Introduction

The hazards of hacking and its corresponding disasters have become so precarious that the developers and organizations take utmost care to lessen their occurrence and the impact. Code obfuscation is one such strategic move that, when performed, keeps administered codes away from the reach of bad actors.

The post throws light on code obfuscation’s nitty-gritty and key procedures used to bring into action.

What is code obfuscation?

A hacking preventive stratagem, code obfuscation comprises remodeling certain attributes of at-work codes with a motive to make it inaccessible for tracking, interpretation, and useful for cybercriminals while it rests viable for the developers.

The modification can be done on metadata/instructions without hampering the final output that the targeted code brings for the application development.

Adopting this approach enables developers to make the application/program robust against hacking attempts. This procedure works remarkably on all the available code types.

How does obfuscation work?

Obfuscation takes the help of multipart and thwarted logic to make the code infrastructure intense. The higher code complexity necessitates much work from the reader’s side. Here, the reader could be a device, personal, or application. 

To accomplish the obfuscation for programming languages like Java, OS like Android and iOS, and .NET development platform, decompilers are offered. Decompilers are used for original code reverse engineering. 

For example, we used obfuscator.io to convert this simple code into obfuscated one:

On clicking Obfuscate, the code became:

To confirm the correctness of this code, you can also Evaluate the code output using this tool.

Obfuscation tools also allow downloading the changed code files so that you could use them.

For manually following this process, developers use various methods. You can read about them in the next section so that you could also try the same.

Code obfuscation techniques

Depending upon the needs, obfuscation can be either applied at the lexical/semantic code structure or during the control flow. The multifariousness of techniques occurs as per the changes it brings to administered code, upon application. Some of the key code obfuscation techniques that developers can use are quoted below. 

• String Encryption

Strings are the part of a well-managed executed code and can be spotted easily. It’s so immediately available to read and hack that renaming variables and methods won’t bring much value as strings can still provide string references for vital codes. To make sure strings are not targeted by hackers, string encryption is used. Adding encryption layers allows a string to cover the targeted code and reveal the details only when it’s needed.

Example: 

There are multiple tools like Code Beautify that lets you select the encryption algorithm, mode, and use a key to encrypt your strings. Here is a demo:

These tools also allow you to decrypt your strings when needed. When you use the same key, algorithm and modes, the output will be the same.

In your code, you can use the encrypted strings and enable the decryption algorithm whenever there is a need for showing the output to your users or verify/testing the code. 

• Rename Obfuscation

As clear from its name, this method entails revising the names assigned to variables or methods to confuse the hackers. While doing so, renaming obfuscation doesn’t influence the program functionality. This means, your changeable names must be made unrecognizable only no other change should be made in the code.

Depending upon the developer’s preference, the new naming scheme could feature characters, readable or unreadable, and numbers. This is one of the most primary code obfuscation methods for Java, Android, .NET, and iOS.

Let us give you an example.

Code before its Obfuscation

public static int strComparison(String string_to_compare1, String string_to_compare2)
    {  
      for (int i = 0; i < (Math.min(string_to_compare1.length(), string_to_compare2.length())); i++) {
            if (((int)string_to_compare1.charAt(i)) != ((int)string_to_compare2.charAt(i))) {
                return ((int)string_to_compare1.charAt(i)) - ((int)string_to_compare2.charAt(i));
            }
        }
        if (Math.min(string_to_compare1.length() != Math.min(string_to_compare2.length()) {
            return (Math.min(string_to_compare1.length()) - (Math.min(string_to_compare2.length());
        }  
        else {
            return 0;
        }
    }

Code after its Obfuscation

public static int compareStr (String s1, String s2)
    {  
        int l1 = s1.length();
        int l2 = s2.length();
        int min_len = Math.min(l1, l2);  
        for (int i = 0; i < min_len; i++) {
            int s1_ch = (int)s1.charAt(i);
            int s2_ch = (int)s2.charAt(i);  
            if (s1_ch != s2_ch) {
                return s1_ch - s2_ch;
            }
        }  
        if (l1 != l2) {
            return l1 - l2;
        }  
        else {
            return 0;
        }
    }

• Dummy code insertion

It suggests the introduction of dummy code in the original code. This dummy code has no influence on the program’s logic but makes reverse engineering a tough task.

• Removal of Metadata or unused/non-crucial code

The presence of unwanted/useless metadata or code is a golden opportunity for hackers. So, using this method, the entire non-crucial information, whether code or output or comments, are removed. This method improves application performance.

• Instruction pattern transformation

It requires altering the basic compiler-created instructions. The techniques only use legally generated instructions that higher-level language like C# or Java can’t map out elaborately.

• Opaque predicate insertion

This insertion technique needs you to add intentionally-incorrect code to primary code with a motive to puzzle the attacker. This code remains dormant.

