Choosing the Right Level of Code Obfuscation – Advantages and Disadvantages (2024)

Table of Contents
Learn more What does the demise of bitcode mean for the future of application security? An introduction to app code obfuscation Related Get the inside scoop, app security news and more from Promon FAQs
Choosing the Right Level of Code Obfuscation – Advantages and Disadvantages (1)

Code obfuscation

By Andrew WhaleyPosted on June 13, 2023 11:21 am

This article explores the different approaches to code obfuscation, their advantages and disadvantages.

Code obfuscation is a powerful tool for protecting apps from reverse engineering and manipulation. It’s a critical component of almost all app security and copy protection tools. Without obfuscation, the application or security code is transparent, easily understood, and therefore relatively easily modified. But there are several different approaches to code obfuscation, and each comes with inherent advantages or disadvantages.

Let’s look at how a typical compiler operates and therefore what opportunities are provided for obfuscating code:

Choosing the Right Level of Code Obfuscation – Advantages and Disadvantages (2)

The above diagram shows that a typical compiler (e.g. Clang) consists of a ‘frontend’ which parses the source code, compiles it into an ‘intermediate’ level, and a ‘backend’ which optimizes and produces the final machine code in an executable format (‘binary’) suitable for the machine to run.

This provides three places where obfuscation could be done:

  1. Source level: i.e. changing the source code before it is compiled by the frontend.
  2. Intermediate level, i.e. manipulating the intermediate representation before the backend uses it to create the binary.
  3. Binary level, i.e. modifying the binary directly after compilation and before it is distributed.

Most application protection products choose to do this at the intermediate level, and for good reasons:

  1. Intermediate is nearly always Low Level Virtual Machine (LLVM) which is open source and comes with a rich set of libraries allowing an easy level of entry into writing your obfuscator.
  2. Both Android and iOS use the LLVM-based Clang compiler allowing the two most popular OS platforms to be targeted with the same code base.

Very few vendors offer source-level obfuscators for compiled languages, because it’s much easier to operate at the LLVM level, and maintaining 100% compatibility with languages like C++ is a lot of work. A further disadvantage with this approach is that you’re very tied to that source language – so Swift comes along and suddenly your product is obsolete and can’t be quickly rewritten.

Source-level obfuscators are popular, though, for script languages like Javascript, since there’s no other option. In this case, obfuscation is even more important since the source code itself is distributed and not a compiled binary.

Finally, we come on to binary level obfuscators which are quite a rarity because they are hard to create and typically must cater to multiple machine code instruction sets e.g. ARM64, Intel X86_64, Arm V7 (32 bit), etc. They also must be able to accurately read and rewrite the various binary formats supported e.g. ELF on Android and Mach-O on iOS/MacOS. There are many complexities in this process that somebody using LLVM simply does not have to worry about.

See Also
What is obfuscation and how does it work?What is Data Obfuscation? Definition and TechniquesHow (and Why) to Obfuscate Source CodeMalware Obfuscation: Techniques, Definition & Detection - ExtraHop | ExtraHop

However, binary level obfuscators offer some tremendous benefits:

  • They are not tied to the toolchain and so, in theory, can protect binaries from any compiler e.g. Swift, C/C++, Rust, Golang, Dart, Xamarin, Unity etc.
  • They are also not dependent on any development tools and therefore protection can be run entirely independently of the development process e.g. by an IT Security function rather than developers.
  • Because they are dealing with actual machine code instructions, they can achieve finer-grained obfuscation than is possible at the intermediate level and certainly way beyond what is possible at the source level.

This table summarises the relative advantages and disadvantages:

Choosing the Right Level of Code Obfuscation – Advantages and Disadvantages (3)

As a user, I would look for a binary-level obfuscator as it is the most versatile and has many benefits, whereas as a tool vendor, I would choose intermediate as it is the easiest to develop and maintain.

The biggest risk with an intermediate-level obfuscator is that your target tool vendor decides to drop support for LLVM as we’ve recently seen with Apple and Xcode. It will be interesting to see how those vendors deal with that.

Learn more

Choosing the Right Level of Code Obfuscation – Advantages and Disadvantages (4)

What does the demise of bitcode mean for the future of application security?

Read the article

Choosing the Right Level of Code Obfuscation – Advantages and Disadvantages (5)

An introduction to app code obfuscation

Download the guide

See Also
The Importance of Code Obfuscation for .NET and Android Applications – PreEmptive

Related

All news
Code obfuscationIntroducing Promon IP Protection Pro™: Advanced code obfuscation for Android and iOS apps
Code obfuscationHow iOS obfuscation enhances app security
Code obfuscationIntroducing Promon Jigsaw: The next-gen code obfuscation engine for unparalleled Android and iOS security
App shieldingHow app shielding helps you manage BSI compliance

Get the inside scoop, app security news and more from Promon

Sign up to our newsletter

Promon
  • Solutions
  • Careers
  • About us
  • Resources
  • Privacy policy

Book a demo

Choosing the Right Level of Code Obfuscation – Advantages and Disadvantages (2024)

FAQs

What is the best obfuscation method? ›

Encryption is a good obfuscation method if you need to store or transfer sensitive data securely. Tokenization substitutes sensitive data with a value that is meaningless. This process can't be reversed. However, you can map the token back to the original data.

Read On
Why is code obfuscation important? ›

The idea is to prevent an attacker from under- standing the inner workings of a program by making the obfuscated program “too difficult” to understand—that is, by making the task of reverse engineering the program “too expensive” in terms of the resources or time required to do so.

