- Source code obfuscation is the practice of modifying code to make it harder to understand.
- Obfuscation is an important tool for increasing the security of software applications.
- There are a number of source code obfuscation techniques that cyber security professionals deploy.
- The most common source code obfuscation techniques include data transformation, code flow obfuscation, string and address obfuscation, and obfuscation of assembly code instructions.
Source code obfuscation techniques—Tools of the trade
Every day the number and range of methodologies and malicious programs hackers use to gain unauthorized access to applications, devices, and personal information increases. Often software code itself provides the entry point for attack. In 2020, a full 35% of breaches could be traced to scanning for and exploiting code vulnerabilities, making it the single most common initial infection vector, even ahead of phishing. Fortunately, the security professionals who are tasked with protecting the online world have their own arsenal of tools to fight back.
One of the most important weapons available to developers and security teams in the war against application piracy, device infiltration, code injection, and other malicious acts, is source code obfuscation. But what is source code obfuscation and what does it mean in a software development context? Here we’ll take a closer look.
What is source code obfuscation?
Source code obfuscation transforms application source code to make it more difficult and time-consuming to understand, without affecting the program’s execution. Source code obfuscation tools use a variety of techniques to make code indecipherable to hackers so they cannot discover vulnerabilities, steal keys, data, or IP, or find other ways to compromise applications. Having a clear strategy on how to obfuscate code, using overlapping techniques, helps to mitigate the risk from decompilers and attackers trying to reverse engineer a program. OWASP lists reverse engineering as a top threat to application security as it provides the launching pad for most types of attacks.
To give a better idea of how obfuscation in programming works, here are some of the most common obfuscation security techniques used by developers around the world.
Seven common source code obfuscation techniques
1. Data transformation
An important element of source code obfuscation is transforming the data processed by the program into another form, which has a minimal effect on the performance of the code, but makes it harder for hackers to break it down or reverse engineer.
Examples of how to obfuscate code in this way include using the binary form of numbers to make source code more complex, changing the form in which data is stored, or replacing a value with an expression.
2. Code flow obfuscation
By changing the control flow of the code, the orientation of the code is changed. This means that although the final results are the same, it takes a lot longer to understand why the code takes a certain direction or where it is going.
Control flow obfuscation in programming can be performed by altering the order of program execution statements, changing the control graph by inserting arbitrary jump instructions, and converting tree-like conditional constructs into flat switch statements as shown in the following diagram.
3. Address obfuscation
This technique, used by some source code obfuscation security tools, alters the addresses of program data and code to create unpredictability and make it more difficult to exploit. When an application is built, the obfuscation algorithm randomizes the absolute locations of some code and data in memory, and the relative distances between different data items. This not only reduces the likelihood of successful attacks, it also means that even if a hacker is successful on one application or device, they will not be able to replicate it on others, reducing the benefit of reverse engineering a program.
4. Regular renewal of obfuscated code
This technique proactively prevents attacks by regularly issuing updates of obfuscated software, frustrating hacker attempts to crack the system. By occasionally replacing existing software with newly obfuscated instances, an attacker is forced to abandon their existing analysis. In the end, the effort of breaking through the obfuscation security exceeds the value gained.
5. Objective-C message call and metadata obfuscation
Source code obfuscation tools such as Intertrust’s application shielding solution, obfuscate Objective-C code in two ways. First, they obfuscate plain text message calls contained within the source code to ensure they are not easily readable and editable. Second, they encrypt some of the Objective-C metadata to conceal sensitive information from static analysis tools such as names of categories, classes, methods, protocols, class properties and instance variables, as well as method arguments and their types. The encrypted data is only decrypted at runtime when the obfuscated application is loaded.
6. Obfuscation of assembly code instructions
Transforming and altering the assembly code can render it more difficult to reverse-engineer. One such method is to use overlapping assembly instructions (also known as “jump-in-the-middle” method) that hide code within other code, causing a disassembler to produce incorrect output. Assembly code can also be strengthened against penetration through the inclusion of unnecessary control statements and garbage code.
7. Obfuscating debug information
Debug information can be used for reverse engineering a program to discover its source code through decompiling and recompiling a program’s code. That’s why it’s important to block unauthorized access and debugging. Source code obfuscation tools accomplish this by changing line numbers and file names in debug data, or removing debug information altogether.
Source code obfuscation in programming helps combat hacking
Attacks on software, applications, and even home IoT devices are a constant. Attacks are growing as more of our personal lives and valuable data and information move online. Understanding or knowing how to obfuscate code is a key element of our defense against hackers and other bad actors. For companies looking to protect their intellectual property and the data of their customers, effective source code obfuscation and tools that apply source code obfuscation and other embedded application protections are among the most powerful weapons in their arsenal.
Intertrust has focused its resources and experience on developing and employing industry-leading source code obfuscation techniques in its flagship whiteCryption application security solution. whiteCryption Code Protection and Secure Key Box form part of an overall in-app protection package that keeps valuable information such as cryptographic keys, proprietary algorithms, and user data secure.
About Juris Olekss
A seasoned security professional, Juris has spent more than 17 years in the IT and security industries, with the majority dedicated to software security. Juris currently serves as a Senior Technical Writer for Intertrust’s whiteCryption application shielding solutions.