No-Code Mobile App Obfuscation in minutes

This article provides detailed information on no-code mobile app obfuscation, including detailed step-by-step instructions on how to implement obfuscation in any iOS or Android app in seconds — no coding required.

About Mobile App Obfuscation

In recent years, decompilers have reached a maturity level that allows recovering source code back from mobile apps with ease. Obfuscation has become a well established preventive measure developers use against static reverse engineering attempts.

  1. Performance
    Some obfuscation methods incur a performance penalty, while others do not impact performance at all.
  2. Reference threat level
    Since eventually all defenses can be broken, one of the key things that differentiates obfuscation solutions is the amount of work, expertise, and time expected to break the defense.
  1. What is obfuscation?

What is Code?

Code is any form of information that executes business logic.

  1. For hybrid apps such as Cordova or React Native apps, ‘code’ is in the form of Javascript, CSS, or HTML5 and usually is stored inside the app
  2. In Xamarin apps, which are written in C#, code is located in DLL files
  1. Native code (C/C++)
  2. Javascript code
  3. DLL files for Xamarin Android apps (C#)

What is Mobile app Obfuscation?

Obfuscation is the process of taking code, and transforming it in a way that makes it difficult or infeasible for an attacker to understand, without changing or impacting how the app functions.

Obfuscating Mobile Apps using without coding

No-code platforms like Appdome enables developers or non-developers to quickly obfuscate native or non-native mobile apps in seconds without touching source code.

  • Flow Relocation
    Modify the application’s compiled code by hiding the logical flow of the code to make reverse engineering an arduous task (without impacting how the app functions).
  • Non-Native Code Obfuscation
    For applications that were developed using a non-native framework such as React-Native, Cordova, or Xamarin, you can obfuscate the non-native code. It’s worth noting that obfuscating non-native code is simply not achievable through manual code changes. This makes appdome the only solution on the market that can obfuscate non-native mobile apps comprehensively and effectively.
  • Strip Debug Information
    Eliminate all descriptive information from the application’s binaries. This information usually includes identifiers (variable and function names) and source code names/line numbers.
    Debug information is often left inside the app after the build process.
  • Encrypt Strings and Resources
    Every application contains (embedded in its code) various string constants such as URLs, tokens, names of files, and so forth. These are a lucrative target for attackers as it gives them a very firm foot-hold on what a specific piece of code is responsible for, not to mention that some strings are valuable information in the own right (such as authentication tokens).
    Appdome re-locates those strings and additional resources, encrypts them, and makes sure they can only be accessed by the application itself. Naturally, if the application has been tampered with, Appdome will not allow access to those strings, thereby foiling attack attempts.

How Do I Learn More?

If you are interested in obfuscating mobile apps, we suggest checking out ONEShield.

ALAN BAVOSA is VP of Security Products at Appdome, a no-code mobile app security and development platform.