Code obfuscation is the process of transforming code so that it’s difficult to understand and analyze, but in such a way that it remains fully functional. Code obfuscation follows the logic of “security through obscurity,” meaning that the more time-consuming and complicated it is to unravel obfuscated code, the less worthwhile it is for hackers to try to reverse engineer it.
Although code obfuscation is not required in every case, it is a fundamental part of the security toolkit that developers rely on to keep their software and applications safe. And it is absolutely essential in situations where valuable data or logic is being run in unsafe or unknown environments.
The benefits of code obfuscation
Code obfuscation provides multiple security benefits, although the extent of protection depends upon the strength and variety of the obfuscation techniques employed. These include:
- Hiding and confusing the logic and purpose of code to prevent tampering and reverse engineering
- Concealing information that can be used in further attacks, such as debug information, log messages, and strings displayed to the user
- Securing valuable intellectual property, such as proprietary algorithms or licensed technology or content
- Hardening potential attack points by obscuring security flaws and vulnerabilities so they can’t be exploited
Techniques used for code obfuscation
Code obfuscation is a broad term that covers any attempt at disguising the true purpose of code. There are numerous obfuscation techniques of varying complexity and effectiveness, and several free tools exist that allow anyone to apply basic obfuscation to their code. These elementary methods involve:
- Renaming variables and functions: In software code, standard command functions can be renamed to hide their purpose. For example, instead of a function name “checkLicense()” you could write “a83ci2()”; or instead of having a variable “passwordHash” you could write “mxs7kd21”. While you wouldn’t want to write a program in this manner, you can use simple renaming tools to accomplish this effect before distributing your code.
- Adding meaningless statements: Security professionals can confuse and delay attackers by adding code that performs some minor computations but doesn’t actually impact any of the final output. As a result, a hacker will waste time trying to understand or factor in elements that don’t give them any value. There is a possibility, however, that the extra code statements can slow down overall process execution.
- Removing debug data and unused metadata: Debugging data and metadata are important for users to investigate why a program worked incorrectly or crashed. However, this information can also be used by hackers to analyze the code and tamper with the execution logic. Ensuring that this data is not available makes it more difficult for them to do so.
- Inserting decoy logic: This involves creating non-trivial conditional statements that ultimately evaluate to a fixed value. This superfluous logic does not change the behavior of your application, but can be very confusing to disassemblers.
However, there are significant limitations to what these free tools can do. They tend to employ fairly basic obfuscation methods. Moreover, since hackers have realized their popularity, they have focused on understanding and circumventing the techniques they use. The free tools available also pose issues for companies creating applications across multiple platforms, as this requires different tools for each platform, increasing the workload and development time.
Using advanced code obfuscation
Though basic obfuscation methods will slow down and even deter certain hack attempts, they are not robust enough to fend off concerted attacks by determined actors. For apps that handle valuable or sensitive data, app security needs to be paramount. Not only are credit card details and health records more prone to attack, but failure to implement proper security protocols can be extremely damaging for the company involved, particularly in terms of regulatory fines and reputation.
In such cases, more advanced code obfuscation methods are required. These techniques are more difficult and expensive to implement, involving a highly specific skill set. Generally, they require an external vendor specializing in code obfuscation and application hardening, rather than relying on in-house development.
Examples of advanced obfuscation techniques include:
- Control flow obfuscation: Understanding the logical flow of code in an application is essential for analyzing how it works. Changing the order in which statements are executed, inserting arbitrary jump instructions, and reshaping tree-like conditional constructs into flat switch statements force attackers to follow an extremely convoluted flow, severely frustrating their efforts.
- Binary code encryption: Hackers use static analysis tools to examine an application’s code and understand how it works. Segments of the binary code can be encrypted and only decrypted during runtime to protect the program from these attacks.
- Function inlining: Function calls are replaced with the function body, meaning all of the function must be read or processed to be identified, obscuring the flow and function of code.
- White box cryptography: This technique focuses on securing the most important information on an application: its cryptographic keys. A white-box implementation of a cryptographic algorithm sees this vital information executed in an obscure environment that hides the internal key data and logic.
What to do next?
For any application developer or vendor, evaluating their software’s security status is essential for understanding where security gaps exist and how they can be eliminated. Ask yourself the following questions:
- What sensitive data or logic does your application contain?
- What regulatory and reputational risks would you be exposed to by a data breach?
- Will the application be executed outside of your secure development environment, i.e., on mobile devices or online?
- What security protocols have been implemented for your software, and are these exhaustive?
Employing basic code obfuscation techniques or using free online tools may be sufficient for low value applications. However, any commercial application that will be widely distributed and contains either intellectual property or sensitive data needs a higher level of security through advanced obfuscation. Many firms in this situation turn to an experienced third-party application protection vendor that can address their security needs.
Intertrust helps companies of all sizes bring their application or device software to a market-ready security level. Our industry-leading whiteCryption software security products are used in hundreds of thousands of applications worldwide. whiteCryption Code Protection provides enterprise grade obfuscation and in-app protection that is easy to apply and works across all major platforms. Our advanced white-box cryptography solution, whiteCryption Secure Key Box, keeps cryptographic keys at all times, even when running in an exposed environment.
About Juris Olekss
A seasoned security professional, Juris has spent more than 17 years in the IT and security industries, with the majority dedicated to software security. Juris currently serves as a Senior Technical Writer for Intertrust’s whiteCryption application shielding solutions.