1. Code ObfuscationAndroid and Windows Phone 7
Mobile St. Cloud

2. What is it?
Code obfuscation is the process of making code difficult to understand. It helps in discouraging an unauthorized person fromreverse engineering an application to get access to its code without the permission of the author.

3. What it is not?
It is not a way to prevent reverse engineering of code

4. Why should you consider it?
It is very easy to view code that is not obfuscated
Nothing stands in between attacker and code

5. Talk layout
Android
Reverse engineering
obfuscation
Inspect obfuscated code
Windows Phone 7
Reverse engineering
obfuscation
Inspect obfuscated code

6. Android app reverse engineering
To view code in an Android app
.apk-> .dex-> .jar -> code
.apk: App package (xml, images everything)
.dex: dalvik executable (code)

7. Android app reverse engineering contd
Using Dex2jar + jd-gui
Unzip the .apk file to get .dex
Use Dex2jar to get .jar from .dexfile
Unzip and use in command line
dex2jar.bat
Use jd-guito view code from .jar file
Unzip and run exe

8. Android app reverse engineering contd

9. Dex2Jar +jd-gui Example

10. Android Code Obfuscation
ProGuard
The standard tool recommended by Android
Optional but highly recommended
Features
Shrinks
Optimizes
Obfuscates
You get
Smaller size .apk file
App difficult to reverse engineer

11. Android Code Obfuscation contd
Integrated into Android build system
Runs only when the app is built in release mode

12. ProGuard usage
Enable
Make an entry for proguard.config file path in default.properties
relative/absolute
Can move proguard.config and use relative path
In project root directoryby default

13. ProGuard usage contd
Building
Build in release mode
Turn off debugging. Set android:debuggable=false in AndroidManifest.xml in application tag
Export apkfile (Eclipse)
File -> Export -> Export Android Application
Select the project to be exported
Select a keystore
All fields required
Enter key details
First five fields required

14. ProGuard usage contd

15. ProGuardusage contd

16. ProGuard obfuscation example

17. Inspect ProGuard obfuscation
Verify promised features of ProGuard
Size
Optimization
Obfuscation

18. ProGuard settings
There are some custom settings available
If a class is only referenced in the Manifest file, ProGuard will not see it
keep public class

19. WP7 reverse engineering
To view code in a WP7 app
xap -> .dll -> code
.xap: App package (images everything)
.dll: windows dll

20. WP7 reverse engineering contd
Using JustDecompile (telerik) Free
Shows each property and method separately
Class only shows method signatures
Just fire up and open dll

21. WP7 reverse engineering contd

22. JustDecompile example

23. WP7 reverse engineering contd
Using dotPeek (JetBrains) Free
Was still in beta till recently
Just unzip the tool, like Eclipse
Opens up entire class, not separate entries for methods and properties

24. WP7 reverse engineering contd

25. dotPeek example

26. WP7 reverse engineering contd
Other tools
.Net Reflector (redgate) Paid
Used to be free but not anymore

27. WP7 Code Obfuscation
Dotfuscator (Preemptive Solutions)
The standard tool recommended by Microsoft
Obfuscation features
Renaming
Control flow
String encryption
Not just an obfuscation tool, does instrumentation too
Lets you view how your app is being used

28. Dotfuscator usage
Download the installer
Requires registration
Will ask you to enter unique company name
Suggests use your name if you have no company
URL
http://www.preemptive.com/windowsphone7.html

29. Dotfuscator usage contd
Fire up Dotfuscator exe
File -> New Project
Open .xap file to obfuscate
Add new input file (folder icon)
Select the .xap to obfuscate
Package artifacts will not be obfuscated

30. Dotfuscator obfuscation example

31. Thank you
Me
Osman Syed Meer
Linked in
Twitter (osmanmeer)