Info Obfuscated methods


Obfuscation refers to methods to obscure code and make it hard to understand. Compiled Java classes can be decompiled if there is no obfuscation during compilation step.

Adversaries can steal code and repurpose it and sell it in a new application or create a malicious fake application based on the initial one.

Code obfuscation only slows the attacker from reverse engineering but does not make it impossible.


Design the application to add the following protections and slow reverse engineering of the application:

  • Obfuscate Java source code with tools like Proguard or Dexguard
  • buildTypes {
            release {
                minifyEnabled true
                proguardFiles getDefaultProguardFile('proguard-android.txt'),
  • Verification application signing certificate during runtime by checking context.getPackageManager().signature
  • Check application installer to ensure it matches the Android Market by calling context.getPackageManager().getInstallerPackageName
  • Check running environment at runtime
  • private static String getSystemProperty(String name) throws Exception {
        Class systemPropertyClazz = Class.forName("android.os.SystemProperties");
        return (String) systemPropertyClazz.getMethod("get", new Class[] { String.class }).invoke(systemPropertyClazz, new Object[] { name });
    public static boolean checkEmulator() {
        try {
            boolean goldfish = getSystemProperty("ro.hardware").contains("goldfish");
            boolean qemu = getSystemProperty("ro.kernel.qemu").length() > 0;
            boolean sdk = getSystemProperty("ro.product.model").equals("sdk");
            if (qemu || goldfish || sdk) {
                return true;
        } catch (Exception e) {
        return false;
  • Check debug flag at runtime
  • context.getApplicationInfo().applicationInfo.flags & ApplicationInfo.FLAG_DEBUGGABLE;

Technical details
PackageObfuscated False
com.jakewharton.picasso False
org.mockito False
com.jakewharton.rxbinding2 False
android.arch.core False
org.jetbrains.annotations False True
com.facebook False
bolts False False
junit.framework False
org.junit False False False
org.apache.http False
timber.log False
com.zendesk.sdk False False
androidx.versionedparcelable False False
org.aaronhe.rxgooglemapsbinding False
com.zendesk.service False
com.bumptech.glide False
com.zendesk.util False
com.wootric.androidsdk False
com.nhaarman.mockito_kotlin False False
com.zendesk.collection False
com.ethanhua.skeleton False
zendesk.suas False False False False
kotlin False
junit.extensions False False
com.jakewharton.disklrucache False False False
rx False
io.reactivex False False
com.squareup.okhttp False False False
com.zendesk.logger False
zendesk.core False False False
org.slf4j False
retrofit2 False
dagger False
junit.runner False False
androidx.browser.browseractions False
com.getkeepsafe.relinker False False
io.realm False
javax.inject False
org.objenesis False False
org.hamcrest False
org.joda.time False False
com.caverock.androidsvg False
android.arch.lifecycle False
com.squareup.picasso False False
org.parceler False
com.sothree.slidinguppanel False
junit.textui False False False
zendesk.belvedere False
okio False
okhttp3 False False
androidx.core.internal False False
net.bytebuddy False False
jp.wasabeef.richeditor False
org.reactivestreams False False
com.jakewharton.rxrelay2 False
com.zendesk.func False
io.supercharge.shimmerlayout False False
android.databinding False