Code Obfuscation for Android & WP7
Uploaded by jeff-bollinger
Category: Technology
Code Obfuscation slide deck from 9/1/2011 Mobile St. Cloud meeting.
Transcript of Code Obfuscation for Android & WP7
- 1. Code Obfuscation: Android and Windows Phone 7
Mobile St. Cloud
- 2. What is it?
Code obfuscation is the process of making code difficult to understand. It helps discourage an unauthorized person from reverse engineering an application to get access to its code without the permission of the author.
- 3. What it is not?
It is not a way to prevent reverse engineering of code
- 4. Why should you consider it?
It is very easy to view code that is not obfuscated
Nothing stands in between attacker and code
- 5. Talk layout
Android
Reverse engineering
obfuscation
Inspect obfuscated code
Windows Phone 7
Reverse engineering
obfuscation
Inspect obfuscated code
- 6. Android app reverse engineering
To view code in an Android app
.apk -> .dex -> .jar -> code
.apk: App package (XML, images, everything)
.dex: Dalvik executable (code)
- 7. Android app reverse engineering contd
Using Dex2jar + jd-gui
Unzip the .apk file to get .dex
Use Dex2jar to get .jar from .dex file
Unzip and use in command line
dex2jar.bat
Use jd-gui to view code from .jar file
Unzip and run exe
- 8. Android app reverse engineering contd
- 9. Dex2Jar + jd-gui Example
- 10. Android Code Obfuscation
ProGuard
The standard tool recommended by Android
Optional but highly recommended
Features
Shrinks
Optimizes
Obfuscates
You get
Smaller size .apk file
App difficult to reverse engineer
- 11. Android Code Obfuscation contd
Integrated into Android build system
Runs only when the app is built in release mode
- 12. ProGuard usage
Enable
Make an entry for proguard.config file path in default.properties
relative/absolute
Can move proguard.config and use relative path
In project root directory by default
- 13. ProGuard usage contd
Building
Build in release mode
Turn off debugging. Set android:debuggable=false in AndroidManifest.xml in application tag
Export apk file (Eclipse)
File -> Export -> Export Android Application
Select the project to be exported
Select a keystore
All fields required
Enter key details
First five fields required
- 14. ProGuard usage contd
- 15. ProGuard usage contd
- 16. ProGuard obfuscation example
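An added example, not from the slide deck: a Python check of the results promised for ProGuard above (smaller package, renamed classes) that compares the class listing of a debug-build .jar with a release-build .jar, such as the ones Dex2jar produces. The in-memory sample jars, the `com.example.app` names and the two-character rename heuristic are assumptions.

```python
import io
import zipfile

def class_names(jar_bytes):
    """Fully qualified class names stored in a .jar (a zip of .class files)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return sorted(n[:-len(".class")].replace("/", ".")
                      for n in jar.namelist() if n.endswith(".class"))

def compare(before, after, keep=()):
    """Report size, shrinking and renaming between a debug and a release jar."""
    old, new = class_names(before), class_names(after)
    return {
        "size_before": len(before),
        "size_after": len(after),
        "classes_before": len(old),
        "classes_after": len(new),
        # Names readable in both builds: these classes were not renamed.
        "original_names_left": sorted(set(old) & set(new)),
        # Heuristic: a one or two character simple name suggests renaming.
        "short_names": [n for n in new if len(n.rsplit(".", 1)[-1]) <= 2],
        # Classes that must keep their name (e.g. named in the manifest)
        # but are absent from the release jar: a missing keep rule.
        "missing_kept": sorted(set(keep) - set(new)),
    }

def make_jar(names):
    """Build a constructed sample jar in memory (placeholder class bodies)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        for name in names:
            jar.writestr(name, b"\xca\xfe\xba\xbe" + b"\x00" * 200)
    return buf.getvalue()

def demo():
    # Constructed sample data; package and class names are hypothetical.
    debug = make_jar(["com/example/app/MainActivity.class",
                      "com/example/app/LoginHelper.class",
                      "com/example/app/UnusedUtil.class"])
    release = make_jar(["com/example/app/MainActivity.class",
                        "com/example/app/a.class"])
    return compare(debug, release, keep=["com.example.app.MainActivity"])

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A non-empty `missing_kept` list means a class that has to keep its name was removed or renamed in the release build.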
- 17. Inspect ProGuard obfuscation
Verify promised features of ProGuard
Size
Optimization
Obfuscation
- 18. ProGuard settings
There are some custom settings available
If a class is only referenced in the Manifest file, ProGuard will not see it
keep public class
- 19. WP7 reverse engineering
To view code in a WP7 app
.xap -> .dll -> code
.xap: App package (images, everything)
.dll: Windows DLL
- 20. WP7 reverse engineering contd
Using JustDecompile (Telerik) Free
Shows each property and method separately
Class only shows method signatures
Just fire up and open dll
- 21. WP7 reverse engineering contd
- 22. JustDecompile example
- 23. WP7 reverse engineering contd
Using dotPeek (JetBrains) Free
Was still in beta till recently
Just unzip the tool, like Eclipse
Opens up entire class, not separate entries for methods and properties
- 24. WP7 reverse engineering contd
- 25. dotPeek example
- 26. WP7 reverse engineering contd
Other tools
.NET Reflector (Redgate) Paid
Used to be free but not anymore
- 27. WP7 Code Obfuscation
Dotfuscator (Preemptive Solutions)
The standard tool recommended by Microsoft
Obfuscation features
Renaming
Control flow
String encryption
Not just an obfuscation tool, does instrumentation too
Lets you view how your app is being used
- 28. Dotfuscator usage
Download the installer
Requires registration
Will ask you to enter a unique company name
Suggests using your name if you have no company
URL
http://www.preemptive.com/windowsphone7.html
- 29. Dotfuscator usage contd
Fire up Dotfuscator exe
File -> New Project
Open .xap file to obfuscate
Add new input file (folder icon)
Select the .xap to obfuscate
Package artifacts will not be obfuscated
- 30. Dotfuscator obfuscation example
- 31. Thank you
Me
Osman Syed Meer
LinkedIn
Twitter (osmanmeer)