Obfuscating Android Apps: Do you know your choices for protection?

Lina Berzinskas
ProAndroidDev


PreEmptive participated as a partner in droidcon Berlin, droidcon NYC and droidcon San Francisco in 2019. This article is based on comments, questions and feedback we gathered from discussions with developers at these events. We wanted to summarize our answers in an article to help you understand some of the key differences between ProGuard, DexGuard and DashO which are the three leading obfuscation, code shrinking and code optimization tools.

Protecting your application’s code before shipping is integral to the security of your organization. Companies face threats of hacking and tampering every day and “secure by design” is becoming the new norm. By injecting obfuscation transforms and runtime checks during the build, an application has a layer of defense that makes it harder to decompile. For companies with sensitive customer data or intellectual property, protecting code has become less of an option and more of a standard.

Each time we attend droidcon, we receive questions from Android developers who have tried ProGuard and DexGuard and are looking for an alternative. We thought it would be beneficial to explain the similarities and differences between the most widely deployed application protection solutions.

Before diving into a short analysis of the options, here is a quick primer on code obfuscation:

What is Code Obfuscation?

Code Obfuscation is the process of modifying an executable so that it is no longer useful to a hacker but remains fully functional. While the process may modify actual method instructions or metadata, it does not alter the output of the program. On some platforms (such as Java, Android, iOS and .NET) free decompilers can easily reverse-engineer source code from an executable or library in virtually no time and with no effort. Automated code obfuscation makes reverse-engineering a program difficult and economically unfeasible.

Source Code before and after Obfuscation

Why use a Code Obfuscator?

By making an application much more difficult to reverse-engineer, you can protect against trade secret (intellectual property) theft, unauthorized access, bypass of licensing or other controls, and vulnerability discovery.

How does Obfuscation Work?

Code obfuscation consists of many different techniques that can complement each other to create a layered defense. Some typical examples of obfuscation and application security techniques include:

· Rename Obfuscation

· String Encryption

· Control Flow Obfuscation

· Dummy Code Insertion

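As an added illustration (not from the article or from any of the three tools), here is a Java sketch of the four techniques applied by hand to one method: `Demo.check` is the readable original, and `a.c` is the same logic after rename obfuscation, string encryption (a one-byte XOR key, 0x5A, stands in for whatever scheme a product uses, with decryption at run time), control flow flattening into a switch-driven state machine, and a dummy branch guarded by an always-false predicate. Real tools apply these transforms to compiled bytecode rather than to source, and the sample license keys are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;

// Readable original: roughly what a decompiler recovers from an unprotected APK.
class Demo {
    static String check(String key) {
        if (key.length() != 8) return "bad key";
        if (key.startsWith("PRO-")) return "pro";
        return "basic";
    }

    public static void main(String[] args) {
        // Constructed sample keys; both versions must agree on every input.
        for (String k : new String[]{"PRO-1234", "STD-1234", "short"}) {
            if (!Demo.check(k).equals(a.c(k))) throw new AssertionError(k);
        }
        System.out.println("original and obfuscated versions agree");
    }
}
// The same method after the four transforms (hand-written to mimic tool output).
// Rename obfuscation: Demo.check becomes a.c and the string decryptor is a.b.
final class a {
    // String encryption: each literal is stored XOR-ed with the illustrative key 0x5A
    // and decoded only at run time, so it never appears in the clear in the dex file.
    private static String b(byte[] c) {
        byte[] p = new byte[c.length];
        for (int i = 0; i < c.length; i++) p[i] = (byte) (c[i] ^ 0x5A);
        return new String(p, StandardCharsets.US_ASCII);
    }
    static String c(String k) {
        // Control flow obfuscation: the two if-statements are flattened into a
        // switch-driven state machine, so the decompiler no longer sees plain branches.
        int s = 0;
        String r = null;
        while (true) {
            switch (s) {
                case 0: s = (k.length() != 8) ? 1 : 2; break;
                case 1: r = b(new byte[]{0x38, 0x3B, 0x3E, 0x7A, 0x31, 0x3F, 0x23}); s = 4; break; // "bad key"
                case 2: s = k.startsWith(b(new byte[]{0x0A, 0x08, 0x15, 0x77})) ? 3 : 5; break;  // "PRO-"
                case 3: r = b(new byte[]{0x2A, 0x28, 0x35}); s = 4; break;                         // "pro"
                case 5: r = b(new byte[]{0x38, 0x3B, 0x29, 0x33, 0x39}); s = 4; break;             // "basic"
                default:
                    // Dummy code insertion: an opaque predicate that is always false guards a
                    // branch that never runs but still has to be analysed by a reverse engineer.
                    if ((k.hashCode() & 1) == 2) r = b(new byte[]{0x38, 0x3B});
                    return r;
            }
        }
    }
}
```

Run it with `java Demo.java`; the plaintext comments beside the byte arrays are there for the reader and would of course not appear in a shipped build.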

What are the Differences Between the Most Common Tools?

Though this is (by no means) comprehensive, it is useful to highlight basic functional points to help better understand the difference between PreEmptive’s DashO, and GuardSquare’s ProGuard and DexGuard.

Platform support: DashO works on many types of Java and Kotlin applications, including Android. It is part of the larger PreEmptive Protection suite of products that includes Dotfuscator (used to protect Android apps built in .NET via Xamarin) and JSDefender (used to protect Android apps built in JavaScript).

Of the three options, it has the highest platform versatility with the most features.

ProGuard also works on many types of Java apps, but has limited functionality, as noted below. Finally, DexGuard only works on Android applications, and will not work on other types of Java or Kotlin applications.

Features: ProGuard is a free “lite” version of DexGuard. It offers significantly fewer features than both DexGuard and DashO; however, it is easy to configure. ProGuard is built into the Android SDK with some initial automatic configurations. On the downside, ProGuard can only rename symbols and minify — it does not include features like control flow obfuscation, string and resource encryption, or runtime checks.

DashO offers a layered protection approach, combining different obfuscation techniques with runtime checks. Resource encryption was the latest feature to be added to the list. See DashO features.

DexGuard also offers a multi-layered hardening approach with additional transforms that can be “add-ons” to their basic package. Device fingerprinting and secure keyboard are options beyond their basic package.

Developer Support

Full technical support for DashO is available to all customers, at all times — including during the evaluation phase. DexGuard offers “Basic” and “Gold Level” support allowing an organization to choose between an email-only or premium support level.

Developers should carefully evaluate support options as a migration away from ProGuard will require new protection transforms and controls to evaluate, activate, and configure, whether migrating to DexGuard or installing DashO from scratch.

Integration: DashO offers a great user-experience and includes a Project Wizard which automates much of the work of configuring a new project. DashO has a GUI that has built-in rules to prevent misconfiguration and shows class trees to help configure inclusions and exclusions.

DashO Project Wizard walks users through integration


ProGuard and DexGuard, on the other hand, only support text-based configuration. The available GUIs are structured text editors and do not include a Project Wizard. Developers have to rely on copying examples to complete the integration, which can lead to errors.

Finally, Google is phasing ProGuard out of the Android SDK, in favor of their own R8 tool. DashO’s Android Mode is specifically designed to work with R8, so it is a natural and easy upgrade.

Making Updates: DashO is able to inject its protections post-compile, so additional app development is not required when a change needs to be made. While DashO allows you to provide custom code to respond to runtime checks (as seen in the example below), it is not required to get the benefits of those checks.

DexGuard on the other hand has many API-based features that require developers to add API calls and manage library dependencies.

Similarities:

From a feature standpoint, ProGuard is a very lite version and is in a different category than DashO and DexGuard. What do DashO and DexGuard have in common?

1. They both process compiled Java bytecode, producing new bytecode that has been protected and hardened.

2. They both integrate with Android Gradle builds and use project-specific config files.

3. They both allow you to specify inputs, support libraries, entry points, and configuration rules.

Making a decision:

Decisions in choosing software are often made at the intersection of three factors: cost, effectiveness, and speed of integration. Where most decision makers hope to choose two of the three, here is how our choices break down:

ProGuard wins at cost and speed. The tool is already integrated in Android’s SDK and ships in the box at no cost. Unfortunately, the minimal protection it offers becomes merely an entry point for upselling its fuller version, DexGuard. Additionally, Google’s introduction of R8 will continue to move this product out of the limelight.

DexGuard wins at effectiveness. It offers an impressive list of features; unfortunately, those features come at a high price. Developing a tool that requires third-party integration inherently raises costs. Pricing by application is complex to manage and monitor and can unexpectedly raise costs as well. In addition to pricing, DexGuard only works on Android applications and does not support Java and Kotlin applications outside Android.

DashO balances cost, effectiveness and speed of integration. Its platform support offers greater options within the Java space, and the features go hand in hand with Google’s latest R8 updates. DashO’s intuitive “developer focused” design can help organizations keep their source code in house, and adding excellent technical support ensures large and small organizations have the support they need to finish the project.

Summary

If you are releasing an Android app, obfuscation should probably be part of your application development process. The end goal is to add another layer of protection to your application that deters bad actors from getting in without breaking the app… or your bank account.

For more information on DashO’s features or to try the product yourself visit PreEmptive!


Helping companies secure their applications one build at a time. Android | Java | JavaScript | .NET