Android Question: How secure is obfuscation?

wimpie3

How secure is the obfuscation of B4A? I'm storing keys inside my source code needed for communication with my server. What if someone writes a program to de-obfuscate all software written in B4A? Can this happen?
 

DonManfred

You cannot deobfuscate programmatically. This is not possible, I guess.
BUT a hacker does not need to deobfuscate. He'll be able to find the right strings... even with a weird name.... But obfuscating does make this a lot harder for him.

PS: If you have Informatix's pro bundle, you can find a good description there of how to secure your app.
 

wimpie3

I'm not worrying about the names of the variables that are obfuscated, but the CONTENTS of the string.
 

Erel

B4X founder
Process globals strings are obfuscated. Check the Java source code and you will see that it is not easy to see the strings.
However a hacker can also decompile the source code and run it with a debugger and then they will have access to all the stored information.

If the server is not using SSL then a hacker could use a network sniffer to see the keys.
 

wimpie3

Erel said:
If the server is not using SSL then a hacker could use a network sniffer to see the keys.

Even if the server uses SSL, this is still possible using a Man-In-The-Middle proxy, something that is easy to do these days. You could use certificate pinning but this introduces all kinds of new problems (like when you renew your certificate, the users have to install a new version of the app or things won't work anymore).

Unless the strings inside B4A are obfuscated with C code (I don't think that is the case, @Erel), I guess there is no way to store keys secretly inside our application.
 
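The renewal problem wimpie3 raises with certificate pinning is usually handled by pinning the hash of the server's public key (the SubjectPublicKeyInfo, the `sha256/...` form used by HPKP and OkHttp) instead of the certificate, and by shipping a second, pre-generated backup pin. The following is an added example and is not code from the thread, from B4A or from Informatix's guide; the host name, the pin-set layout and the SPKI byte strings are all constructed stand-ins (real SPKI bytes come from the server's certificate or CSR).

```python
import base64
import hashlib

# Pin = base64(SHA-256(DER SubjectPublicKeyInfo)). Renewing the certificate
# with the SAME key pair does not change the pin, so the app keeps working.
def spki_pin(spki_der: bytes) -> str:
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs (not real keys).
KEY_CURRENT_SPKI = b"\x30\x82\x01\x22" + b"current-server-key-spki" * 4
KEY_BACKUP_SPKI = b"\x30\x82\x01\x22" + b"offline-backup-key-spki" * 4
KEY_ATTACKER_SPKI = b"\x30\x82\x01\x22" + b"mitm-proxy-issued-key" * 4

# Pin set shipped in app version 1: the key in use today plus a backup key
# that is generated now, kept offline, and only used at the next rotation.
PINS_V1 = {
    "api.example.test": {spki_pin(KEY_CURRENT_SPKI), spki_pin(KEY_BACKUP_SPKI)},
}

def chain_is_pinned(host: str, chain_spkis: list, pins: dict) -> bool:
    """Accept the connection only if some SPKI in the presented chain matches
    a pin for this host. This runs AFTER normal TLS certificate validation,
    it does not replace it. Hosts with no pins fall back to plain validation.
    """
    expected = pins.get(host)
    if not expected:
        return True
    return any(spki_pin(spki) in expected for spki in chain_spkis)

def next_pin_set(pins: dict, host: str, promoted_spki: bytes, new_backup_spki: bytes) -> dict:
    """Pin set for the next app release once the server has moved to the former
    backup key: that key becomes current and a fresh backup is added. Older
    app versions still connect, because they already pinned the promoted key.
    """
    out = dict(pins)
    out[host] = {spki_pin(promoted_spki), spki_pin(new_backup_spki)}
    return out
```

A real pin for a live server is obtained with `openssl x509 -in server.crt -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64`. The backup key's private half must exist before the app ships and must never be on the production server until the rotation; lose it and the pinned app versions can only be rescued by an update.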

Informatix

wimpie3 said:
Unless the strings inside B4A are obfuscated with C code (I don't think that is the case, @Erel), I guess there is no way to store keys secretly inside our application.
As said above, it is fairly easy to convert the obfuscated strings of B4A to plain text. I explain in my guide why obfuscation is generally a weak protection, whatever language you use. To convert the obfuscated data at runtime, the compiled code always includes a deobfuscation function. A simple call to this function or even a simple Log (or printf or any function appropriate for the language used) can reveal the variable content. And in case you cannot modify the code, you can trace the execution with some tools or copy the string into a program that will perform the deobfuscation (for B4A, other parameters are required, like the package name).
Note there are automatic deobfuscators for strings, e.g. https://github.com/java-deobfuscator/deobfuscator (untested with B4A)
Encrypting your data and preventing the hacker from modifying or debugging your code are the only ways that I know to really protect your in-app data.
 
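The two recovery routes Informatix describes (hook or log the app's own deobfuscation routine while it runs, or copy the blobs out of the decompiled code and run the routine yourself with the parameters it needs, such as the package name) are shown below on a toy scheme. This is an added example, not B4A's actual algorithm and not code from the thread; the XOR keystream, the package name and the sample secret are all constructed for illustration. The point it demonstrates is independent of the scheme: whatever the transformation, the APK must contain everything needed to undo it.

```python
import base64

# Constructed toy scheme (an assumption for this example, NOT what B4A does):
# each literal is stored as base64(plaintext XOR keystream), the keystream
# being derived from the package name and the literal's index. As in any
# string obfuscation, the app ships the routine and every input it needs.
PACKAGE_NAME = "com.example.demoapp"   # assumed package name, read from the manifest

def _keystream(package_name: str, index: int, length: int) -> bytes:
    seed = f"{package_name}:{index}".encode()
    return bytes(seed[i % len(seed)] ^ ((i * 7 + index) & 0xFF) for i in range(length))

def obfuscate(plain: str, index: int, package_name: str = PACKAGE_NAME) -> str:
    data = plain.encode()
    ks = _keystream(package_name, index, len(data))
    return base64.b64encode(bytes(a ^ b for a, b in zip(data, ks))).decode()

def deobfuscate(blob: str, index: int, package_name: str = PACKAGE_NAME) -> str:
    data = base64.b64decode(blob)
    ks = _keystream(package_name, index, len(data))
    return bytes(a ^ b for a, b in zip(data, ks)).decode(errors="replace")

# What the "compiled" app carries: the blobs and the routine above, never the plain text.
SECRET_API_KEY = "api-key-0123456789abcdef"          # constructed sample secret
OBFUSCATED_CONSTANTS = {
    0: obfuscate(SECRET_API_KEY, 0),
    1: obfuscate("https://api.example.test/v1/login", 1),
}

def app_login_request() -> dict:
    """What the app does at runtime: deobfuscate the values and use them."""
    return {"url": deobfuscate(OBFUSCATED_CONSTANTS[1], 1),
            "key": deobfuscate(OBFUSCATED_CONSTANTS[0], 0)}

# Route 1 (dynamic): hook the deobfuscation routine, exactly as a debugger
# breakpoint or an inserted Log call would, and collect every plain text it
# returns while the app runs normally.
def trace_deobfuscation() -> list:
    global deobfuscate
    real, captured = deobfuscate, []

    def hooked(blob, index, package_name=PACKAGE_NAME):
        out = real(blob, index, package_name)
        captured.append(out)
        return out

    deobfuscate = hooked
    try:
        app_login_request()
    finally:
        deobfuscate = real
    return captured

# Route 2 (static): copy the blobs out of the decompiled code, take the
# package name from the manifest, and run the routine outside the app.
# Without the right package name the output is garbage, which is why that
# extra parameter matters but does not add secrecy: the manifest is public.
def recover_all(constants: dict, package_name: str) -> dict:
    return {i: deobfuscate(blob, i, package_name) for i, blob in constants.items()}
```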

wimpie3

Encrypting your data: always needs a key... so where do you store that key? Not a single location on the phone is safe!
Prevent a hacker from modifying your code: if you can decompile the app to java code, you can remove this protection as well.

Conclusion: NEVER store keys inside your app. They should be kept elsewhere. Like on a server, but this means the user will need internet access at a certain moment.
 

Informatix

wimpie3 said:
Encrypting your data: always needs a key... so where do you store that key? Not a single location on the phone is safe!
Prevent a hacker from modifying your code: if you can decompile the app to java code, you can remove this protection as well.
I know all that, HOWEVER it is possible to store your data safely in your app and prevent anyone from modifying or debugging your code. I wrote a guide to explain how.
And there are cases where you cannot do otherwise than store a key inside the app (e.g. you want the app to work without a network connection), so all solutions based on an external server are of no use.
 
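wimpie3's conclusion (keep the key on a server, not in the app) most often takes the shape below: the app ships with no shared secret at all, obtains a per-install secret from the server on first contact, and signs each request with it. A stolen credential then belongs to one install and is revoked without affecting anyone else, and the master key never leaves the server. This is an added example, not code from the thread or from B4A; the paths, token sizes and timestamps are constructed. Informatix's caveat still applies: registration needs a network connection, and the per-install secret is still data stored on the phone, so it needs the same at-rest protection as any other local secret, it is just not a key that unlocks every copy of the app.

```python
import hashlib
import hmac
import secrets
import time

def sign(secret: bytes, method: str, path: str, body: bytes, ts: int, nonce: str) -> str:
    """HMAC-SHA256 over method, path, body hash, timestamp and nonce. The
    secret itself never travels, so a sniffer or MITM sees only one signature
    per request and cannot forge others."""
    body_hash = hashlib.sha256(body).hexdigest()
    msg = "\n".join([method, path, body_hash, str(ts), nonce]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

class Server:
    def __init__(self, max_skew_s: int = 300):
        self.installs = {}       # install_id -> secret (a database in practice)
        self.revoked = set()
        self.seen_nonces = set() # replay cache; bounded by max_skew_s in a real deployment
        self.max_skew_s = max_skew_s

    def register(self) -> tuple:
        """First launch: hand this install its own random credential."""
        install_id = secrets.token_hex(8)
        secret = secrets.token_bytes(32)
        self.installs[install_id] = secret
        return install_id, secret

    def revoke(self, install_id: str) -> None:
        self.revoked.add(install_id)

    def verify(self, req: dict, now: float = None) -> bool:
        now = time.time() if now is None else now
        install_id = req["install_id"]
        secret = self.installs.get(install_id)
        if secret is None or install_id in self.revoked:
            return False
        if abs(now - req["ts"]) > self.max_skew_s:      # stale or clock-skewed request
            return False
        if req["nonce"] in self.seen_nonces:           # replay of a captured request
            return False
        expected = sign(secret, req["method"], req["path"], req["body"], req["ts"], req["nonce"])
        if not hmac.compare_digest(expected, req["sig"]):
            return False
        self.seen_nonces.add(req["nonce"])
        return True

def make_request(install_id: str, secret: bytes, method: str, path: str,
                 body: bytes, now: float = None) -> dict:
    """Client side: what the app sends, given only its own install credential."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    return {"install_id": install_id, "method": method, "path": path, "body": body,
            "ts": ts, "nonce": nonce, "sig": sign(secret, method, path, body, ts, nonce)}
```

Registration itself should run over TLS (ideally pinned), since that is the one moment the secret is on the wire; after that, an intercepted request yields a signature that is useless once its nonce has been seen or its timestamp has aged out.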

mrred128

The biggest factor of security is time. The longer your data is 'out there' the less secure it becomes. If you include keys with your code, it will not be secure for long. Keeping keys as data files is more secure and changing them often is even more.

As pointed out, obfuscation is only a stumbling block and not much of one for a real hacker.
 

Informatix

Today, I came across a site where a hacker explains how to defeat a string encryption method that he found in an app. This method looks very similar to the one used by B4A (in Release (obfuscated) mode), and the hacker provides a tool on GitHub to easily decrypt these strings.
 