Hi,
this is going to be a bit of a rant.
I've never bothered with obfuscating the apps i've written in B4A for three reasons
1) Given the constraints in what is obfuscated, it's not really effective
2) The most it does is giving me headaches when analyzing stack traces because deobfuscation is "manual"
3) It's not that useful in the end, because this being java we still have access to the source code and this kind of security through obscurity only stops the laziest people
I will add a fourth
4) Almost all our apps interface to our hardware and anything even remotely secure does not happen on the phone, obviously, so it doesn't really matter if you have access to the api.. It's not hard to figure out the protocol anyway the moment you have the hardware
As it happens one "forum expert" on a forum related to our product's end market got informed by a friend of the existance of our app so he took his midschool grade hacking expertise to get a hold of the APK and posted a screenshot of the decompiler, saying something on the line of "i don't know anything about this product and what is supposed to be doing and how it is supposed to work but i'm going to point the finger and say ha ha because these guys don't even obfuscate the app so i can grab all the secrets. don't trust these guys" (the haha part was added by me, the rest is almost verbatim)
and of course the customer got scared because of the mister knowitall and even though i managed to reassure the customer and explain why we do things the way we do. I even demonstrated how useful obfuscation is by downloading a competitor's app apk (my midschool grade hacking skills were shining yesterday), that was written in native code and was completely obfuscated but it still took me about 20 minutes to find the classes i was looking for
and i figure a couple of days of work to reverse engineer the whole thing but alas, customer has started arguing for obfuscation again.
I already tested obfuscation provided by B4A but it not nearly as useful as i hoped it could be. I figure the obfuscation happens at the "basic" level, and not on the generated java, correct?
I see that depends on how i have written the code, but before going to a major rewrite (which i would prefer not to) i wanted to know if it's possible to obfuscate the APK afterwards, or use somehow the same tools we would use if we were using android studio. That would probably also have the benefit to obtain the gradle file to add to the upload of the apk so we receive the deobfuscated stack traces as well
this is going to be a bit of a rant.
I've never bothered with obfuscating the apps i've written in B4A for three reasons
1) Given the constraints in what is obfuscated, it's not really effective
2) The most it does is giving me headaches when analyzing stack traces because deobfuscation is "manual"
3) It's not that useful in the end, because this being java we still have access to the source code and this kind of security through obscurity only stops the laziest people
I will add a fourth
4) Almost all our apps interface to our hardware and anything even remotely secure does not happen on the phone, obviously, so it doesn't really matter if you have access to the api.. It's not hard to figure out the protocol anyway the moment you have the hardware
As it happens one "forum expert" on a forum related to our product's end market got informed by a friend of the existance of our app so he took his midschool grade hacking expertise to get a hold of the APK and posted a screenshot of the decompiler, saying something on the line of "i don't know anything about this product and what is supposed to be doing and how it is supposed to work but i'm going to point the finger and say ha ha because these guys don't even obfuscate the app so i can grab all the secrets. don't trust these guys" (the haha part was added by me, the rest is almost verbatim)
and of course the customer got scared because of the mister knowitall and even though i managed to reassure the customer and explain why we do things the way we do. I even demonstrated how useful obfuscation is by downloading a competitor's app apk (my midschool grade hacking skills were shining yesterday), that was written in native code and was completely obfuscated but it still took me about 20 minutes to find the classes i was looking for
and i figure a couple of days of work to reverse engineer the whole thing but alas, customer has started arguing for obfuscation again.I already tested obfuscation provided by B4A but it not nearly as useful as i hoped it could be. I figure the obfuscation happens at the "basic" level, and not on the generated java, correct?
I see that depends on how i have written the code, but before going to a major rewrite (which i would prefer not to) i wanted to know if it's possible to obfuscate the APK afterwards, or use somehow the same tools we would use if we were using android studio. That would probably also have the benefit to obtain the gradle file to add to the upload of the apk so we receive the deobfuscated stack traces as well
