2. What is it? Code obfuscation is the process of making code difficult to understand. It helps in discouraging an unauthorized person from reverse engineering an application to get access to its code without the permission of the author.
3. What it is not? It is not a way to prevent reverse engineering of code.
4. Why should you consider it? It is very easy to view code that is not obfuscated. Nothing stands in between attacker and code.
6. Android app reverse engineering: To view code in an Android app: .apk -> .dex -> .jar -> code. .apk: App package (xml, images… everything); .dex: dalvik executable (code).
7. Android app reverse engineering cont’d: Using Dex2jar + jd-gui. Unzip the .apk file to get .dex. Use Dex2jar to get .jar from .dex file (unzip and use in command line: dex2jar.bat <.dex file>). Use jd-gui to view code from .jar file (unzip and run exe).
10. Android Code Obfuscation: ProGuard. The standard tool recommended by Android; optional but highly recommended. Features: shrinks, optimizes, obfuscates. You get: smaller size .apk file; app difficult to reverse engineer.
11. Android Code Obfuscation cont’d: Integrated into Android build system. Runs only when the app is built in release mode.
12. ProGuard usage: Enable. Make an entry for proguard.config file path in default.properties (relative/absolute). Can move proguard.config and use relative path. In project root directory by default.
13. ProGuard usage cont’d: Building. Build in release mode. Turn off debugging: set android:debuggable="false" in AndroidManifest.xml in application tag. Export apk file (Eclipse): File -> Export -> Export Android Application; select the project to be exported; select a keystore (all fields required); enter key details (first five fields required).
18. ProGuard settings: There are some custom settings available. If a class is only referenced in the Manifest file, ProGuard will not see it; add a keep rule: -keep public class <YourClassName>
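A pre-release check for the three ProGuard slides above (enable, build, settings), added here as an example and not taken from the original deck: it reads the manifest, default.properties and the ProGuard configuration and reports a debuggable build, a missing proguard.config entry, and manifest components without an explicit -keep rule. The function names and sample inputs are constructed for illustration; rules that use extends/implements are skipped because the class hierarchy is not available, so the report is conservative.

```python
import re
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
WILD = {"**": ".*", "*": "[^.]*", "?": "[^.]"}  # ProGuard class-name wildcards

def manifest_info(manifest_xml):
    """Return (debuggable flag, component class names) from a manifest."""
    root = ET.fromstring(manifest_xml)
    pkg, app = root.get("package", ""), root.find("application")
    names = set()
    for node in ([] if app is None else app):
        if node.tag in ("activity", "service", "receiver", "provider"):
            name = node.get(ANDROID + "name", "")
            if "." not in name:  # bare "Foo" means <package>.Foo
                name = "." + name
            names.add(pkg + name if name.startswith(".") else name)
    return app is not None and app.get(ANDROID + "debuggable") == "true", names

def keep_regexes(proguard_cfg):
    """Compile plain '-keep ... class X' patterns (extends/implements skipped)."""
    regexes = []
    for line in proguard_cfg.splitlines():
        m = re.match(r"-keep\s+(?:\w+\s+)*?class\s+([\w.$*?]+)\s*(.*)",
                     line.split("#", 1)[0].strip())
        if m and not re.match(r"(extends|implements)\b", m.group(2)):
            parts = re.findall(r"\*\*|\*|\?|[^*?]+", m.group(1))
            regexes.append(re.compile(
                "".join(WILD.get(p) or re.escape(p) for p in parts) + r"\Z"))
    return regexes

def check_release(manifest_xml, default_properties, proguard_cfg):
    """List findings that would weaken an obfuscated release build."""
    findings = []
    debuggable, classes = manifest_info(manifest_xml)
    if debuggable:
        findings.append("android:debuggable is true")
    if not re.search(r"^\s*proguard\.config\s*=\s*\S", default_properties, re.M):
        findings.append("proguard.config not set in default.properties")
    rules = keep_regexes(proguard_cfg)
    return findings + ["no explicit -keep rule for " + c for c in sorted(classes)
                       if not any(r.match(c) for r in rules)]

# Constructed sample inputs (not from the slides).
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app"><application android:debuggable="true">
  <activity android:name=".MainActivity"/><service android:name="SyncService"/>
</application></manifest>"""
PROPS, CFG = "target=android-10\n", "-keep public class com.example.app.MainActivity\n"
```

Calling check_release(MANIFEST, PROPS, CFG) on the constructed inputs returns one finding per problem; an empty list means all three checks passed.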
19. WP7 reverse engineering: To view code in a WP7 app: .xap -> .dll -> code. .xap: App package (images… everything); .dll: windows dll.
20. WP7 reverse engineering cont’d: Using JustDecompile (telerik) – Free. Shows each property and method separately. Class only shows method signatures. Just fire up and open dll.
23. WP7 reverse engineering cont’d: Using dotPeek (JetBrains) – Free. Was still in beta till recently. Just unzip the tool, like Eclipse. Opens up entire class, not separate entries for methods and properties.
26. WP7 reverse engineering cont’d: Other tools: .Net Reflector (redgate) – Paid. Used to be free but not anymore.
27. WP7 Code Obfuscation: Dotfuscator (Preemptive Solutions). The standard tool recommended by Microsoft. Obfuscation features: renaming, control flow, string encryption. Not just an obfuscation tool, does instrumentation too: lets you view how your app is being used.
28. Dotfuscator usage: Download the installer. Requires registration. Will ask you to enter unique company name; suggests use your name if you have no company. URL: http://www.preemptive.com/windowsphone7.html
29. Dotfuscator usage cont’d: Fire up Dotfuscator exe. File -> New Project. Open .xap file to obfuscate: add new input file (folder icon); select the .xap to obfuscate. Package artifacts will not be obfuscated.