Code Obfuscation slide deck from 9/1/2011 Mobile St. Cloud meeting.
Citation preview
1. Code ObfuscationAndroid and Windows Phone 7
Mobile St. Cloud
2. What is it?
Code obfuscation is the process of making code difficult to
understand. It helps in discouraging an unauthorized person
fromreverse engineering an application to get access to its code
without the permission of the author.
3. What it is not?
It is not a way to prevent reverse engineering of code
4. Why should you consider it?
It is very easy to view code that is not obfuscated
Nothing stands in between attacker and code
6. Android app reverse engineering
To view code in an Android app
.apk-> .dex-> .jar -> code
.apk: App package (xml, images everything)
.dex: dalvik executable (code)
7. Android app reverse engineering contd
Using Dex2jar + jd-gui
Unzip the .apk file to get .dex
Use Dex2jar to get .jar from .dexfile
Unzip and use in command line
dex2jar.bat
Use jd-guito view code from .jar file
Unzip and run exe
8. Android app reverse engineering contd
9. Dex2Jar +jd-gui Example
10. Android Code Obfuscation
ProGuard
The standard tool recommended by Android
Optional but highly recommended
Features
Shrinks
Optimizes
Obfuscates
You get
Smaller size .apk file
App difficult to reverse engineer
11. Android Code Obfuscation contd
Integrated into Android build system
Runs only when the app is built in release mode
12. ProGuard usage
Enable
Make an entry for proguard.config file path in
default.properties
relative/absolute
Can move proguard.config and use relative path
In project root directoryby default
13. ProGuard usage contd
Building
Build in release mode
Turn off debugging. Set android:debuggable=false in
AndroidManifest.xml in application tag
Export apkfile (Eclipse)
File -> Export -> Export Android Application
Select the project to be exported
Select a keystore
All fields required
Enter key details
First five fields required
14. ProGuard usage contd
15. ProGuardusage contd
16. ProGuard obfuscation example
17. Inspect ProGuard obfuscation
Verify promised features of ProGuard
Size
Optimization
Obfuscation
18. ProGuard settings
There are some custom settings available
If a class is only referenced in the Manifest file, ProGuard will
not see it
keep public class
19. WP7 reverse engineering
To view code in a WP7 app
xap -> .dll -> code
.xap: App package (images everything)
.dll: windows dll
20. WP7 reverse engineering contd
Using JustDecompile (telerik) Free
Shows each property and method separately
Class only shows method signatures
Just fire up and open dll
21. WP7 reverse engineering contd
22. JustDecompile example
23. WP7 reverse engineering contd
Using dotPeek (JetBrains) Free
Was still in beta till recently
Just unzip the tool, like Eclipse
Opens up entire class, not separate entries for methods and
properties
24. WP7 reverse engineering contd
25. dotPeek example
26. WP7 reverse engineering contd
Other tools
.Net Reflector (redgate) Paid
Used to be free but not anymore
27. WP7 Code Obfuscation
Dotfuscator (Preemptive Solutions)
The standard tool recommended by Microsoft
Obfuscation features
Renaming
Control flow
String encryption
Not just an obfuscation tool, does instrumentation too
Lets you view how your app is being used
28. Dotfuscator usage
Download the installer
Requires registration
Will ask you to enter unique company name
Suggests use your name if you have no company
URL
http://www.preemptive.com/windowsphone7.html
29. Dotfuscator usage contd
Fire up Dotfuscator exe
File -> New Project
Open .xap file to obfuscate
Add new input file (folder icon)
Select the .xap to obfuscate
Package artifacts will not be obfuscated
30. Dotfuscator obfuscation example
31. Thank you
Me
Osman Syed Meer
Linked in
Twitter (osmanmeer)