No-Code Mobile App Obfuscation in minutes

This article explains no-code mobile app obfuscation, including step-by-step instructions on how to implement obfuscation in any iOS or Android app in seconds, with no coding required.

About Mobile App Obfuscation

In recent years, decompilers have matured to the point where they can recover source code from mobile apps with ease. Obfuscation has become a well-established preventive measure that developers use against static reverse engineering attempts.

What sets various obfuscation solutions apart is several things:

To understand what TOTALCode™ Obfuscation means, we must understand two things:

The goal of obfuscation in a mobile application is to make the app harder to reverse engineer, understand, model, and derive meaning from the app or code — all without impacting functionality of the application.

What is Code?

Code is any form of information that executes business logic.

So for example, the part of a navigation application that computes the faster route between two points is code. In this example, this is a part of the application that’s inherent to its function. You might say that this is what makes your application stand out among all other applications. And as such, you might want to protect that code.

Another example would be a mobile banking application, where the code is in charge of assembling the correct requests to the bank’s servers to request a list of all transactions.

For different platforms, and in different circumstances, what we just defined as code will be contained in different forms in the application. Mobile app obfuscation helps you keep your code secure and private.

Code location in iOS apps

Code location in Android apps:

What is Mobile app Obfuscation?

Obfuscation is the process of taking code, and transforming it in a way that makes it difficult or infeasible for an attacker to understand, without changing or impacting how the app functions.

Common obfuscation techniques range from things as complex as changing the build tools to emit convoluted machine code to modifying names/labels in the code to make them unintelligible to the human eye.

However, not all forms of mobile app obfuscation are sufficient or even applicable to all types of code.

For example, renaming identifiers and stripping formatting in JavaScript code (a process called minification) is not very effective: the code basically remains a text file, and multiple tools can easily reverse the build and compile process and turn machine code or intermediate/assembly code back into source code.

Encrypting JavaScript/DLL files is a more effective way to obfuscate non-native code. Of course, this requires a mechanism that would still allow encrypted files to function.

Obfuscating Mobile Apps Without Coding

No-code platforms like Appdome enable developers or non-developers to quickly obfuscate native or non-native mobile apps in seconds without touching source code.

  • Binary Code Obfuscation
    Obfuscating mobile apps modifies the application’s binary code to make it unrecognizable to reverse-engineering tools.
  • Flow Relocation
    Modify the application’s compiled code by hiding the logical flow of the code to make reverse engineering an arduous task (without impacting how the app functions).
  • Non-Native Code Obfuscation
    For applications that were developed using a non-native framework such as React Native, Cordova, or Xamarin, you can obfuscate the non-native code. It’s worth noting that obfuscating non-native code is simply not achievable through manual code changes. This makes Appdome the only solution on the market that can obfuscate non-native mobile apps comprehensively and effectively.
  • Strip Debug Information
    Eliminate all descriptive information from the application’s binaries. This information usually includes identifiers (variable and function names) and source code names/line numbers.
    Debug information is often left inside the app after the build process.
  • Encrypt Strings and Resources
    Every application contains (embedded in its code) various string constants such as URLs, tokens, names of files, and so forth. These are a lucrative target for attackers, as they give them a very firm foothold on what a specific piece of code is responsible for, not to mention that some strings are valuable information in their own right (such as authentication tokens).
    Appdome re-locates those strings and additional resources, encrypts them, and makes sure they can only be accessed by the application itself. Naturally, if the application has been tampered with, Appdome will not allow access to those strings, thereby foiling attack attempts.
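
A pre-release check for the string exposure described above, as an added example (not Appdome's code or part of the original article): it walks an APK/IPA-style zip archive and reports URLs and token-like constants that are still readable in plaintext, including inside a minified JavaScript bundle. The regex patterns, function names and the in-memory sample package are assumptions constructed for this illustration.

```python
import io
import re
import zipfile

# Heuristic patterns (assumptions for this example, not an exhaustive rule set).
PATTERNS = {
    "url": re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]{4,}"),
    "bearer_token": re.compile(rb"(?i)bearer\s+[A-Za-z0-9._-]{16,}"),
    "key_assignment": re.compile(rb"(?i)(?:api[_-]?key|secret|token)\W{1,4}[A-Za-z0-9_\-]{16,}"),
}
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")  # same idea as the `strings` utility


def audit_package(data: bytes):
    """Return sorted (entry, kind, text) findings for plaintext strings in an app zip."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for info in pkg.infolist():
            if info.is_dir():
                continue
            blob = pkg.read(info)
            for run in PRINTABLE_RUN.finditer(blob):
                for kind, pattern in PATTERNS.items():
                    for hit in pattern.finditer(run.group()):
                        findings.add((info.filename, kind, hit.group().decode("ascii")))
    return sorted(findings)


def build_sample_package() -> bytes:
    """Constructed sample: a tiny zip shaped like an app package (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        # Native-style binary: string constants sit between non-printable bytes.
        pkg.writestr("lib/arm64-v8a/libapp.so",
                     b"\x7fELF\x00\x01https://api.example.test/v1/transactions\x00\x02\x03")
        # Minified JS bundle: names are mangled, string constants are untouched.
        pkg.writestr("assets/index.android.bundle",
                     b'var a=function(b){return c(b,{apiKey:"EXAMPLEKEY0123456789abcd"})};')
        # Entry holding only opaque bytes, standing in for an encrypted resource.
        pkg.writestr("assets/blob.bin", bytes(range(0, 32)) * 4)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, kind, text in audit_package(build_sample_package()):
        print(f"{entry}: {kind}: {text}")
```

Running the same audit on a build before and after string encryption is applied gives a quick signal of whether the constants listed here are still exposed to static analysis.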

How Do I Learn More?

If you are interested in obfuscating mobile apps, we suggest checking out ONEShield.

We also have a brochure on TOTALCode obfuscation, or you can check out this KB article on no-code mobile app obfuscation.

Originally published at

ALAN BAVOSA is VP of Security Products at Appdome, a no-code mobile app security and development platform.
