Info Obfuscated methods

Description

Obfuscation refers to methods to obscure code and make it hard to understand. Compiled Java classes can be decompiled if there is no obfuscation during compilation step.

Adversaries can steal code and repurpose it and sell it in a new application or create a malicious fake application based on the initial one.

Code obfuscation only slows the attacker from reverse engineering but does not make it impossible.

Recommendation

Design the application to add the following protections and slow reverse engineering of the application:

  • Obfuscate Java source code with tools like Proguard or Dexguard
  • buildTypes {
            release {
                minifyEnabled true
                proguardFiles getDefaultProguardFile('proguard-android.txt'),
                'proguard-rules.pro'
            }
        }
  • Verification application signing certificate during runtime by checking context.getPackageManager().signature
  • Check application installer to ensure it matches the Android Market by calling context.getPackageManager().getInstallerPackageName
  • Check running environment at runtime
  • private static String getSystemProperty(String name) throws Exception {
        Class systemPropertyClazz = Class.forName("android.os.SystemProperties");
        return (String) systemPropertyClazz.getMethod("get", new Class[] { String.class }).invoke(systemPropertyClazz, new Object[] { name });
    }
    
    public static boolean checkEmulator() {
    
        try {
            boolean goldfish = getSystemProperty("ro.hardware").contains("goldfish");
            boolean qemu = getSystemProperty("ro.kernel.qemu").length() > 0;
            boolean sdk = getSystemProperty("ro.product.model").equals("sdk");
    
            if (qemu || goldfish || sdk) {
                return true;
            }
    
        } catch (Exception e) {
        }
    
        return false;
      }
  • Check debug flag at runtime
  • context.getApplicationInfo().applicationInfo.flags & ApplicationInfo.FLAG_DEBUGGABLE;

Technical details
PackageObfuscated
org.bouncycastle.crypto False
md5d06a077489831141efe6f537ac3ef2f5 False
md5455f6124b98dfb3fa2b3adb004e109ee False
android.support.transition False
android.support.coreutils False
md532297d508661dd0e548b7fd62ac153f3 False
android.support.compat False
md5b5cbf9a5f989abac95309328170a059b False
md51558244f76c53b6aeda52c8a337f2c37 False
org.apache.http False
com.unisys.dltestdigimobile False
android.support.mediacompat False
opentk False
md54cd65ac53ae710bff80022afc423e0f3 False
com.xamarin.java_interop False
md5ffee669ba463e53144e08cad7284821e False
android.support.coreui False
md5f112b719ffc0b0223f20593de7c69b79 False
android.support.fragment False
android.support.multidex False
md5952c01d8b4c34fff2c31ca4fd13263c8 False
com.mirasense.scanditsdk False
android.support.design False
md5a713a226e3d68551ab5775b719eafff8 False
android.support.v4 False
md57be7e0aa3e38d08066d0a84beb18d525 False
mono False
md58432a647068b097f9637064b8985a5e0 False
org.spongycastle False
com.scandit.barcodepicker False
com.scandit.recognition False
android.app False
android.runtime False
md5bb098716dd46c8e113564e6b42b7cde9 False
md508a116ab629a9168c5f121b9962d8ce6 False