Source Code Obfuscation Security Techniques—Tools of The Trade
Every day the number and range of methodologies and malicious programs hackers use to gain unauthorized access to devices and personal information increases. Fortunately, the companies who make up the online world, and the security professionals that support them, have their own arsenal of tools to fight back.
One of the most important weapons available to developers and security teams in the war against application piracy, device infiltration, code injection, and other malicious acts is source code obfuscation. Knowing how to obfuscate code is one of the primary defenses against hackers, delaying or preventing them from getting a clear image of an application’s code. Source code obfuscation tools use a variety of techniques to make code confusing and unreadable. Having a clear strategy on how to obfuscate code, using overlapping techniques, helps to mitigate the risk from decompilers and hackers whose intent is to reverse engineer a program.
To give a better idea of how obfuscation in programming works, here are some of the most common obfuscation security techniques used by developers around the world.
How Source Code Obfuscation Works
1. Data Transformation
An important element of source code obfuscation is transforming the data processed by the program into another form that has a minimal effect on the performance of the code but makes the code harder for hackers to break down or reverse engineer.
Examples of how to obfuscate code in this way include using the binary form of numbers to make source code more complex, changing the form in which data is stored, or replacing a value with an expression.
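An added example in C (not from the original article or any vendor tool) of two of these transformations: values are stored in an affine-encoded form, and arithmetic is carried out through expressions on the encoded values, so intermediate results never appear in plain form. The constants ENC_A and ENC_B and all function names are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed encoding parameters (assumptions). ENC_A must be odd. */
#define ENC_A 0x9E3779B1u
#define ENC_B 0x7F4A7C15u

/* Multiplicative inverse of an odd value modulo 2^32 (Newton iteration). */
static uint32_t inv_mod_2_32(uint32_t a) {
    uint32_t x = a;              /* a*a == 1 mod 8, so 3 bits are correct */
    for (int i = 0; i < 5; i++)
        x *= 2u - a * x;         /* each round doubles the correct bits */
    return x;
}

/* Stored form of v is A*v + B (mod 2^32); decode reverses it. */
static uint32_t encode(uint32_t v) { return ENC_A * v + ENC_B; }
static uint32_t decode(uint32_t e) { return inv_mod_2_32(ENC_A) * (e - ENC_B); }

/* Add two encoded values: (Ax+B) + (Ay+B) - B = A(x+y) + B */
static uint32_t enc_add(uint32_t ex, uint32_t ey) { return ex + ey - ENC_B; }

/* Multiply an encoded value by plain k: k(Ax+B) - (k-1)B = A(kx) + B */
static uint32_t enc_mul_const(uint32_t ex, uint32_t k) {
    return k * ex - (k - 1u) * ENC_B;
}

/* Plain reference: total in cents for qty items plus a fixed fee. */
uint32_t total_plain(uint32_t qty) { return 499u * qty + 150u; }

/* Same result, computed entirely on encoded values until the end. */
uint32_t total_encoded(uint32_t qty) {
    uint32_t e_qty = encode(qty);
    uint32_t e_sub = enc_mul_const(e_qty, 499u);
    uint32_t e_tot = enc_add(e_sub, encode(150u));
    return decode(e_tot);
}

int main(void) {
    for (uint32_t q = 0; q < 4; q++)
        printf("qty=%u plain=%u encoded=%u\n", (unsigned)q,
               (unsigned)total_plain(q), (unsigned)total_encoded(q));
    return 0;
}
```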
2. Code Flow Obfuscation
Changing the control flow of the code changes its orientation. Although the final results are the same, it takes a lot longer to understand why the code takes a certain direction or where it is going.
Control flow obfuscation in programming can be performed by altering the order of program execution statements, changing the control graph by inserting arbitrary jump instructions, and converting tree-like conditional constructs into flat switch statements.
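The flattening step described above, as an added example in C (not from the original article): the same loop and if/else tree written once in structured form and once as a dispatcher loop over a flat switch. The function names and state numbers are arbitrary choices made for this illustration.

```c
#include <stdio.h>

/* Structured form: a loop containing an if/else tree. */
unsigned steps_plain(unsigned n) {
    unsigned steps = 0;
    while (n > 1) {
        if (n % 2 == 0)
            n /= 2;
        else
            n = 3 * n + 1;
        steps++;
    }
    return steps;
}

/* Flattened form: every basic block becomes a case, and a state
 * variable decides which block runs next. The nesting that showed
 * the loop and the branch is gone from the control graph. */
unsigned steps_flat(unsigned n) {
    unsigned steps = 0;
    int state = 3;                                        /* entry block */
    for (;;) {
        switch (state) {
        case 3: state = (n > 1) ? 7 : 9;           break; /* loop test   */
        case 7: state = (n % 2 == 0) ? 1 : 5;      break; /* branch test */
        case 1: n /= 2;        state = 4;          break; /* even arm    */
        case 5: n = 3 * n + 1; state = 4;          break; /* odd arm     */
        case 4: steps++;       state = 3;          break; /* loop tail   */
        case 9: return steps;                             /* exit block  */
        default: return steps;                            /* unreachable */
        }
    }
}

int main(void) {
    for (unsigned n = 1; n <= 10; n++)
        printf("n=%u plain=%u flat=%u\n", n, steps_plain(n), steps_flat(n));
    return 0;
}
```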
3. Address Obfuscation
This technique, used by some source code obfuscation security tools, alters the addresses of program data and code to create unpredictability and make it more difficult to exploit. When an application is built, the obfuscation algorithm randomizes the absolute locations of some code and data in memory, and the relative distances between different data items. This not only reduces the likelihood of successful attacks, it also means that even if a hacker is successful on one application or device, they will not be able to replicate it on others, reducing the benefit of reverse engineering a program.
4. Regular Renewal of Obfuscated Code
This technique proactively prevents attacks by regularly issuing updates of obfuscated software, frustrating hacker attempts to crack the system. When existing software is occasionally replaced with newly obfuscated instances, an attacker is forced to abandon their existing analysis. In the end, the effort of breaking through the obfuscation security exceeds the value gained.
5. Objective-C Message Call and Metadata Obfuscation
Source code obfuscation tools, such as Intertrust’s application shielding solution, obfuscate Objective-C code in two ways. First, they obfuscate plain text message calls contained within the source code to ensure they are not easily readable and editable. Second, they encrypt some of the Objective-C metadata to conceal sensitive information, such as names of categories, classes, methods, protocols, class properties and instance variables, as well as method arguments and their types, from static analysis tools. The encrypted data is only decrypted at runtime when the obfuscated application is loaded.
6. Obfuscation of Assembly Code Instructions
Transforming and altering the assembly code can render it more difficult to reverse-engineer. One such method is to use overlapping assembly instructions (also known as the “jump-in-the-middle” method) that hide code within other code, causing a disassembler to produce incorrect output. Assembly code can also be strengthened against penetration through the inclusion of unnecessary control statements and garbage code.
7. Obfuscating Debug Information
Debug information can be used for reverse engineering a program to discover its source code through decompiling and recompiling a program’s code. That’s why it’s important to block unauthorized access and debugging. Source code obfuscation tools accomplish this by changing line numbers and file names in debug data, or removing debug information altogether.
Source Code Obfuscation in Programming Helps Combat Hacking
Attacks on software, applications, and even home IoT devices are a constant. Attacks are growing as more of our personal lives and valuable data and information move online. Understanding or knowing how to obfuscate code is a key element of our defense against hackers and other bad actors. For companies looking to protect their intellectual property and the data of their customers, source code obfuscation and effective source code obfuscation tools are among the most powerful weapons in their arsenal.
Even for open source software, it’s essential to maintain trusted environments for communication, storage, and transfer of data. That’s why Intertrust has focused its resources and experience on developing and employing industry-leading source code obfuscation techniques in its flagship whiteCryption application security solution. whiteCryption Code Protection and Secure Key Box form part of an overall application hardening package that keeps valuable information such as cryptographic keys, proprietary algorithms, and user data secure.
About Juris Olekss
A seasoned security professional, Juris has spent more than 17 years in the IT and security industries, with the majority dedicated to software security. Juris currently serves as a Senior Technical Writer for Intertrust’s whiteCryption application shielding solutions.