By Matthew Loong
What is Code Obfuscation?
Code obfuscation is the act of "mixing up" and "masking items" in a source code to make it harder for a person to reverse engineer and modify the code. Unless the code is intended to be open source, obfuscation should be a key step for any developer worth his salt. Obfuscation is also used maliciously to prevent malware from being detected by anti-virus solutions.
There are many techniques to obfuscate code, which are represented in the tree diagram below.
Source: Springer - Xu, Zhou, Ming, Lyu
Demonstrating Obfuscation on a .NET DLL File
I will demonstrate how code is obfuscated and highlight the characteristics observed after obfuscation.
1. Build DLL
I first build the target dll with Visual Studio using an arbitrarily chosen C# file called Utility.Security.
2. Obfuscate DLL
Next, I obfuscate the code using tool ConfuserEx, which can be found in the link below. As you can see from ConfuserEx's interface, obfuscating protections are progressively layered on the dll file.
3. Decompile DLL
To compare the differences between an unobfuscated file and an obfuscated file, we decompile them respectively using dotPeek by JetBrains.
Unobfuscated
Obfuscated
As you can see above, the IL code is not available, which means that the decompiler is unable to re-create control flow of the code.
Further examining the decompiled codes above (left - unobfuscated, right - obfuscated), we observe that strings, such as the hardcoded encryption keys in this case, are encrypted post-obfuscation.
In addition, there is name obfuscation, XOR masking and method call redirection.
Comparing the unobfuscated assembly with the obfuscated assembly above, we can also see that there are more complicated instructions in the obfuscated assembly.
Additional Protection
While the above serves as a reasonable protection, using an even more aggressive obfuscator will prevent decompiling. Other further obfuscation techniques include, compression, virtualization and using symbol files.
FAQs
Obfuscation application makes the code unreadable, demotivates hackers from advancing in their malicious attempts, and protects the mobile application from the inside by alerting the app's stakeholders about a potential security threat.
How effective is obfuscation? ›
JavaScript Obfuscation can make it extremely difficult for hackers to reverse-engineer, analyze and exploit the application. Advanced obfuscation techniques include control flow alteration, literal transformation, property access transformation and local declaration mangling.
What is the disadvantage of code obfuscation? ›
In some cases, malicious actors include vendor-specific techniques. Another disadvantage of obfuscation is it can make code more difficult to read. For example, code that uses the string encryption obfuscation method requires decryption of the strings at runtime, which slows performance.
What is the best obfuscation method? ›
Top data obfuscation methods
Three of the most common techniques used to obfuscate data are encryption, tokenization, and data masking. Encryption, tokenization, and data masking work in different ways. Encryption and tokenization are reversible in that the original values can be derived from the obfuscated data.
Is code obfuscation worth it? ›
The benefits of code obfuscation are numerous: It defends open-source code information and data. It can eliminate debugging loopholes. It slows down hackers trying to re-engineer programs and applications.
Why is obfuscation not as secure as encryption? ›
Encryption provides confidentiality for sensitive information by converting code into ciphertext, making it unreadable to anyone who does not have the decryption key. Obfuscation, on the other hand, does not provide confidentiality, as the code remains in a readable form, just more difficult to understand.
What is better security through obfuscation? ›
In security engineering, security through obscurity is the practice of concealing the details or mechanisms of a system to enhance its security. This approach relies on the principle of hiding something in plain sight, akin to a magician's sleight of hand or the use of camouflage.
What is an example of security through obfuscation? ›
Companies like Google employ software developers who use JavaScript obfuscation to protect intellectual property and make their code harder to read, which also reduces file size for efficiency.
What are the advantages of code obfuscation? ›
Code obfuscation makes it tough for hackers to figure out how the app works, so they can't easily find ways to break in and steal data. Cryptographic safety: When you use encryption to keep things safe, obfuscation can make sure the encryption stays strong.
Does code obfuscation use encryption? ›
Code encryption is one of many tactics employed in code obfuscation. Obfuscation attempts to make a program hard for human readers to understand. Programmers typically obfuscate code to protect intellectual property and prevent the reverse engineering of proprietary software.
Obfuscation rules define what logs to apply obfuscation actions to. Obfuscation rule actions define what attributes to look at, what text to obfuscate, and how to obfuscate (either by masking or hashing). Obfuscation expressions are named regular expressions identifying what text to obfuscate.
What is the fallacy of obfuscation? ›
An Example of Obfuscation Fallacy
It allows you to say "you're wrong" but leaves the other person thinking you said "you're right". Deliberately clouding the message to help press home a point or to avoid answering a difficult question means you are committing the Obfuscation Fallacy.
How to make your code unreadable? ›
Single Letter Variable Names
If you call your variables a, b, c, then it will be impossible to search for instances of them using a simple text editor. Further, nobody will be able to guess what they are for.
What is the best code obfuscation software? ›
Some of the best code obfuscation tools include ProGuard for Java bytecode, DexGuard for Android applications, ConfuserEx for . NET assemblies, Dotfuscator, and SmartAssembly. These tools offer features like renaming, string encryption, and control flow obfuscation to make reverse engineering more challenging.
Can you reverse obfuscation? ›
The difference between the original code and the obfuscated code are then analyzed. The results show that it is possible to reverse engineer obfuscated code but some parts.
Is obfuscation security through obscurity? ›
Obfuscation IS at least partly security through obscurity. However, that doesn't mean it's a bad idea. The thing is, security by obscurity is an often-misunderstood term. Here's an example.
