Mobile Application Obfuscation

From Embedded Lab Vienna for IoT & Security

Summary

This article explores the obfuscation of mobile applications from the angle of reverse-engineering protection. It introduces three tools that are commonly used to obfuscate Android applications, compares them with each other, and thereby highlights their strengths and weaknesses. By analyzing the behavior of these tools across different applications, this article provides insight into how to balance the usability and efficiency of applications while trying to enhance their security.

Introduction to Mobile App Obfuscation

Mobile app obfuscation is a technique used to protect the source code of applications from reverse engineering. By transforming code into a form that is harder for attackers to understand, obfuscation helps to protect intellectual property and sensitive data. This is particularly important in the Android development environment, since the APK format makes applications much easier to decompile using tools like Jadx. With the growing threat of cybercrime, code obfuscation is becoming an essential aspect of defense, complementing encryption and secure coding practices.

Mobile Obfuscation Tools

Tools play an important role in mobile application obfuscation by automating the transformation of code into a more secure and less comprehensible form. These tools help developers to protect their applications against reverse engineering without compromising the functionality of the application. By offering several different obfuscation techniques, such as identifier renaming, string encryption, and control-flow obfuscation, these tools increase the overall security of mobile applications.

  • R8: R8 is Google's official tool for code obfuscation in Android applications. It is directly integrated into Android Studio and focuses on optimizing application size and performance while adding minor obfuscation layers. Specifically, R8 offers weak obfuscation methods such as identifier renaming and code minification, which change variable, method, and class names and remove non-functional parts of the code (comments, etc.) while keeping its functionality intact. This complicates static analysis, but offers no protection against dynamic analysis and reverse engineering at the app's runtime. However, its effortless integration with the Android development ecosystem still makes it a very popular choice for developers.
  • DashO: DashO is a commercial obfuscation tool. It offers advanced obfuscation techniques such as string encryption and additional anti-tampering mechanisms that protect the application from unauthorized changes. A license for DashO can be obtained at a starting price of $50 per month. DashO offers no default Android Studio integration, but it can be added to Android Studio builds by modifying the build scripts.
  • Allatori: Allatori is another commercial tool that focuses on Java bytecode obfuscation and can also be used to obfuscate Android applications. It supports several advanced obfuscation strategies and, like DashO, can be integrated into the Android Studio development process. A license for Allatori costs $290 as a one-time purchase.
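As an added illustration (not code from the original article or from any of the projects it tests), the following Gradle configuration shows how R8's minification and identifier renaming are switched on for a release build, with the debug build left unobfuscated for comparison; the file path and build type names follow the standard Android project layout.

```groovy
// app/build.gradle (Groovy DSL) - added example, not the article's own code.
android {
    buildTypes {
        debug {
            // Weak setting: no shrinking or renaming, so the APK decompiles
            // with the original class, method and field names intact.
            minifyEnabled false
        }
        release {
            // R8 runs when minifyEnabled is true: it removes unused code and
            // renames identifiers; the "-optimize" default rules file also
            // enables its bytecode optimizations.
            minifyEnabled true
            // Additionally drop unreferenced resources (layouts, drawables, ...).
            shrinkResources true
            proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'),
                          'proguard-rules.pro'
        }
    }
}
```

The `proguard-rules.pro` file referenced above holds the project's keep rules; for instance `-keep class com.example.app.ApiModel { *; }` (placeholder class name) prevents R8 from renaming a class that is instantiated or deserialized by reflection, and `-printmapping mapping.txt` records the renaming so crash stack traces from the obfuscated build can still be read.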

Methodology

Obfuscation process

The project behind this article evaluated the impact of the aforementioned obfuscation tools on the performance of mobile applications. For this purpose, the following mobile applications were selected, in order of increasing complexity:

  • Markor: A small app to add personal notes.
  • K9: A mobile mail client.
  • FastHub: A mobile GitHub-like client.

In the testing process, each of these apps was obfuscated with each of the three selected tools. For R8, obfuscation was performed directly within Android Studio. For DashO and Allatori, the APKs were processed externally, using DashO's UI and Allatori's command-line integration respectively.

Performance Testing

The obfuscated APKs were tested on an Android emulator to measure several key performance indicators:

  • APK size
  • Build time
  • Startup time
  • Memory usage

To ensure consistency and guard against outliers, each test except APK size was run three times, and the average of the three runs was used for the final comparison.

Testing Environment

The performance tests were conducted using the Android Profiler feature in Android Studio. The Android Profiler is an extensive tool for measuring application behavior. Within Android Profiler, the following features were used to track the selected metrics:

  • Capture System Activities
  • Track Memory Consumption

[Image: AndroidProfiler.png (the Android Profiler view in Android Studio)]

This approach provided an understanding of how the selected obfuscation tools affect the performance of the applications, while at the same time highlighting the practical implications and difficulties of integrating these tools into the development process.

Findings and Analysis

The evaluation of R8, DashO, and Allatori revealed their strengths and weaknesses in terms of impact on application performance. While the project successfully tested most combinations of tools and apps, four tests could not be completed due to compatibility issues with DashO and Allatori for certain applications.

Performance Indicators

Across the chosen metrics, R8 generally outperformed both DashO and Allatori significantly. This makes sense, considering that R8 is focused on application optimization, as previously mentioned. DashO and Allatori had weaker test results, which can be explained by their focus on obfuscation: the additional layers of obfuscation added by these tools contributed to longer startup times and larger APK sizes. However, they outperformed R8 in the "Memory usage" metric, which shows that they include better resource management in their obfuscation.

Usability and Integration

R8, integrated by default into Android Studio and the Gradle build process, is by far the easiest tool to use in Android app development. Its automated configuration is a notable advantage. DashO and Allatori, on the other hand, required additional setup, which makes them more difficult to integrate into the Android Studio development process. Additionally, both of these tools require commercial licensing, making them less accessible than R8.

Overall, the findings highlight the tradeoffs between security and performance when selecting an obfuscation tool for an application. R8 was found to be the most practical choice for developers focused on optimization and performance rather than obfuscation, while DashO and Allatori offer stronger reverse-engineering protection at the cost of worse performance and additional complexity.
