Build38 logo


November 28, 2023

Securing Mobile Apps: The Vital Role of Code Obfuscation


Securing Mobile Apps: The Vital Role of Code Obfuscation

Mobile Application security has become a constant battle where developers struggle with the challenges of safeguarding sensitive data and intellectual property. At the forefront of this battle is the practice of code obfuscation, a process that renders applications resistant to decompilation, disassembly, and human comprehension. In this article, we will look into the depths of code obfuscation and its role within the broader context of Mobile Application security.


Understanding Code Obfuscation

At its essence, code obfuscation is a security measure that involves making applications challenging, if not impossible, to decompile or disassemble. This process extends beyond mere obfuscation of method names; it includes the injection of additional code, rendering the application codebase more intricate and perplexing for potential adversaries. The overarching goal is to limit the unauthorised access and manipulation of the code, protecting the intellectual property within the Mobile Apps.  Developers face the daunting task of fortifying their code at various layers to attain the level of protection required for securing sensitive data and proprietary information in Mobile Applications. Application shielding, of which code obfuscation is a crucial component, forms a comprehensive strategy to frustrate hackers in their attempt to reverse engineer or modify an application.


Decoding the Power of Code Obfuscation with Marc Obrador, CTO and co-founder of Build38 

Recently, Marc Obrador, CTO and co-founder of Build38, shed light on the critical role of obfuscation in Mobile App Security during his talk at Droidcon 2023 in Berlin. He emphasised that the practice goes beyond mere method renaming, incorporating the injection of complex code structures to make understanding the application logic an arduous task for potential intruders.  In the context of Mobile Applications, the need for obfuscation becomes more apparent. Once an App is uploaded to the Play Store, it becomes accessible to anyone, making it susceptible to reverse engineering. Therefore obfuscation becomes a crucial line of defence, preventing unauthorised access, replication of intellectual property, and the injection of malicious code that could compromise user security.


Code obfuscation techniques and their consequences

Marc Obrador’s discourse at Droidcon 2023 underscored the pivotal role of code obfuscation in fortifying app security. However, his insights delved beyond the advantages, delving into the nuanced consequences that this security measure carries.   One notable drawback Marc highlighted was the inevitable trade-off: the increased size and potential performance impact on applications employing code obfuscation techniques. This alteration in code structure can lead to larger file sizes, impacting both download times and the app’s overall performance.   Another critical concern Marc addressed was the intricacy introduced into troubleshooting during production. The divergence between the obfuscated code shipped with the app and its original source code creates complexities in diagnosing issues that may arise post-launch.


To navigate these challenges effectively, Build38 advocates for a nuanced approach.
They propose selectively applying obfuscation to only the most sensitive sections of an application. This strategic implementation aims to strike a harmonious balance between bolstering security measures and maintaining an optimal user experience.  By shedding light on these consequences and proposing a strategic approach, Marc’s insights provide a roadmap for developers to fortify their apps without compromising essential aspects of functionality and user satisfaction.

Marc Obrador


> Obfuscating the entire codebase could result in an application that is excessively large and slow, affecting the overall user experience_

Choosing the Right Programming Language
One intriguing aspect discussed by Marc in his talk at Droidcon, was how the choice of programming language influences the effectiveness of obfuscation. He provided examples in JavaScript, Java/Kotlin, C/C++, and Dart, emphasising that languages compiled to assembly code offer better protection due to the complexity introduced at the assembly level.  Marc touched upon the unique characteristics of Flutter, noting its current advantage in terms of code protection. However, he cautioned that this landscape could evolve as the tools and reverse engineering capabilities catch up with the framework’s popularity.


Build38 is committed to contributing to and maintaining an Open Obfuscator Project


These insights from Marc Obrador talk at Droidcon 2023 shed light on the complexities of code obfuscation and its role in protecting Mobile Applications. As the threat landscape evolves, developers must stay vigilant, leveraging obfuscation techniques judiciously to protect their intellectual property and ensure the security of their users’ data.   At Build38 we are committed to contributing with our Open Obfuscator Project which you can access directly here.   For more information about mobile application security contact us today!


Related posts

Discover the next generation 
of mobile app security