by jor-el
2185 days ago
Some, I see, are surprised to see the level of obfuscation used in the application. As many pointed out, many ingredients for the obfuscation used in the app are off-the-shelf and few of them can be said to be well known in the industry, but still there is a cost in integrating them into a product. Obfuscation is notorious for breaking things which should work normally (normal compilation process) and, as an own goal, making it hard to debug as well. Integrating, testing, debugging and the difficulty of debugging production crash logs are a considerable cost. That said, obfuscation is increasingly being used in mobile applications now. Check your banking application or some government applications; you will find obfuscation being used. With mobile applications getting richer and a lot of code executing on the client side, there is a compelling case to secure applications by using obfuscation (as a defense-in-depth approach). Open standards like OWASP MSTG [1] MSTG-RESILIENCE-9 recommend such an approach. Obfuscation is applied to programmatic defenses, which in turn impede de-obfuscation via dynamic analysis.
[1] https://github.com/OWASP/owasp-masvs/blob/master/Document/0x...

Most Android developers lack native coding experience, so after failed attempts to protect their applications with the DEX bytecode obfuscator, they think that recoding parts of the application with the NDK will save them.
However, as this article shows, and most here know, they shortly learn that against good attackers, the only benefit from using native code directly is that it takes a little longer to decipher what the application does.
So then one turns to solutions like what you are describing.