Code Obfuscation As A Method Of Software Protection

Nowadays, cyber attackers are armed with an impressive range of weapons, from simple malware to sophisticated reverse engineering tools. Disassemblers, decompilers and other tools allow hackers to access and analyze application source code. With this information, hackers can abuse your software in various ways: by extracting sensitive information, adding malicious code and even cloning your applications.

A recent study by the security company Positive Technologies revealed that popular mobile banking applications are susceptible to hacking attacks. The most common cybersecurity issues identified had to do with the names of classes and methods being explicitly written in source code, a lack of protection against code injection and a lack of code obfuscation.

How does code obfuscation work?

Code obfuscation in particular is a promising practice for securing software. If you’re looking for ways to protect your software from intrusions, you may want to begin by hardening its defenses through obfuscating the code.

Obfuscation methods allow you to harden application code by transforming it to hide implicit values and conceal logic. These measures make it harder for an unauthorized third party to look under the hood of your software.

Most obfuscation techniques transform one of the following aspects of code:

* Data: Make code elements look like something other than what they are

* Control flow: Make the executable logic appear nondeterministic when the software is decompiled

* Layout structure: Format data, rename identifiers and remove code comments

Obfuscation tools work with source code, machine or binary code, and bytecode. To determine which type of code is best to obfuscate, you need to keep in mind the limitations of each choice.

When obfuscating source code, you may face challenges in handling and debugging the obfuscated code. Binary obfuscation is not only more complicated than the other two options but also has to be applied separately to each system architecture.

At my company, we often choose bytecode obfuscation, as in this case we don’t have to handle source code or machine code. However, when we get to transforming bytecode into machine code, it’s hard to keep all obfuscated code injections completely random.

How can you protect your app with code obfuscation?

For one of our recent projects, my team used the LLVM compiler, which helped us ensure a high level of bytecode protection with little impact on software performance. In addition to hardening code, this compiler can randomly place software license verifiers that make it nearly impossible for hackers to crack software.

While obfuscation is one of the secure coding practices recommended by OWASP, it still isn’t that popular among many developers. The main reason for this is that when overused, code obfuscation can harm software performance.

But if we’re talking about, say, a mobile banking app, the importance of securing a user’s bank account data is high enough to justify spending additional time and effort on balanced code hardening.

If you want to obfuscate code in the most effective way, here are some things to consider:

* Before obfuscating your code, you should decide which parts of your code can be obfuscated. Avoid obfuscating performance-critical code. Also, make sure obfuscation doesn’t affect software functionality in any way.

* Pay attention to the size and performance of the obfuscated code. When hardening a large piece of code, the execution time may increase up to 1,000 times.

* Add opaque predicates to the obfuscated code to make it impossible to understand where the code execution will go. Make the control flow graph look like a state machine execution rather than linear code execution.

* To create a layered defense, combine several transformation techniques. The more obfuscation techniques you use, the better your code will be protected.

* Use code obfuscation only as an additional layer of security, as it can’t substitute other security practices.
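As an added illustration of the data and control-flow transformations listed earlier and of the opaque-predicate advice above, here is a small C program that is not part of the original post and is not Apriorit's or LLVM's code. It compares a plain string check with an obfuscated version of the same check that (a) stores the constant XOR-encoded so the literal never appears in the binary's string table, (b) drives the comparison through a numbered-state dispatcher instead of straight-line code, and (c) gates the dispatcher on an opaque predicate that is always true but does not look that way to a naive static reader. The key "DEMO-KEY", the XOR byte 0x5A and the state numbers are constructed for the example; layout obfuscation (identifier renaming) is left out so the code stays readable.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reference implementation: the intent is obvious in any decompiler output. */
static int check_plain(const char *key) {
    /* Constructed example key, not a real product key. */
    return strcmp(key, "DEMO-KEY") == 0;
}

/* Data obfuscation: "DEMO-KEY" with every byte XORed against 0x5A.
 * The plaintext constant is only reconstructed at runtime. */
static const uint8_t kEncoded[] = { 0x1E, 0x1F, 0x17, 0x15, 0x77, 0x11, 0x1F, 0x03 };
static const uint8_t kXorKey = 0x5A;

static void decode(uint8_t *out, const uint8_t *in, size_t n, uint8_t k) {
    for (size_t i = 0; i < n; i++) out[i] = in[i] ^ k;
    out[n] = 0;
}

/* Opaque predicate: x*(x+1) is even for every integer x (one factor is even),
 * and reducing modulo 2^32 keeps the low bit, so this always returns 1.
 * A reader who does not know that sees a real-looking branch. */
static int opaque_true(uint32_t x) {
    return ((x * (x + 1u)) & 1u) == 0;
}

/* Control-flow flattening: the same comparison as check_plain, expressed as
 * a dispatcher over arbitrary state numbers rather than linear code. */
static int check_obfuscated(const char *key) {
    uint8_t buf[sizeof kEncoded + 1];
    unsigned state = 7;                 /* state numbers are deliberately non-sequential */
    size_t i = 0;
    int result = 0;
    uint32_t seed = (uint32_t)strlen(key);

    for (;;) {
        switch (state) {
        case 7:                          /* entry: materialise the constant */
            decode(buf, kEncoded, sizeof kEncoded, kXorKey);
            state = opaque_true(seed) ? 3 : 11;   /* 11 is unreachable in practice */
            break;
        case 3:                          /* compare one byte per iteration */
            if (buf[i] == 0 && key[i] == 0)      { result = 1; state = 5; }
            else if (buf[i] != key[i])           { result = 0; state = 5; }
            else                                 { i++; }
            break;
        case 11:                         /* decoy branch that looks live */
            result = (int)(seed & 1u);
            state = 5;
            break;
        case 5:                          /* exit: wipe the decoded constant */
            memset(buf, 0, sizeof buf);
            return result;
        default:
            return 0;
        }
    }
}

/* Functional-equivalence check a build pipeline could run after obfuscation. */
static int behaves_identically(const char *key) {
    return check_plain(key) == check_obfuscated(key);
}

int main(void) {
    const char *samples[] = { "DEMO-KEY", "DEMO-KEX", "DEMO-KE", "DEMO-KEY!", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s plain=%d obfuscated=%d same=%d\n", samples[i],
               check_plain(samples[i]), check_obfuscated(samples[i]),
               behaves_identically(samples[i]));
    return 0;
}
```

Two practical points follow from the example. First, the `behaves_identically` style of check is how you keep the "obfuscation must not affect functionality" rule honest: run the plain and transformed paths against the same inputs before shipping. Second, inspect the compiled output, because an optimizing compiler may fold or simplify a predicate it can reason about, and a reverse engineer with a symbolic-execution tool can do the same; the transformation raises analysis cost, it does not remove it, which is why it stays a supplementary layer.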

When properly implemented, code obfuscation is an effective solution for protecting your software against unauthorized analysis. It isn’t a silver bullet, but it will significantly complicate attempts to exploit and compromise your software.



Dennis Turpitka

I am the founder and CEO of Apriorit, an R&D company that provides software engineering services globally to tech companies for over 19 years