{"id":440,"date":"2017-12-12T08:28:36","date_gmt":"2017-12-12T13:28:36","guid":{"rendered":"http:\/\/jebware.com\/blog\/?p=440"},"modified":"2017-12-13T10:20:57","modified_gmt":"2017-12-13T15:20:57","slug":"most-of-the-apps-on-my-phone-arent-obfuscated","status":"publish","type":"post","link":"https:\/\/jebware.com\/blog\/?p=440","title":{"rendered":"Most of the apps on my phone aren\u2019t obfuscated"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">I think it\u2019s important for any app that deals with sensitive user data to incorporate code obfuscation into its security. \u00a0While far from impenetrable, it\u2019s a useful layer that makes it harder for reverse engineers to understand your app and use that knowledge against you. \u00a0If you\u2019ve wondered why I seem to be on a code obfuscation kick recently, it\u2019s because I\u2019ve noticed, anecdotally, that a lot of apps I expected to be using obfuscation weren\u2019t. \u00a0So I set out to see if I could do some research and turn that anecdote into data.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">I took all of the apps I have on my phone right now, and calculated how well the code was obfuscated (see methodology notes at the end of the post if you\u2019re curious). 
\u00a0Here are the points that jumped out at me:<\/span><\/p>\n<p><a href=\"http:\/\/jebware.com\/blog\/wp-content\/uploads\/2017\/12\/obfuscation-percentage.png\"><img loading=\"lazy\" class=\"aligncenter size-full wp-image-441\" src=\"http:\/\/jebware.com\/blog\/wp-content\/uploads\/2017\/12\/obfuscation-percentage.png\" alt=\"\" width=\"643\" height=\"422\" \/><\/a><\/p>\n<ul>\n<li><strong>Most of the apps on my phone aren\u2019t obfuscated.<\/strong><span style=\"font-weight: 400;\"> 53% of apps fall in the 0-20% obfuscated bucket, which means they probably didn\u2019t have ProGuard turned on at all.<\/span><\/li>\n<li><strong>Most of the remaining apps are poorly-to-medium obfuscated.<\/strong><span style=\"font-weight: 400;\"> The next 35% of apps are 20-60% obfuscated, which means they probably put some effort into obfuscating the code, but weak configurations (<a href=\"https:\/\/jebware.com\/blog\/?p=418\">like overusing the -keep directive<\/a>) have kept much of their code un-obfuscated.<\/span><\/li>\n<li><strong>A small portion of apps are well obfuscated.<\/strong><span style=\"font-weight: 400;\"> Just 12% of apps are in the 60+% obfuscated range, where most of their code is very difficult to follow.<\/span><\/li>\n<\/ul>\n<p><strong>Why would an app with ProGuard turned off have a score greater than 0?<\/strong><span style=\"font-weight: 400;\"> A small part of that would be due to false positives (see the \u201cMethodology\u201d section, below), but most is due to third-party library code that has its internal implementation details obfuscated before that code is even packaged into an app.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Methodology<\/span><\/h3>\n<ul>\n<li><strong>Corpus<\/strong><span style=\"font-weight: 400;\"> &#8211; As alluded to in the post, I ran this analysis on the apps that I have installed on my personal phone. \u00a0This group of apps probably isn\u2019t a perfectly representative sample of apps on the app store. \u00a0It is, however, a representative sample of apps that I actually care about \ud83d\ude42<\/span><\/li>\n<li><strong>Tools<\/strong><span style=\"font-weight: 400;\"> &#8211; to calculate the \u201c% obfuscated\u201d metric, I used the <code>apkanalyzer<\/code> tool included in the Android SDK. \u00a0Looking through the classes, methods, and fields, I counted the number whose names appear to have been obfuscated (see next point), and divided that by the total number of classes, methods, and fields to get a ratio.<\/span><\/li>\n<li><strong>Metric<\/strong><span style=\"font-weight: 400;\"> &#8211; deciding whether something has been obfuscated isn\u2019t straightforward; different obfuscation methods will yield different results. \u00a0But I know ProGuard is a common tool for Android obfuscation, and by default it renames classes, methods, and fields to single-character names (a, b, c, ...), so I checked for single-character names. \u00a0This has the potential for false positives (e.g. x, y, z in a graphics data class would register as obfuscated even though those are probably the original names) and false negatives (any other obfuscation method might choose different names which aren\u2019t single-character, which this analysis would miss; even ProGuard moves on to two-character names like aa and ab once it has used up the single-character names within a package or class, so heavily obfuscated code with many members is under-counted too).<\/span><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>I think it\u2019s important for any app that deals with sensitive user data to incorporate code obfuscation into its security. \u00a0While far from impenetrable, it\u2019s a useful layer that makes it harder for reverse engineers to understand your app and use that knowledge against you. 
\u00a0If you\u2019ve wondered why I seem to be on a code obfuscation kick recently, &hellip; <a href=\"https:\/\/jebware.com\/blog\/?p=440\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Most of the apps on my phone aren\u2019t obfuscated&#8221;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":441,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"twitterCardType":"summary_large_image","cardImageID":0,"cardImage":"","cardTitle":"","cardDesc":"","cardImageAlt":"","cardPlayer":"","cardPlayerWidth":0,"cardPlayerHeight":0,"cardPlayerStream":"","cardPlayerCodec":""},"categories":[4,16],"tags":[],"_links":{"self":[{"href":"https:\/\/jebware.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/440"}],"collection":[{"href":"https:\/\/jebware.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jebware.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jebware.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jebware.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=440"}],"version-history":[{"count":6,"href":"https:\/\/jebware.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/440\/revisions"}],"predecessor-version":[{"id":447,"href":"https:\/\/jebware.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/440\/revisions\/447"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jebware.com\/blog\/index.php?rest_route=\/wp\/v2\/media\/441"}],"wp:attachment":[{"href":"https:\/\/jebware.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=440"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jebware.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=440"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jebware.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=44
0"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
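The counting step that the post's Methodology section describes, written out as an added example (this is not code from the original post or from its author): a Python script that reads the output of `apkanalyzer dex packages --defined-only app.apk`, takes the simple name of each defined class, method and field, and reports the share that are single characters, the shape ProGuard's default renaming produces. The column layout it parses (type, state, defined count, referenced count, size, name) is my reading of apkanalyzer's output and should be checked against your SDK version; the embedded report is constructed, not captured from any real app. It goes a little beyond the post by skipping constructors and compiler-numbered anonymous classes, accepting a list of single-letter names to treat as legitimate (the x, y, z false positive the post mentions), and listing the names that were not renamed, which is where an over-broad -keep rule shows up.

```python
"""Score an APK's name obfuscation the way the post's methodology describes.

Input is the text of `apkanalyzer dex packages --defined-only app.apk`.
Assumed line layout (my assumption; check it against your SDK version):
    <type> <state> <defined> <referenced> <size> <name...>
where type is P/C/M/F and state d marks nodes defined in this APK.
"""
import re
import sys

LINE_RE = re.compile(r"^([PCMF])\s+([a-z])\s+\d+\s+\d+\s+\d+\s+(.+?)\s*$")

# Constructed sample report (not from a real app): a kept Activity, one
# renamed class, and a Point class whose x/y fields are legitimate names.
SAMPLE_REPORT = """\
P d 6\t0\t400\tcom
P d 6\t0\t400\tcom.example
P d 4\t0\t300\tcom.example.app
C d 2\t0\t150\tcom.example.app.MainActivity
M d 1\t0\t40\tcom.example.app.MainActivity void <init>()
M d 1\t0\t60\tcom.example.app.MainActivity void onCreate(android.os.Bundle)
F d 0\t0\t8\tcom.example.app.MainActivity java.lang.String TAG
C d 2\t0\t150\tcom.example.app.a
M d 1\t0\t40\tcom.example.app.a void <init>()
M d 1\t0\t50\tcom.example.app.a boolean a(java.lang.String)
F d 0\t0\t8\tcom.example.app.a int b
C d 1\t0\t60\tcom.example.app.Point
F d 0\t0\t8\tcom.example.app.Point float x
F d 0\t0\t8\tcom.example.app.Point float y
M r 0\t1\t0\tjava.lang.Object void <init>()
"""

UNRENAMEABLE = {"<init>", "<clinit>"}  # constructors keep their JVM names


def bucket(ratio: float) -> str:
    """Map a ratio onto the three bands the post uses."""
    if ratio < 0.2:
        return "0-20%"
    if ratio < 0.6:
        return "20-60%"
    return "60%+"


def simple_name(kind: str, name: str) -> str:
    """Return the identifier a renaming obfuscator would rewrite."""
    if kind == "C":  # com.example.app.Outer$Inner -> Inner
        return name.rsplit(".", 1)[-1].rsplit("$", 1)[-1]
    if kind == "M":  # "pkg.Cls void onCreate(android.os.Bundle)" -> onCreate
        return name.split("(", 1)[0].rsplit(" ", 1)[-1]
    if kind == "F":  # "pkg.Cls java.lang.String TAG" -> TAG
        return name.rsplit(" ", 1)[-1]
    raise ValueError(f"unexpected node type {kind!r}")


def score(report: str, ignore: frozenset = frozenset()) -> dict:
    """Count defined classes/methods/fields and those with one-character names.

    `ignore` holds one-character names to treat as legitimate (x, y, z in
    geometry code). "kept" lists every name that was *not* renamed, which is
    the quickest way to spot an over-broad -keep rule.
    """
    total = {"C": 0, "M": 0, "F": 0}
    short = {"C": 0, "M": 0, "F": 0}
    kept = []
    for line in report.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, state, name = m.groups()
        if kind == "P" or state != "d":  # skip packages and referenced-only nodes
            continue
        ident = simple_name(kind, name)
        if ident in UNRENAMEABLE or ident.isdigit():  # Outer$1 is compiler-made
            continue
        total[kind] += 1
        if len(ident) == 1 and ident not in ignore:
            short[kind] += 1
        else:
            kept.append(name)
    n = sum(total.values())
    ratio = sum(short.values()) / n if n else 0.0
    return {"total": total, "short": short, "ratio": ratio,
            "bucket": bucket(ratio), "kept": kept}


def main(argv: list) -> int:
    """usage: score.py [report.txt] [legitimate-single-char-name ...]"""
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_REPORT
    r = score(text, ignore=frozenset(argv[2:]))
    for kind, label in (("C", "classes"), ("M", "methods"), ("F", "fields")):
        print(f"{label:8} {r['short'][kind]:5d} / {r['total'][kind]:5d} one-character")
    print(f"overall  {r['ratio']:.1%} obfuscated, {r['bucket']} bucket")
    print("not renamed:", *r["kept"], sep="\n  ")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to score the embedded sample (5 of 9 renameable names are one character, so it lands in the 20-60% band); pass a saved apkanalyzer report as the first argument and any letters to whitelist after it, e.g. `python3 score.py report.txt x y z`. The "not renamed" list is the part worth reading when a score looks low: every entry there is a class, method or field that survived ProGuard with its original name.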