Code Obfuscation for Android & WP7


Code Obfuscation slide deck from 9/1/2011 Mobile St. Cloud meeting.

Published in: Technology

  1. Code Obfuscation
     • Android and Windows Phone 7
     • Mobile St. Cloud
  2. What is it?
     • Code obfuscation is the process of making code difficult to understand. It helps in discouraging an unauthorized person from reverse engineering an application to get access to its code without the permission of the author.
  3. What it is not?
     • It is not a way to prevent reverse engineering of code
  4. Why should you consider it?
     • It is very easy to view code that is not obfuscated
     • Nothing stands in between attacker and code
  5. Talk layout
     • Android
     • Reverse engineering
     • Obfuscation
     • Inspect obfuscated code
     • Windows Phone 7
     • Reverse engineering
     • Obfuscation
     • Inspect obfuscated code
  6. Android app reverse engineering
     • To view code in an Android app
     • .apk -> .dex -> .jar -> code
     • .apk: App package (xml, images… everything)
     • .dex: dalvik executable (code)
  7. Android app reverse engineering cont’d
     • Using Dex2jar + jd-gui
     • Unzip the .apk file to get .dex
     • Use Dex2jar to get .jar from .dex file
     • Unzip and use in command line
     • dex2jar.bat <.dex file>
     • Use jd-gui to view code from .jar file
     • Unzip and run exe
  8. Android app reverse engineering cont’d
  9. Dex2Jar + jd-gui Example
  10. Android Code Obfuscation
     • ProGuard
     • The standard tool recommended by Android
     • Optional but highly recommended
     • Features
     • Shrinks
     • Optimizes
     • Obfuscates
     • You get
     • Smaller size .apk file
     • App difficult to reverse engineer
  11. Android Code Obfuscation cont’d
     • Integrated into Android build system
     • Runs only when the app is built in release mode
  12. ProGuard usage
     • Enable
     • Make an entry for proguard.config file path in
     • relative/absolute
     • Can move proguard.config and use relative path
     • In project root directory by default
  13. ProGuard usage cont’d
     • Building
     • Build in release mode
     • Turn off debugging. Set android:debuggable="false" in AndroidManifest.xml in application tag
     • Export apk file (Eclipse)
     • File -> Export -> Export Android Application
     • Select the project to be exported
     • Select a keystore
     • All fields required
     • Enter key details
     • First five fields required
  14. ProGuard usage cont’d
  15. ProGuard usage cont’d
  16. ProGuard obfuscation example
  17. Inspect ProGuard obfuscation
     • Verify promised features of ProGuard
     • Size
     • Optimization
     • Obfuscation
  18. ProGuard settings
     • There are some custom settings available
     • If a class is only referenced in the Manifest file, ProGuard will not see it
     • -keep public class <YourClassName>
  19. WP7 reverse engineering
     • To view code in a WP7 app
     • .xap -> .dll -> code
     • .xap: App package (images… everything)
     • .dll: windows dll
  20. WP7 reverse engineering cont’d
     • Using JustDecompile (telerik) – Free
     • Shows each property and method separately
     • Class only shows method signatures
     • Just fire up and open dll
  21. WP7 reverse engineering cont’d
  22. JustDecompile example
  23. WP7 reverse engineering cont’d
     • Using dotPeek (JetBrains) – Free
     • Was still in beta till recently
     • Just unzip the tool, like Eclipse
     • Opens up entire class, not separate entries for methods and properties
  24. WP7 reverse engineering cont’d
  25. dotPeek example
  26. WP7 reverse engineering cont’d
     • Other tools
     • .Net Reflector (redgate) – Paid
     • Used to be free but not anymore
  27. WP7 Code Obfuscation
     • Dotfuscator (Preemptive Solutions)
     • The standard tool recommended by Microsoft
     • Obfuscation features
     • Renaming
     • Control flow
     • String encryption
     • Not just an obfuscation tool, does instrumentation too
     • Lets you view how your app is being used
  28. Dotfuscator usage
     • Download the installer
     • Requires registration
     • Will ask you to enter unique company name
     • Suggests use your name if you have no company
     • URL
  29. Dotfuscator usage cont’d
     • Fire up Dotfuscator exe
     • File -> New Project
     • Open .xap file to obfuscate
     • Add new input file (folder icon)
     • Select the .xap to obfuscate
     • Package artifacts will not be obfuscated
  30. Dotfuscator obfuscation example
  31. Thank you
     • Me
     • Osman Syed Meer
     • LinkedIn
     • Twitter (osmanmeer)
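
One way to carry out the checks from the "Inspect ProGuard obfuscation" and "ProGuard settings" slides, as an added example that is not part of the original deck: it compares the classes named in AndroidManifest.xml with the class renames recorded in the mapping.txt file ProGuard writes for a release build, and suggests `-keep` rules for any manifest class that was renamed. The use of mapping.txt, the sample app `com.example.notes` and all function names are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("application", "activity", "service", "receiver", "provider")
# Constructed sample inputs for a hypothetical app, com.example.notes.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <application android:name=".NotesApp">
    <activity android:name=".MainActivity"/>
    <service android:name="com.example.notes.sync.SyncService"/>
  </application>
</manifest>"""
SAMPLE_MAPPING = """\
com.example.notes.NotesApp -> com.example.notes.NotesApp:
com.example.notes.MainActivity -> com.example.notes.MainActivity:
    void onCreate(android.os.Bundle) -> onCreate
com.example.notes.sync.SyncService -> com.example.notes.a.a:
com.example.notes.util.Crypto -> com.example.notes.b:
"""

def manifest_classes(manifest_xml):
    """Fully qualified names of classes the manifest references via android:name."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for elem in root.iter():
        name = elem.get(ANDROID_NS + "name")
        if elem.tag in COMPONENT_TAGS and name:
            if "." not in name:  # bare name such as "MainActivity"
                name = "." + name
            names.add((root.get("package", "") + name) if name.startswith(".") else name)
    return names

def class_mapping(mapping_text):
    """Parse class lines ('original -> obfuscated:'); indented member lines are skipped."""
    mapping = {}
    for line in map(str.rstrip, mapping_text.splitlines()):
        if not line[:1].isspace() and " -> " in line and line.endswith(":"):
            original, obfuscated = line[:-1].split(" -> ", 1)
            mapping[original] = obfuscated
    return mapping

def audit(manifest_xml, mapping_text):
    """Return (renamed manifest classes, suggested -keep rules, share of classes renamed)."""
    mapping = class_mapping(mapping_text)
    broken = sorted(c for c in manifest_classes(manifest_xml) if mapping.get(c, c) != c)
    rules = ["-keep public class " + c for c in broken]
    renamed = sum(1 for original, new in mapping.items() if original != new)
    return broken, rules, (renamed / len(mapping) if mapping else 0.0)
```

A non-empty first result means the release build renamed a class the manifest still refers to by its original name; the third result gives a rough measure of how much of the code was actually renamed.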