Code obfuscation

What is code obfuscation?

Code obfuscation is the process of modifying an executable so that it is useless to a hacker while remaining fully functional: the functionality of the code is unchanged, but the logic and purpose of the app’s code are concealed. Code obfuscation is a standard method to prevent cybercriminals from decompiling and reverse engineering an app’s code, and to protect apps from intellectual property theft.

How does code obfuscation work?

Code obfuscation comprises several techniques that complement each other, creating a layered defence for an app’s source code. Obfuscation techniques are classified by the information they target: some transformations target the lexical structure of the software, while others target the control flow. The major code obfuscation techniques are data obfuscation, layout obfuscation, and control obfuscation, which you can read more about in our App Code Obfuscation Guide.

JavaScript obfuscation

Hybrid apps written in JavaScript can be more vulnerable to attacks than apps using native languages. Therefore, app providers must actively protect their apps against emerging threats with a strong layer of defence to safeguard critical code. By obfuscating JavaScript code, you hide strings, objects, and variables, making it difficult for cybercriminals to understand your code. This also raises the threshold for carrying out reverse engineering attacks.
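The string hiding and renaming described above, shown as an added example that is not from the original page or from any vendor's product. The toy `obfuscate` and `load` helpers, the XOR key and the `checkLicense` sample are all assumptions made for illustration.

```javascript
const KEY = 0x5a; // constructed single-byte XOR key, illustration only

// Constructed readable input, standing in for app code before the build step.
const readableSource = `
function checkLicense(licenseKey) {
  const expectedPrefix = "PRO-";
  return licenseKey.startsWith(expectedPrefix) ? "licensed" : "trial";
}`;

// Toy obfuscator (hypothetical, not a real tool): string literals become
// lookups in an XOR-encoded table (data obfuscation) and the listed names
// are replaced with meaningless ones (layout obfuscation).
function obfuscate(source, names) {
  const table = [];
  let out = source.replace(/"([^"\\]*)"/g, (_, text) => {
    table.push(Array.from(text, (ch) => ch.charCodeAt(0) ^ KEY));
    return `_d(${table.length - 1})`;
  });
  names.forEach((name, i) => {
    out = out.replace(new RegExp(`\\b${name}\\b`, "g"), `_${i}`);
  });
  // The decoder has to ship with the code so the app can still run.
  const decoder = `const _t=${JSON.stringify(table)};` +
    `function _d(i){return String.fromCharCode(..._t[i].map((c)=>c^${KEY}));}`;
  return decoder + out;
}

// Evaluate a source string and return the function it defines (sample harness).
function load(source, fnName) {
  return new Function(`${source}; return ${fnName};`)();
}

const obfuscatedSource = obfuscate(
  readableSource, ["checkLicense", "licenseKey", "expectedPrefix"]);
const original = load(readableSource, "checkLicense");
const protectedFn = load(obfuscatedSource, "_0"); // checkLicense was renamed to _0

console.log(obfuscatedSource);
console.log(original("PRO-1234"), protectedFn("PRO-1234"), protectedFn("FREE-1"));
```

Because the decoder and key ship inside the obfuscated file, a transformation like this raises the effort of reading the code statically rather than keeping anything secret, which is why it is treated as one layer among several.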

iOS obfuscation

The most common programming languages for iOS apps, Objective-C and Swift, are compiled to machine code. This has created a misconception that iOS apps are more difficult to reverse engineer. However, mature technology is available for reverse engineering machine code. In addition, if someone installs an app on a jailbroken device, Apple’s encryption will not be enough to prevent reverse engineering or app analysis. By using obfuscation methods for your iOS apps, including control flow obfuscation and string obfuscation, you make it harder for cybercriminals to perform reverse engineering.

Android obfuscation

Generally, all code is prone to reverse engineering, but code written in languages allowing dynamic introspection at runtime is at particular risk. Unprotected Android apps can result in intellectual property theft, loss of revenue, and reputational damage. Providers should actively protect their apps against cyberattacks with a strong layer of defence to safeguard critical code. Android obfuscation techniques include renaming class, function and method names, namespace flattening, and code shuffling. For your Android apps, we recommend choosing a security solution that applies multiple obfuscation techniques.

Why you should combine code obfuscation with runtime protection

While obfuscating your app code is an important security measure against reverse engineering and intellectual property theft, it is not enough to protect your apps from all attack scenarios. You need a comprehensive app security solution combining code obfuscation techniques with runtime protection to protect both Android and iOS apps entirely. 

With Promon SHIELD™, your apps are not just relying on obfuscation for security. The solution also monitors runtime behaviour and detects if an app is executing in an insecure environment. Promon SHIELD™ detects code hooks, blocks foreign code injection, and enables your app to modify its behaviour in real time to interrupt attacks. Utilising obfuscation of your app in conjunction with a multi-layered app shielding solution will make your apps less prone to reverse engineering and intellectual property theft.