Info Obfuscated methods

Description

Obfuscation refers to techniques that obscure code and make it hard to understand. Compiled Java classes can be decompiled if no obfuscation is applied during the compilation step.

Adversaries can steal code, repurpose it and sell it in a new application, or create a malicious fake application based on the original one.

Code obfuscation only slows an attacker's reverse engineering; it does not make it impossible.

Recommendation

Design the application to add the following protections and slow reverse engineering of the application:

  • Obfuscate Java source code with tools like ProGuard or DexGuard:

        buildTypes {
            release {
                minifyEnabled true
                proguardFiles getDefaultProguardFile('proguard-android.txt'),
                        'proguard-rules.pro'
            }
        }

  • Verify the application signing certificate at runtime by checking the signatures field of the PackageInfo returned by context.getPackageManager().getPackageInfo() (requested with PackageManager.GET_SIGNATURES)
  • Check the application installer to ensure it matches the Android Market by calling context.getPackageManager().getInstallerPackageName()
  • Check the running environment at runtime:

        // Read a system property through the hidden android.os.SystemProperties class (reflection).
        private static String getSystemProperty(String name) throws Exception {
            Class<?> systemPropertyClazz = Class.forName("android.os.SystemProperties");
            // SystemProperties.get(String) is static, so no receiver object is needed.
            return (String) systemPropertyClazz.getMethod("get", String.class).invoke(null, name);
        }

        // Returns true when the system properties match values typical of the Android emulator.
        public static boolean checkEmulator() {
            try {
                boolean goldfish = getSystemProperty("ro.hardware").contains("goldfish");
                boolean qemu = getSystemProperty("ro.kernel.qemu").length() > 0;
                boolean sdk = getSystemProperty("ro.product.model").equals("sdk");
                return qemu || goldfish || sdk;
            } catch (Exception e) {
                // Property lookup failed: report "not an emulator", as before.
                return false;
            }
        }

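  • Check the debug flag at runtime:

        // ApplicationInfo.flags is a bit field; a non-zero result means the app is debuggable.
        boolean debuggable = (context.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;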

Technical details
Package Obfuscated
de.hdodenhof.circleimageview True
com.fmsirvent.ParallaxEverywhere True
ru.yandex True
com.squareup.moshi True
com.yandex.auth True
com.yandex.b True
org.slf4j True
com.trello.rxlifecycle True
com.getbase.floatingactionbutton True
android.support.percent True
android.support.d True
a.a True
com.google.gson True
com.yandex.uikit True
android.support.a True
it.sephiroth.rxbroadcast True
okhttp3 False
butterknife False
android.support.multidex True
com.d.a True
com.f.a True
com.c.a True
com.yandex.metrica True
proguard.annotation False
android.support.c True
com.yandex.datasync True
com.localytics.android False
com.bumptech.glide True
org.parceler True
rx True
okio True
com.google.firebase False
org.onepf.openpush False
com.android.volley True
javax.inject False
dagger True
com.yandex.promolib True
retrofit2 False
com.e.a True
org.greenrobot.eventbus True
com.squareup.okhttp True
icepick False