Importance of Code Obfuscation


One of the most frustrating aspects of working as a developer is spending a whole day debugging code—but you soon learn that this is just part of the job. And after all the effort of building, debugging, and deploying your application, the last thing you want is for someone else to capture and reuse all that effort. Thankfully, a common coding practice called code obfuscation can help protect your work. In this article, I will walk you through the basics of code obfuscation.

What is source code obfuscation?

Code obfuscation is the act of deliberately obscuring source code, making it very difficult for humans to understand, and making it useless to hackers who may have ulterior motives. It may also be used to deter the reverse-engineering of software.

Essentially, obfuscation completely alters the source code; nonetheless, it remains functionally equivalent to the original code.

Obfuscation is NOT the same as encryption. The purpose of encryption is to transform data in order to keep it secret from others. The purpose of obfuscation is to make it difficult for humans to understand the data. Encrypted code always needs to be decrypted before execution, while obfuscation does not require that code undergo de-obfuscation to execute it.

How obfuscation works

Code obfuscation consists of several different techniques, each building on top of the other, thus rendering the code unintelligible. Following are a few of the obfuscation techniques that are used.

  1. Rename Obfuscation: Renaming modifies the variable and method names, making the code difficult for a human to understand while maintaining the program's execution behavior. This basic technique is most commonly used by Android, Java and iOS obfuscators.
  2. String Encryption: While the renaming technique simply alters the variable and method names, string encryption intends to encrypt all the strings that are clearly readable. (You should take note that with this technique, decrypting strings at runtime may incur a minor runtime performance penalty.)
  3. Dummy Code Insertion: This technique inserts extra code into the executable, which makes reverse-engineered code very difficult to analyze. However, the insertions do not affect the logic and/or execution of the program.

Before Obfuscation:


function sayHello(){
	console.log("Hello World");
}

sayHello();

After Obfuscation:


var _0x12b3=["\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64","\x6C\x6F\x67"];
function sayHello(){console[_0x12b3[1]](_0x12b3[0])}sayHello()

Why use a code obfuscator?

1. Once you develop an Android app (or any app for that matter), you should aim to make it much more difficult for attackers to review the code and analyze the application.

2. It’s essential to hide business logic and code to make it harder for attackers to gain access and start debugging and tampering with your app. (They often repackage an application with malicious code.)

3. Code obfuscation can drastically reduce file size and, with it, download times. (Consider JavaScript as an example.)

4. People are making careers out of reverse engineering, so you want to make their work as difficult as possible in order to deter them.

5. A company developing applications for clients may not want their clients to be able to read them.

Drawbacks of using an obfuscator

1. In some cases, antivirus software such as AVG AntiVirus will alert you when you visit a site that has been obfuscated (as one of the purposes of obfuscation is to hide malicious code). Even where the obfuscation has been carried out for security reasons, such alerts may deter users from using or visiting the site.

2. Some of the techniques may negatively affect the performance of algorithms.

The following are some of the tools you can use:

  1. .NET: Dotfuscator, ILProtector
  2. JavaScript: Javascript Obfuscator, Jscrambler
  3. Android: ProGuard
Final thoughts

Although obfuscation can make reading and reverse-engineering a program difficult and time-consuming, it doesn’t make it impossible. It’s important to keep in mind that while code obfuscation does a good job of obscuring source code, there’s no obfuscator that guarantees maximum security. Therefore, in cases where security is of high importance, you’ll want to use other measures, including various encryption schemes.
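To make the "difficult, not impossible" point concrete, the following added example (not code from the original article) takes the "After Obfuscation" sample above, inlines its string table back into readable code, and confirms that both versions log the same output. The function names `deobfuscateStringArray` and `capturedOutput` are hypothetical helpers written for this illustration.

```javascript
// Added example (not from the article): reverse the string-array obfuscation
// used in the article's "After Obfuscation" sample, embedded here as text.
const obfuscated = String.raw`var _0x12b3=["\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64","\x6C\x6F\x67"];
function sayHello(){console[_0x12b3[1]](_0x12b3[0])}sayHello()`;

// Decode \xNN escapes found inside a quoted string literal.
function decodeHexEscapes(body) {
  return body.replace(/\\x([0-9A-Fa-f]{2})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Hypothetical helper: inline the string table back into the code.
// Handles only this pattern: one `var _0x...=["..",".."]` table of
// double-quoted strings, indexed with numeric literals.
function deobfuscateStringArray(src) {
  const decl = /var\s+(_0x[0-9a-f]+)\s*=\s*\[([^\]]*)\];?\s*/i.exec(src);
  if (!decl) return src; // pattern not present: leave the source untouched
  const [whole, name, items] = decl;
  const table = [...items.matchAll(/"((?:[^"\\]|\\.)*)"/g)]
    .map((m) => decodeHexEscapes(m[1]));
  const lookup = new RegExp(name + "\\[(\\d+)\\]", "g");
  return src.replace(whole, "").replace(lookup, (match, i) =>
    Number(i) < table.length ? JSON.stringify(table[Number(i)]) : match);
}

// Run a snippet with a stub console and return what it logged. This is NOT a
// sandbox: only use it on code you trust, such as the article's sample.
function capturedOutput(src) {
  const lines = [];
  const stubConsole = { log: (...args) => lines.push(args.join(" ")) };
  new Function("console", src)(stubConsole);
  return lines;
}

const readable = deobfuscateStringArray(obfuscated);
console.log(readable);
console.log(capturedOutput(obfuscated), capturedOutput(readable));
```

A few dozen lines of pattern matching are enough to undo this layer, which is why secrets such as API keys or credentials should never ship in client-side code, obfuscated or not.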


Frederick Plange is a computer science major at Ashesi University, one of the top universities in Ghana aiming to develop ethical and entrepreneurial leaders to transform the nation. Frederick is a focused and goal-driven individual who is passionate about technology and computers.

