Info Obfuscated methods

Description

Obfuscation refers to methods that obscure code and make it hard to understand. Compiled Java classes can be decompiled if no obfuscation is applied during the compilation step.

Adversaries can steal the code, repurpose it and sell it in a new application, or create a malicious fake application based on the original one.

Code obfuscation only slows an attacker's reverse engineering; it does not make it impossible.

Recommendation

Design the application to add the following protections and slow reverse engineering of the application:

  • Obfuscate Java source code with tools like ProGuard or DexGuard:

        buildTypes {
            release {
                // Enable shrinking and obfuscation for release builds
                minifyEnabled true
                proguardFiles getDefaultProguardFile('proguard-android.txt'),
                        'proguard-rules.pro'
            }
        }

  • Verify the application signing certificate at runtime by checking context.getPackageManager().getPackageInfo(context.getPackageName(), PackageManager.GET_SIGNATURES).signatures
  • Check the application installer to ensure it matches the Android Market by calling context.getPackageManager().getInstallerPackageName
  • Check the running environment at runtime:

        // Reads a system property through the hidden android.os.SystemProperties class.
        private static String getSystemProperty(String name) throws Exception {
            Class<?> systemPropertyClazz = Class.forName("android.os.SystemProperties");
            // "get" is static, so no receiver instance is needed.
            return (String) systemPropertyClazz.getMethod("get", String.class).invoke(null, name);
        }

        // Returns true if the system properties match a known emulator profile.
        public static boolean checkEmulator() {
            try {
                boolean goldfish = getSystemProperty("ro.hardware").contains("goldfish");
                boolean qemu = getSystemProperty("ro.kernel.qemu").length() > 0;
                boolean sdk = getSystemProperty("ro.product.model").equals("sdk");

                if (qemu || goldfish || sdk) {
                    return true;
                }
            } catch (Exception e) {
                // Properties could not be read: treat as "not an emulator".
            }

            return false;
        }

  • Check the debug flag at runtime:

        // True when the installed package is marked debuggable.
        boolean debuggable = (context.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;

Technical details
Package Obfuscated
zendesk.belvedere False
com.jakewharton.rxrelay2 False
org.joda.time False
com.jakewharton.picasso False
org.objenesis False
com.google.maps False
androidx.core.internal False
zendesk.support False
android.support.transition False
com.zendesk.logger False
org.mockito False
android.support.constraint False
androidx.media False
org.apache.http False
com.zendesk.sdk False
retrofit2 False
android.support.asynclayoutinflater False
junit.framework False
org.reactivestreams False
org.slf4j False
javax.inject False
android.support.compat False
android.support.localbroadcastmanager False
androidx.versionedparcelable False
com.zendesk.util False
com.getkeepsafe.relinker False
android.support.customtabs False
zendesk.core False
com.zendesk.service False
android.support.multidex False
rx False
bolts False
com.zendesk.collection False
com.wootric.androidsdk False
com.caverock.androidsvg False
okio False
android.support.coreutils False
android.support.coreui False
android.support.slidingpanelayout False
org.hamcrest False
android.support.coordinatorlayout False
android.support.swiperefreshlayout False
android.support.interpolator False
androidx.browser.browseractions False
kotlin False
android.arch.core False
com.ethanhua.skeleton False
com.google.firebase True
android.support.print False
com.jakewharton.rxbinding2 False
com.crashlytics.android False
com.sothree.slidinguppanel False
android.support.drawerlayout False
net.bytebuddy False
android.support.customview False
io.supercharge.shimmerlayout False
android.support.annotation False
com.jakewharton.disklrucache False
org.parceler False
io.reactivex False
android.support.cursoradapter False
com.nhaarman.mockito_kotlin False
org.jetbrains.annotations False
android.databinding False
android.support.design False
junit.extensions False
android.support.mediacompat False
com.bumptech.glide False
junit.textui False
android.support.loader False
junit.runner False
com.facebook False
android.support.v4 False
org.junit False
okhttp3 False
com.google.zxing False
org.aaronhe.rxgooglemapsbinding False
jp.wasabeef.richeditor False
dagger False
com.squareup.okhttp False
zendesk.suas False
com.squareup.picasso False
android.arch.lifecycle False
com.google.gson False
android.support.fragment False
android.support.documentfile False
timber.log False
io.realm False
com.zendesk.func False