Prevention of APK Reverse Engineering – Implementing DexGuard for Oracle Siebel Cross-platform Mobile App

RapidValue

Share

php programming – programmer working on new website development. there is no copyright risk on code visible on monitor.

Developing enterprise mobile applications necessitate several factors to be considered starting with business requirements, authentication mechanisms, mobile app performance and security. A thorough security audit is needed to ensure code security. Needless to mention, code security is of utmost importance while developing an enterprise mobile application.

This article is based on a project, I worked on recently. The blog addresses some of the recommendations and concerns to be addressed while implementing DexGuard for Oracle Siebel cross-platform mobile application.

App Integration with Oracle Siebel CRM

I implemented a tool, Dexguard for a mobile application for code security. With this implementation, the issues could be addressed to a great extent using the R&D mechanism and by identifying a new tool.

The recently developed cross-platform mobile app (built on Cordova) integrated to Oracle Siebel CRM system, where the client had a specific requirement. The client wanted to avoid the reverse engineering of the Android Build (APK aka Android Package).The client, being one of the leading telecom service providers, for them code security was one of their major concerns. In order to ensure that the application is both dependable and secure, the code had to be concealed from any individual who tried to reverse engineer or decompile the package.

The Research

The requirement was clear. The codebase that was written, had was not to be revealed. This meant that there was a dire need  to obfuscate the native Android code. A small study was conducted and it was found that native Android application developers used ProGuard to achieve the same. ProGuard is an optimizer tool which can be used to shrink and optimize the Java Bytecode and provide enhanced performance to the final build/package. The app was developed using Apache Phonegap (Cordova) cross-platform technology which supports both iOS and Android.

Feasibility Check in a Cordova Application

A critical question that arose was, “can developers go with ProGuard for a Cordova application?” and the answer was positive. After all, Cordova runs on a native layer, hence, developers can implement ProGuard in Cordova plugin. But how about the level of obfuscation that needs to be achieved?” The compatibility and feasibility check provided the answers.

What started was integrating ProGuard to the Android Application. The procedure to integrate was simple and effective. There were some more questions regarding the output which needed to be answered. Was obfuscation easy in an Android application? What will be achieved if this works?

It took few hours to get to know about ProGuard and its integration to the project via Gradle. ProGuard enabled build was ready to be worked upon.  ProGuard build was installed to the device and within no time of launching the application, the application ended up crashing. This was not expected. 

Developers checked through the device logs to find the root cause for the crash.

Around 30 native plugins were installed and nobody was sure which native code had caused this crash. None of these native codes were written by the developers. It was quite difficult to start learning each and every line of code of these native plugins.

After spending a lot of time on ProGuard, developers found that adding rules to the ProGuard will do the needful but still, they were not sure how to proceed as one should be familiar with the native code to add the rules.

Configuring ProGuard with Mobile Application

Rules are configurations which defines how ProGuard should behave with the native code. One can add a rule to exclude obfuscation to a particular Java class or change the level of obfuscation. The following is an example.

-keep public class * extends com.yourapp.AppActivity

Adding this rule will let ProGuard know that the AppActivity class shouldn’t be obfuscated.

One major outbreak in this research was avoiding the core Cordova classes from obfuscation. The following rule had to be added to avoid crashing of the app.

-keep public class org.apache.cordova.** { *; }

Reason: ProGuard obfuscates core Cordova classes and MainActivity (The very first activity which gets invoked while application is launched). At Runtime, Cordova plugin fails to create the web view as it cannot find the reference classes since, they are already obfuscated.

Hence, we  managed to add few rules and build a ProGuard enabled package. But the approach did not seem to be much convincing. It was visible and evident that the code was not obfuscated properly.

Upgrade from ProGuard to DexGuard for Better Code Obfuscation

This drawback had repercussions. Developers were keen on finding more tools which would prove to be more efficient and time saving since they had already spent a lot of time on ProGuard. This search resulted in discovering a licensed tool called ‘DexGuard.

What is DexGuard and how is it Different from ProGuard?

This is an important question and some of the probable ‘non-technical’ answers are provided below.

  • DexGuard handles dynamic reference to classes. ProGuard doesn’t.
  • DexGuard provides multiple levels of encryption and obfuscation. ProGuard provides only minimal obfuscation.
  • DexGuard processes all components of application and ProGuard works only on Bytecode.

For more detailed ‘technical’ differences between DexGuard and ProGuard from the link.

Requirements for Getting a Licensed Version

DexGuard works as per the package name provided to the DexGuard team. Hence, you have to make sure that the package name you share is correct. The e-mail id provided will be used for communication purposes and it grants you the access to a developer console.

Integration of DexGuard Library with Application

Once the payment is completed for licensed version, you can get access to a developer console where you can download the documentation and libraries of DexGuard. DexGuard gives access to numerous configurations, each having its own behavior. There is no complexity in the integration part as DexGuard pack comes with various examples which are well-drafted and features clear documentation.

Results after Integrating DexGuard

dexguard

This is the result obtained after integrating DexGuard. The requirement is ‘closed’, hereafter. Thanks to DexGuard for the app size is decreased by 20% now and works perfectly fine.
DexGuard the team could achieve full prevention of APK decompilation. Though there is a general perception that you cannot prevent 100% APK decompilation, (which is to some extent true) you can get better results while achieving almost full prevention by using DexGuard.

Valuable Inputs Inferred from the Application Process

  • Obfuscation of code is always a good practice. ProGuard is recommended from the initial stages of the application itself. This will make the process less time consuming and save much effort.
  • Get familiarized with decompiling tools like APKtool. This will be handy.
  • For enterprise applications, DexGuard is a worthy tool without a doubt as the level of obfuscation attained is more than ProGuard (which provides a basic level of obfuscation).

Conclusion

ProGuard, properly configured is used extensively to obfuscate the code. This makes it harder to reverse engineer Android APK. DexGuard (which is the extended version of ProGuard) is the commercial version that provides advanced security to protect Android applications. It’s a tool which is specialized for Android applications and libraries. DexGuard supports optimization and obfuscation of manifest file, resource files, asset files and native libraries while proving extremely effective in preventing APK reverse engineering.

By,
Ramchand Br, Senior Software Engineer, RapidValue

How can we help you?