Info Obfuscated methods

Description

Obfuscation refers to methods to obscure code and make it hard to understand. Compiled Java classes can be decompiled if there is no obfuscation during compilation step.

Adversaries can steal code and repurpose it and sell it in a new application or create a malicious fake application based on the initial one.

Code obfuscation only slows the attacker from reverse engineering but does not make it impossible.

Recommendation

Design the application to add the following protections and slow reverse engineering of the application:

  • Obfuscate Java source code with tools like Proguard or Dexguard
  • buildTypes {
            release {
                minifyEnabled true
                proguardFiles getDefaultProguardFile('proguard-android.txt'),
                'proguard-rules.pro'
            }
        }
  • Verification application signing certificate during runtime by checking context.getPackageManager().signature
  • Check application installer to ensure it matches the Android Market by calling context.getPackageManager().getInstallerPackageName
  • Check running environment at runtime
  • private static String getSystemProperty(String name) throws Exception {
        Class systemPropertyClazz = Class.forName("android.os.SystemProperties");
        return (String) systemPropertyClazz.getMethod("get", new Class[] { String.class }).invoke(systemPropertyClazz, new Object[] { name });
    }
    
    public static boolean checkEmulator() {
    
        try {
            boolean goldfish = getSystemProperty("ro.hardware").contains("goldfish");
            boolean qemu = getSystemProperty("ro.kernel.qemu").length() > 0;
            boolean sdk = getSystemProperty("ro.product.model").equals("sdk");
    
            if (qemu || goldfish || sdk) {
                return true;
            }
    
        } catch (Exception e) {
        }
    
        return false;
      }
  • Check debug flag at runtime
  • context.getApplicationInfo().applicationInfo.flags & ApplicationInfo.FLAG_DEBUGGABLE;

Technical details
PackageObfuscated
com.horcrux.svg False
com.facebook.imageformat False
com.facebook.imageutils False
com.facebook.systrace False
android.support.v4 False
org.webkit.android_jsc False
com.facebook.quicklog False
ca.jaysoo.extradimensions False
com.facebook.imagepipeline False
com.rnfs False
com.facebook.csslayout False
com.facebook.binaryresource False
javax.inject False
com.google.firebase True
com.imagepicker False
com.corbt.keepawake False
okio False
com.facebook.datasource False
okhttp3 False
com.facebook.soloader False
com.nineoldandroids.util False
com.nineoldandroids.view False
com.samsara.driver False
com.facebook.fbcore False
com.facebook.drawee False
me.leolin.shortcutbadger False
com.facebook.jni False
com.facebook.react False
com.learnium.RNDeviceInfo False
javax.annotation False
bolts False
com.nineoldandroids.animation False
com.crashlytics.android False
android.support.annotation False
com.joshblour.reactnativepermissions False
com.devfd.RNGeocoder False
com.dieam.reactnativepushnotification False
com.smixx.fabric False
com.oblador.vectoricons False
net.no_mad.tts False
com.facebook.perftest False
com.psykar.cookiemanager False