Info Obfuscated methods

Description

Obfuscation refers to methods that obscure code and make it hard to understand. Compiled Java classes can be readily decompiled if no obfuscation is applied during the compilation step.

Adversaries can steal the code, repurpose it and sell it in a new application, or create a malicious fake application based on the original one.

Code obfuscation only slows an attacker's reverse engineering; it does not make it impossible.

Recommendation

Design the application to add the following protections and slow reverse engineering of the application:

  • Obfuscate Java source code with tools like ProGuard or DexGuard
    buildTypes {
        release {
            // Enable code shrinking and obfuscation for release builds
            minifyEnabled true
            proguardFiles getDefaultProguardFile('proguard-android.txt'),
                    'proguard-rules.pro'
        }
    }
  • Verify the application signing certificate at runtime by checking context.getPackageManager().getPackageInfo(context.getPackageName(), PackageManager.GET_SIGNATURES).signatures
  • Check the application installer to ensure it matches the Android Market by calling context.getPackageManager().getInstallerPackageName
  • Check the running environment at runtime
    // Reads an Android system property through the hidden
    // android.os.SystemProperties class, using reflection.
    private static String getSystemProperty(String name) throws Exception {
        Class<?> systemPropertyClazz = Class.forName("android.os.SystemProperties");
        // SystemProperties.get(String) is static, so no receiver object is needed.
        return (String) systemPropertyClazz.getMethod("get", String.class).invoke(null, name);
    }

    // Returns true when properties typical of the Android emulator are present.
    public static boolean checkEmulator() {
        try {
            boolean goldfish = getSystemProperty("ro.hardware").contains("goldfish");
            boolean qemu = getSystemProperty("ro.kernel.qemu").length() > 0;
            boolean sdk = getSystemProperty("ro.product.model").equals("sdk");
            return qemu || goldfish || sdk;
        } catch (Exception e) {
            // Property lookup failed: report "not an emulator".
            return false;
        }
    }
  • Check the debug flag at runtime
    // Non-zero when the application was built with android:debuggable="true"
    boolean debuggable = (context.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;

Technical details
Package Obfuscated
md59628c2715c1bb8febcc7ae8402df0582 False
com.google.firebase True
md5cb1a4bab49bfe17ad6c0290694c1d310 False
com.widia.pilot False
android.support.coordinatorlayout False
androidx.core.internal False
com.microsoft.appcenter False
md5d630c3d3bfb5f5558520331566132d97 False
md5adcd58131f4046b9abfeb77bd8cc5019 False
md58bd1a5e5e9762fb4364e956b467b4e35 False
md5d06a077489831141efe6f537ac3ef2f5 False
md53f26ec1f22d86e71cc5c7f6923b8530e False
md55d5f1a659e310de15e51a6eae920abe8 False
android.arch.lifecycle False
android.support.annotation False
md5dab4f5c7853fd57f3a9c9a523364ac69 False
android.support.compat False
ffimageloading.views False
androidx.browser.browseractions False
md583c97a0310bc1a6b1fc391803d3b5925 False
android.support.customtabs False
md58432a647068b097f9637064b8985a5e0 False
android.arch.core False
md5fe65febf89776778e11eb956fbef4609 False
androidx.media False
md5a0a6d252fe95a949244d2744b3db206e False
com.xamarin.java_interop False
android.support.multidex False
md5d2d1c27b7e82b503e69475f4fa714d3c False
md508a116ab629a9168c5f121b9962d8ce6 False
android.support.mediacompat False
com.xamarin.formsviewgroup False
com.adobe.mobile False
android.support.transition False
androidx.versionedparcelable False
android.runtime False
md55759adc3208eb42caa6ddcbd3000b15e False
opentk False
md513d0258903c37fed2a3d17a14e8551a2 False
md5fa87df49043cf91ffbf0bf4770f2dd14 False
md51558244f76c53b6aeda52c8a337f2c37 False
md5bb098716dd46c8e113564e6b42b7cde9 False
md513074be467e0034b6ca192c1689af813 False
android.app False
ffimageloading.cross False
md5f92e0daf340890c9667469657ee2ece8 False
md507f625f62cafec6e81efe0279defe3bb False
mono False
android.support.design False
md5a6658cc80412052419c4eb885cdcba93 False