Protect Android App against reverse engineering

Christopher Ney
Dec 4, 2019

A simple way to attack an Android app is to decompile the APK and read the bytecode to retrieve interesting strings such as URLs, API secrets, user names and passwords.

The following picture shows a simple example of bytecode obtained by decompiling a sample Android app with the famous apktool program. As you can see, the secret key can easily be retrieved in a few minutes 😈.

Bytecode WITHOUT ProGuard & Enigma vs. WITH ProGuard & Enigma

In this case, of course, the hacking job looks very easy because the developer (in this case, me) forgot to enable an essential tool: ProGuard. ProGuard is a great tool natively integrated in Android Studio. To enable it, add a single line to the build.gradle file 🔧:

Enable ProGuard / R8

By enabling ProGuard (or R8) you get bytecode that is harder to read 🕵️‍♂️, because classes, methods and fields are renamed. Unfortunately, string literals are left untouched, so the secret value is still readable:

Bytecode generated with ProGuard enabled

One way to protect sensitive data is to encrypt it. For example, your code will look like this:

The secret key is encrypted with the AES algorithm

That is the job of the Enigma plugin! At compilation time, Enigma automatically encrypts your strings and injects fake secret keys into your code to lead attackers down the wrong path (honeypot).

Below is an example of the bytecode generated with the Enigma plugin activated:

Bytecode generated with ProGuard enabled & Enigma enabled
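
A release check for the comparison above, as an added example (not code from the original article or from the Enigma project): it scans the smali that apktool produces from your own build and reports `const-string` literals that are known secrets, URLs or high-entropy values. The smali excerpts, the secret value and the decrypt helper name are constructed for illustration.

```python
import math
import re
from collections import Counter

# smali string loads: const-string vN, "literal" (or const-string/jumbo)
CONST_STRING = re.compile(r'^\s*const-string(?:/jumbo)?\s+[vp]\d+,\s*"((?:[^"\\]|\\.)*)"')
URL = re.compile(r"^https?://", re.I)

def entropy(s):
    """Shannon entropy of s in bits per character."""
    n = len(s) or 1
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_smali(text, known_secrets=(), min_len=16, min_entropy=3.5):
    """Return (line_no, reason, literal) for each suspicious const-string."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = CONST_STRING.match(line)
        if not m:
            continue
        lit = m.group(1)
        if lit in known_secrets:
            findings.append((no, "known-secret", lit))
        elif URL.match(lit):
            findings.append((no, "url", lit))
        elif len(lit) >= min_len and entropy(lit) >= min_entropy:
            findings.append((no, "high-entropy", lit))
    return findings

# Constructed excerpt, shaped like a ProGuard-only build: literal still in clear.
PROGUARD_ONLY = """\
    const-string v0, "CONSTRUCTED-demo-secret-0001"
    return-object v0
"""
# Constructed excerpt, shaped like a string-encrypted build (hypothetical helper name).
STRING_ENCRYPTED = """\
    const/16 v0, 0x20
    new-array v0, v0, [B
    fill-array-data v0, :array_0
    invoke-static {v0}, Lcom/example/Hypothetical;->decrypt([B)Ljava/lang/String;
    move-result-object v0
    return-object v0
"""

if __name__ == "__main__":
    for build in (PROGUARD_ONLY, STRING_ENCRYPTED):
        print(scan_smali(build, {"CONSTRUCTED-demo-secret-0001"}))
```

An empty result only shows that the values no longer ship as plaintext literals. The app still decrypts them at runtime, so the key material is inside the APK and the protection raises the cost of static analysis rather than removing the secret.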

How to implement it?

To add the Enigma plugin to your project, follow these 3 steps 👨‍💻:

1- In the build.gradle project file, add the following lines:

Add Enigma Plugin to your project

2- In the build.gradle module file, add the following lines:

Define Enigma Plugin options

Options documentation: https://github.com/christopherney/Enigma

3- And finally, compile ⚙️! Nothing else to do!

Congrats 🎉! The strings in your source code are now encrypted 🔒!

How does Enigma work?

Enigma is a Gradle plugin. Each time you compile your source code (debug or release), Enigma runs its own tasks before the standard compilation tasks. The Enigma tasks are the following:

Enigma pipeline

Below is an example of source code that Enigma will encrypt automatically:

Sample source code

The next screenshot shows the source code as encrypted by Enigma at compilation time. This part is fully transparent for you!
Warning: You should not modify your string values yourself. The example below is just a sample of what Enigma does for you.

Source code obfuscated with Enigma (during compilation time, no developer action)

In the last screenshot, Enigma has encrypted all string values and encoded them as byte arrays (harder to parse). At the same time, a fake string was injected: TDFXQMLZND.

Pros & Cons

Pros:
- Super easy to integrate
- Zero impact on source code for developers
- Your source code stays readable during development
- Makes sensitive data harder to retrieve via reverse engineering attack
- Injects fake data to lead attackers down the wrong path (honeypot)
- Can be enabled anytime during the development lifecycle, even at the end 😜

Cons:
- Works only with Java (no Kotlin yet)
- Useless if ProGuard (or R8) is not activated
- Can slow down the app if there is too much data to decrypt
