Info Obfuscated methods

Description

Obfuscation refers to methods to obscure code and make it hard to understand. Compiled Java classes can be decompiled if there is no obfuscation during compilation step.

Adversaries can steal code and repurpose it and sell it in a new application or create a malicious fake application based on the initial one.

Code obfuscation only slows the attacker from reverse engineering but does not make it impossible.

Recommendation

Design the application to add the following protections and slow reverse engineering of the application:

  • Obfuscate Java source code with tools like Proguard or Dexguard
  • buildTypes {
            release {
                minifyEnabled true
                proguardFiles getDefaultProguardFile('proguard-android.txt'),
                'proguard-rules.pro'
            }
        }
  • Verification application signing certificate during runtime by checking context.getPackageManager().signature
  • Check application installer to ensure it matches the Android Market by calling context.getPackageManager().getInstallerPackageName
  • Check running environment at runtime
  • private static String getSystemProperty(String name) throws Exception {
        Class systemPropertyClazz = Class.forName("android.os.SystemProperties");
        return (String) systemPropertyClazz.getMethod("get", new Class[] { String.class }).invoke(systemPropertyClazz, new Object[] { name });
    }
    
    public static boolean checkEmulator() {
    
        try {
            boolean goldfish = getSystemProperty("ro.hardware").contains("goldfish");
            boolean qemu = getSystemProperty("ro.kernel.qemu").length() > 0;
            boolean sdk = getSystemProperty("ro.product.model").equals("sdk");
    
            if (qemu || goldfish || sdk) {
                return true;
            }
    
        } catch (Exception e) {
        }
    
        return false;
      }
  • Check debug flag at runtime
  • context.getApplicationInfo().applicationInfo.flags & ApplicationInfo.FLAG_DEBUGGABLE;

Technical details
PackageObfuscated
androidx.constraintlayout.widget False
com.telemed.ae True
androidx.concurrent.futures False
androidx.fragment False
com.google.gson False
com.nostra13.universalimageloader False
com.bumptech.glide False
androidx.asynclayoutinflater False
androidx.legacy.v4 False
androidx.legacy.widget False
androidx.customview False
androidx.drawerlayout False
com.vidyo.vidyosample False
androidx.recyclerview False
androidx.documentfile False
androidx.slidingpanelayout False
com.iarcuschin.simpleratingbar False
androidx.loader False
com.google.firebase True
androidx.viewpager False
org.androidannotations.annotations False
twitter4j False
androidx.coordinatorlayout False
androidx.vectordrawable False
androidx.legacy.content False
com.gun0912.tedpermission False
com.squareup.picasso False
androidx.versionedparcelable False
androidx.swiperefreshlayout False
droidninja.filepicker False
androidx.media False
oauth.signpost False
com.google.ads True
androidx.legacy.app False
androidx.collection False
androidx.activity False
me.leolin.shortcutbadger False
org.apache.http False
com.mindorks.paracamera False
org.androidannotations.api False
androidx.localbroadcastmanager False
androidx.savedstate False
androidx.constraintlayout.solver False
androidx.cardview False
androidx.legacy.coreutils False
androidx.print False
com.vidyo.LmiDeviceManager False
androidx.lifecycle False
androidx.multidex False
androidx.transition False
androidx.arch.core False
androidx.core False
androidx.appcompat False
androidx.annotation False
androidx.palette False
androidx.legacy.coreui False
androidx.interpolator False
androidx.cursoradapter False