Every day the number and range of methodologies and malicious programs hackers use to gain unauthorized access to devices and personal information increases. Fortunately, the companies who make up the online world, and the security professionals that support them, have their own arsenal of tools to fight back.
One of the most important weapons available to developers and security teams in the war against application piracy, device infiltration, code injection, and other malicious acts, is code obfuscation. Without it, bad actors would have a much easier time attacking devices and stealing personal information and intellectual property.
Code obfuscation uses a variety of techniques to make source code confusing and unreadable. Knowing how to obfuscate code may help mitigate the risk from decompilers and frustrate hackers whose intent is to reverse engineering a program, since the decompiled code is rendered unintelligible.
Here are some of the most common code obfuscation techniques used by developers around the world.
How to Obfuscate Code
1. Data Transformation
One of the most important elements of code obfuscation is transforming data processed by the program into another form, which has a minimal effect on the performance of the code, but makes it hard for hackers to break down or reverse engineer it.
Examples include using the binary form of numbers to make source code more complex, changing the form in which data is stored, or replacing a value with an expression.
2. Code Flow Obfuscation
By changing the control flow of the code, the orientation of the code is changed. This means that although the final results are the same, it takes a lot longer to understand why the code takes a certain direction or where it is going.
Control flow obfuscation can be performed by altering the order of program execution statements, changing the control graph by inserting arbitrary jump instructions, and converting tree-like conditional constructs into flat switch statements as shown in the following diagram.
3. Address Obfuscation
This technique alters the addresses of program data and code to create unpredictability and make it more difficult to exploit. When an application is built, the obfuscation algorithm randomizes the absolute locations of some code and data in memory, and the relative distances between different data items. This not only reduces the likelihood of successful attacks, it also means that even if a hacker is successful on one application or device, they will not be able to replicate it on others, reducing the benefit of reverse engineering a program.
4. Regular Renewal of Obfuscated Code
This technique proactively prevents attacks by regularly issuing updates of obfuscated software, frustrating hacker attempts to crack the system. By occasionally replacing existing software with newly obfuscated instances, an attacker is forced to abandon their existing analysis. In the end, the effort of breaking code exceeds the value gained.
5. Objective-C Message Call and Metadata Obfuscation
Security tools such as Intertrust’s integrated software protection solution, obfuscate Objective-C code in two ways. First, they obfuscate plain text message calls contained within the source code to ensure they are not easily readable and editable. Second, they encrypt some of the Objective-C metadata to conceal sensitive information from static analysis tools such as names of categories, classes, methods, protocols, class properties and instance variables, as well as method arguments and their types. The encrypted data is only decrypted at runtime when the obfuscated application is loaded.
6. Obfuscation of Assembly Code Instructions
Transforming and altering the assembly code can render it more difficult to reverse-engineer. One such method is to use overlapping assembly instructions (also known as “jump-in-the-middle” method) that hide code within other code causing a disassembler to produce incorrect output. Assembly code can also be strengthened against penetration through the inclusion of unnecessary control statements and garbage code.
7. Obfuscating Debug Information
Debug information can be used for reverse engineering a program to discover its source code thorough decompiling and recompiling a program’s code. That’s why it’s important to block unauthorized access and debugging. This can be accomplished by changing line numbers and file names in debug data, or removing debug information altogether.
Code Obfuscation Helps Combat Hacking
Attacks on software, applications, and even home IoT devices are a constant. Attacks are growing as more of our personal lives and valuable data and information move online. Understanding or knowing how to obfuscate code is a key element of our defense against hackers and bad actors. For companies looking to protect their intellectual property and the data of their customers, code obfuscation is one of the most powerful tools in their arsenal.
Even for open source software, it’s essential to maintain trusted environments for communication, storage, and transfer of data. That’s why Intertrust has focused its resources and experience on developing and employing industry-leading code obfuscation techniques in its flagship whiteCryption security solution. whiteCryption Code Protection and Secure Key Box form part of an overall application hardening package that keeps valuable information such as cryptographic keys, proprietary algorithms, and user data secure.
About Juris Olekss
A seasoned security professional, Juris has spent more than 17 years in the IT and security industries, with the majority dedicated to software security. Juris currently serves as a Senior Technical Writer for Intertrust’s whiteCryption application shielding solutions.