfuscated
android.support.annotation False
javax.mail False
javax.annotation False
com.bumptech.glide False
com.jakewharton.disklrucache False
okhttp3 False
butterknife False
devlight.io.library False
de.hdodenhof.circleimageview False
io.socket.yeast False
android.support.coreutils False
rx False
com.crashlytics.android False
com.victor.loading False
com.google.gson False
com.squareup.picasso False
com.wonderkiln.blurkit False
io.socket.utf8 False
com.google.firebase True
io.socket.client False
com.zendesk.util False
zendesk.core False
zendesk.support False
com.zendesk.logger False
android.support.coreui False
android.databinding False
com.mikhaellopez.circularimageview False
com.xw.repo False
com.zendesk.belvedere False
retrofit2 False
com.philliphsu.numberpadtimepicker False
org.jetbrains.annotations False
android.support.design False
com.hypertrack.hyperlog False
com.poovam.pinedittextfield False
com.zendesk.collection False
com.xiaochencode.percentprogressbar False
pl.droidsonroids.gif False
io.socket.backo False
com.zendesk.service False
com.example.crystalrangeseekbar False
io.socket.thread False
kotlin False
android.support.mediacompat False
com.lnikkila.extendedtouchview False
io.socket.global False
io.socket.parseqs False
android.support.compat False
android.support.multidex False
android.app.smdt False
com.android.volley False
com.zendesk.sdk False
javax.activation False
javax.inject False
com.zendesk.func False
myjava.awt.datatransfer False
com.allenliu.badgeview False
android.support.v4 False
com.google.ads True
io.socket.parser False
okio False
android.support.constraint False
com.jakewharton.picasso False
zendesk.suas False
android.support.transition False
io.socket.hasbinary False
io.socket.emitter False
com.google.protobuf True
dagger False
android.support.fragment False
zendesk.belvedere False
com.jjoe64.graphview False