• Address Obfuscation

It involves randomizing the virtual address of code and data of the program every time an obfuscated code is functional. It reduces the impact of memory-error attacks and makes them ineffective.

• Debug Obfuscation

If an attacker obtains the debugging information of a code then crucial related information and deployed obfuscation strategy implemented will be revealed. Debug method requires removing or masking redundant debug details from the code.

• Control Flow Obfuscation

This process involves hiding the control flow adoption from the hackers. To achieve this goal, the technique uses procedures like introducing the dead code that won’t meet the conditional logic ever.

• Code transposition

Code transposition is a technique involving shifting all the global functions and statements to a unified statement.

• Anti-Debug

You may add your confiscated code to the application layer of your program to figure out whether or not the application is functional in a debugger. It makes early detection of the presence of a debugger possible and prevents unforeseen damages such as crucial data corruption, unwanted custom actions, and random warning signals. 

• Anti-Tamper

If a hacker can recognize the tampering then s/he will be able to obstruct the functionality of the solution, execute arbitrary application crashes and actions, and shut down it anytime. The anti-tamper technique involves making the code foolproof, specially against tampering.

How to Determine if the obfuscation was Successful?

Once the hacking, tempering or editing jobs on code doesn’t succeed, code obfuscation technique implementation is done. Ensuring its successful functionality is crucial as then only your programming data and related application will be protected properly. 

The success of this prevention technique depends on assorted elements as explained below:

• The Resilience

All the efforts, invested towards the code obfuscation technique, will only reap benefits when your obfuscated or jumbled code can withstand intruders and all their de-obfuscation attempts. If it doesn’t break after all of this then congratulations as your code is strong and will keep hacking at bay.

• The Differentiation

With code differentiation, we refer to the differences between the actual code and the altered code. If the differences are at nesting, control flow, and inheritance level then it’s very tough for the hacker to decode the code.

• Ability to go unnoticed

While the new code that you’ve obfuscated should be different from the original code at various levels, it should remain similar to previous one, in order to confuse the threat actor. If that happens then it would be very hard for an attacker to fetch the actual code by using methods like reverse engineering. It means, your application’s code is now safe.

• The Effective Utilization of Resources and Cost-effectiveness

The invested resources shouldn’t be exceedingly high while you are involving obfuscation in your development cycle, because doing so will only double-up the operational burden. An intelligent decision for this will be to use methods that can be deployed quickly and work within available means.

Obfuscation Advantages and disadvantages

Adopting obfuscation can be beneficial in multiple manners for developers and end-users:

• It grants a sense of security in today’s highly insured ecosystem.
• If a hacker is planning an attack then code obfuscation will delay it for a while. 
• Open-source applications can become safer than before.
• During the process, useless metadata and useless codes are removed leaving the source code more optimized. Such optimized codes are easy and faster to execute.
• Adherence to compliances is improved.

However, not everything about this technique is so promising and worthy. There are certain demerits as well. 

• Technique application will reduce the efficacy of the code. Even though it’s very minimal, it’s there.
• Some of the high-end automated de-obfuscators can decrypt your code and reduces process’s impact.
• 100% protection, in the case of reverse engineering, is not obtained. 

Effect of Code Obfuscation on Application’s or Code’s Performance

One can’t expect zero impact on the original code world when certain alterations are done. The impact intensity depends on the technique you are using for obfuscation. 

For instance, if you are renaming only, you can expect the least possible performance as it involves only methods, classes, variables, and similar data.

However, its impact on control-flow is considerable as it forces code to pass through different loops. Also, if multiple methods or iterations of obfuscation are put into action, code performance will reduce largely.

How to obfuscate C, C#, and C++

C, C#, and C++ are the most commonly used programming languages and it’s easier to obfuscate the programs written in all these languages.

In the case of C-based code, obfuscation can be done by compiling the code and binary distribution. 

C and C++-based code can also be obfuscated using aids like Another Tool for Language Recognition (ANTRL). It is a high-end parser generator that accepts the C/C++ codes as input, seizes their hierarchy, and transmutes them as AST. This serves as a fundamental factor for obfuscating the technique’s algorithm. 

As compared to C/C++, codes generated using the C# are effortless when thinking from the obfuscation perspective. The reason begin is the presence of metadata, which is absent in the other two options. Also, the presence of intermediate language in C# makes original code decompiling easier than ever. 

Crypto Obfuscator is the most commonly used tool for obfuscation on C#. Automatically, safety measures like symbol renaming, string encryption, call hiding, and control flow modification, are applied. 

Obfuscating an API

As an API is a crucial part in a digital solution, obfuscating an API is a crucial API security strategy. It is accomplished in the manner, making changes in the methods, class, field, and identifiers. When done strategically, API obfuscation promotes secure application development.