Info Obfuscated methods

Description

Obfuscation refers to methods that obscure code and make it hard to understand. Compiled Java classes can be decompiled if no obfuscation is applied during the compilation step.

Adversaries can steal the code, repurpose it and sell it in a new application, or create a malicious fake application based on the original one.

Code obfuscation only slows an attacker's reverse engineering; it does not make it impossible.

Recommendation

Design the application to add the following protections and slow reverse engineering of the application:

  • Obfuscate Java source code with tools like ProGuard or DexGuard:

        buildTypes {
            release {
                // Turn on code shrinking and obfuscation for release builds
                minifyEnabled true
                proguardFiles getDefaultProguardFile('proguard-android.txt'),
                        'proguard-rules.pro'
            }
        }

  • Verify the application signing certificate at runtime by checking context.getPackageManager().getPackageInfo(context.getPackageName(), PackageManager.GET_SIGNATURES).signatures
  • Check the application installer to ensure it matches the Android Market by calling context.getPackageManager().getInstallerPackageName(context.getPackageName())
  • Check the running environment at runtime:

        // Reads an Android system property through the hidden android.os.SystemProperties class.
        private static String getSystemProperty(String name) throws Exception {
            Class<?> systemPropertyClazz = Class.forName("android.os.SystemProperties");
            return (String) systemPropertyClazz.getMethod("get", String.class).invoke(null, name);
        }

        // Returns true when the system properties look like those of an emulator.
        public static boolean checkEmulator() {
            try {
                boolean goldfish = getSystemProperty("ro.hardware").contains("goldfish");
                boolean qemu = getSystemProperty("ro.kernel.qemu").length() > 0;
                boolean sdk = getSystemProperty("ro.product.model").equals("sdk");

                return qemu || goldfish || sdk;
            } catch (Exception e) {
                // Property lookup failed: treat the device as not an emulator.
            }

            return false;
        }

  • Check the debug flag at runtime:

        boolean debuggable = (context.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;

Technical details
Package Obfuscated
android.support.documentfile False
javax.inject False
android.support.interpolator False
com.google.gson False
android.support.customview False
com.BV.LinearGradient False
android.support.compat False
com.google.c True
net.jcip.annotations False
okio False
com.azendoo.reactnativesnackbar False
net.minidev.json False
me.listenzz.modal False
com.google.zxing False
io.opencensus.tags False
android.support.asynclayoutinflater False
android.support.design False
androidx.versionedparcelable False
android.support.transition False
net.minidev.asm False
bolts False
com.cocosw.bottomsheet False
com.google.firebase True
android.support.drawerlayout False
android.support.coreui False
android.support.coordinatorlayout False
io.opencensus.trace False
android.support.multidex False
androidx.core.internal False
com.google.d True
com.iamport False
android.support.swiperefreshlayout False
android.support.localbroadcastmanager False
com.nimbusds.jwt False
android.support.customtabs False
android.support.annotation False
android.arch.core False
android.support.slidingpanelayout False
org.webkit.android_jsc False
javax.annotation False
android.support.loader False
com.oblador.vectoricons False
android.support.print False
com.crashlytics.android False
android.support.coreutils False
io.grpc False
okhttp3 False
io.opencensus.stats False
com.squareup.okhttp False
android.support.fragment False
com.imagepicker False
com.google.protobuf False
android.support.cursoradapter False
com.nimbusds.jose False
io.opencensus.common False
io.opencensus.internal False
com.clipsub.rnbottomsheet False
android.arch.lifecycle False
android.support.mediacompat False
org.objectweb.asm False
com.facebook False
io.invertase.firebase False
co.apptailor.googlesignin False
android.support.v4 False