Nearly every attack on a software application begins with reverse engineering the source code to extract or discover useful information, such as trade secrets (IP), credentials, or security vulnerabilities. Open Web Application Security Project (OWASP) puts reverse engineering as one of the top ten application security risks, and readily available tools make it all too easy for attackers to decompile and analyze the code of unprotected apps. While no silver bullet exists to fully prevent a highly motivated and skilled attacker, strong code obfuscation techniques can frustrate and impede hackers to the point where they will abandon their attempts. However, despite OWASP’s recommendation to implement code obfuscation, some developers remain reluctant over concerns that obfuscation will affect app performance.
How can app developers find the optimal balance between security and performance when it comes to obfuscating code?
An overview of obfuscation techniques
First, let’s briefly look at code obfuscation methods. These range from very basic techniques, such as inserting nonsense code and changing method and variable names, to manipulating code in ways that make it difficult for even seasoned hackers to reverse engineer and understand the code’s function or direction of flow. Beyond the basics mentioned above, recommended code obfuscation techniques include:
- Data transformation
- Obfuscating debug information
- Function inlining
- Obfuscating assembly code instructions
- Control flow flattening
- Obfuscating metadata
- Obfuscating Objective-C message calls
- Employing string encryption on all readable strings
- Tampering checks and protections
You can find more detailed information on code obfuscation and other best practices for shielding applications from attacks in our Practical guide to application hardening.
Does obfuscation affect performance?
Before including any security layer, app developers and publishers need to understand the impact it may have on their users’ experience. So does implementing recommended obfuscation protections come with a performance price? In short—sometimes. Basic obfuscation, such as removing debug information, renaming variables and functions has little if any impact on performance; in some cases, it may even reduce the file size. In general, the more potent and complex the obfuscation, the greater the size and performance overhead.
However, even fairly strong obfuscation will incur only a minor runtime penalty, especially if implemented strategically as we will discuss below. Although some performance penalty may occur, the consequences of a successful attack on an applications can be much more devastating, including:
- Loss of revenue and consumer trust
- Theft of data
- Substantial regulatory fines
- Pirating of intellectual property
- Use of apps to commit fraud or steal money directly
Strategies to optimize code obfuscation
Given the severe consequences of leaving your app unprotected, the question becomes not does obfuscation affect performance, but how to optimize obfuscation for maximum application protection and minimum performance impact.
Identify performance-critical and security-critical code
The objective of obfuscation is to make it very difficult to reverse engineer your application. However, not all of your app code contains sensitive data, valuable algorithms, or functions critical to your application’s security. Selectively apply the strongest obfuscation techniques to your most critical code and use less intensive methods on the rest of your application.
Moreover, for some applications, such as audio production tools or media players, performance speed and consistency are essential. However, this performance-optimized code usually comprises a very limited part of the app’s full codebase. Exclude such functions from your obfuscation or apply only light obfuscation.
Some advanced application protection solutions, such as whiteCryption Code Protection, analyze your application’s runtime behavior to identify speed-sensitive functions. This runtime information is then used to automatically adjust protection levels for different parts of the application depending on your security and performance requirements.
Test, adjust, and repeat
You will not be able to get it right on the first try. Therefore, a good performance testing infrastructure is essential for your app. To get the right balance between good obfuscation and acceptable performance, the runtime profiling procedure should be automated and easily repeatable. Ideally, the steps executed during such profiling should be identical in each run. This will enable you to do reliable performance comparison of different editions of your app with varying levels of obfuscation. Your profiling mechanism should cover as much of your application’s functionality as possible, and it should reflect real-life usage as closely as possible. If these requirements are met, obfuscation applied to your app will yield the best results both in terms of security and runtime speed.
The verdict on obfuscation vs. performance
In general, the impact of code obfuscation on an application’s performance, while it does exist, can be controlled and minimized. In comparison to other features of an app, such as loading images, animated graphics, or high detail functions, obfuscation ranks low on the list of things that may be slowing down an app.
Most importantly, code obfuscation is an essential tool in the fight against hackers—when done correctly it proactively deters attacks with no effect on end-user experience.
As an industry leader in application security, Intertrust considers code obfuscation a fundamental protection layer. Our whiteCryption application shielding suite offers a full range of app hardening technologies, including strong code obfuscation algorithms, to keep your assets safe without significantly impacting functionality or adding to development time. To find out more, get in touch with our team today.
About Juris Olekss
A seasoned security professional, Juris has spent more than 17 years in the IT and security industries, with the majority dedicated to software security. Juris currently serves as a Senior Technical Writer for Intertrust’s whiteCryption application shielding solutions.