Discover More Details
What are the pros and cons of obfuscation? ›

The benefits of code obfuscation are numerous:
  • It defends open-source code information and data.
  • It can eliminate debugging loopholes.
  • It slows down hackers trying to re-engineer programs and applications.
  • It helps protect intellectual property.

Continue Reading
What are the drawbacks of obfuscation? ›

Disadvantages of obfuscation

It adds time and complexity to the build process for the developers. It can make debugging issues after the software has been obfuscated extremely difficult. Once code is no longer maintained, hobbyists may want to maintain the program, add mods, or understand it better.

See Details
What are the three most common techniques used to obfuscate data? ›

The most common data obfuscation techniques are: Data encryption. Data tokenization. Data masking.

Find Out More
What is the obfuscation rule? ›

Obfuscation rule actions define what attributes to look at, what text to obfuscate, and how to obfuscate (either by masking or hashing). Obfuscation expressions are named regular expressions identifying what text to obfuscate. Masking completely removes information, replacing it with X characters.

Tell Me More
How effective is obfuscation? ›

Good obfuscation will protect you up to a point, but it's all about the amount of effort required to break it against the 'reward' of having the code. If you are talking about stopping your average business user, then a commercial obfuscator should be sufficient.

Show Me More
Is obfuscation better than encryption? ›

Regarding security levels, encryption is generally considered stronger than obfuscation. Encryption uses cryptographic solid algorithms and keys, making it highly resistant to brute-force attacks and unauthorized access.

Explore More
What is better security through obfuscation? ›

In security engineering, security through obscurity is the practice of concealing the details or mechanisms of a system to enhance its security. This approach relies on the principle of hiding something in plain sight, akin to a magician's sleight of hand or the use of camouflage.

Continue Reading
What are the disadvantages of data obfuscation? ›

It also helps in the minimization of security risks. The cons of data obfuscation are it is a complex process and needs much more resources and effort. Encryption through obfuscation is slow and computationally intensive. These properties make it unattractive in real-time applications.

Show Me More

Can obfuscated code be decompiled? ›

The results show that it is possible to reverse engineer obfuscated code but some parts. Obfuscation does protect the code, as all the variable names are changed and every unused method are removed, as well as some methods changed to non-con- ventional ways to program.

Read The Full Story
What are three tools that can be used in the data obfuscation process? ›

Data masking, encryption, and tokenization are three common data obfuscation techniques. Each type has strengths in protecting against destructive malware. Familiarizing yourself with data obfuscation techniques will help you protect your sensitive data—and educate you in case obfuscation is used against you.

See Details
Why do we need code obfuscation? ›

Obfuscation means to make something difficult to understand. Programming code is often obfuscated to protect intellectual property or trade secrets, and to prevent an attacker from reverse engineering a proprietary software program.

Get More Info Here
Can code obfuscation reversed? ›

Depending on the part of code obfuscated, and the complexity of algorithms obfuscated, it may involve a good percentage to deobfuscate the code as well. Most of the automated deobfuscators can reverse-engineer an obfuscated application.

Continue Reading
What is the impact of obfuscation in data hiding? ›

The goal of data obfuscation is to make it impossible for unauthorized users to attribute the data, reducing the risk of unauthorized access or misuse. It can take various forms, such as encryption, tokenization, data masking, and data scrambling. We'll dive into these in more detail later on.

View More
What are the methods of data obfuscation? ›

Data obfuscation is a method of hiding data by transforming it into a form that is difficult to understand or interpret while still keeping its fundamental characteristics. This prevents unauthorized users from being able to access certain information while still maintaining its utility.

View Details
What is obfuscation methods? ›

Obfuscation means to make something difficult to understand. Programming code is often obfuscated to protect intellectual property or trade secrets, and to prevent an attacker from reverse engineering a proprietary software program. Encrypting some or all of a program's code is one obfuscation method.

See More
Top Articles
How to Start Your Hobby Farm
Doran, G.T. (1981) There’s a SMART Way to Write Management’s Goals and Objectives. Journal of Management Review, 70, 35-36. - References
Po Box 7250 Sioux Falls Sd
The Largest Banks - ​​How to Transfer Money With Only Card Number and CVV (2024)
Uca Cheerleading Nationals 2023
Brady Hughes Justified
Occupational therapist
Jesus Calling December 1 2022
Activities and Experiments to Explore Photosynthesis in the Classroom - Project Learning Tree
Pickswise the Free Sports Handicapping Service 2023
Jcpenney At Home Associate Kiosk
Top Hat Trailer Wiring Diagram
Goldsboro Daily News Obituaries
Craigslist Jobs Phoenix
New Mexico Craigslist Cars And Trucks - By Owner
Thotsbook Com
Sivir Urf Runes
Teenleaks Discord
Unit 33 Quiz Listening Comprehension
Inside the life of 17-year-old Charli D'Amelio, the most popular TikTok star in the world who now has her own TV show and clothing line
Lowes Undermount Kitchen Sinks
Scout Shop Massapequa
Busted Mcpherson Newspaper
Employee Health Upmc
Www.paystubportal.com/7-11 Login
Elbert County Swap Shop
Shoe Station Store Locator
What Sells at Flea Markets: 20 Profitable Items
Unity Webgl Car Tag
Keshi with Mac Ayres and Starfall (Rescheduled from 11/1/2024) (POSTPONED) Tickets Thu, Nov 1, 2029 8:00 pm at Pechanga Arena - San Diego in San Diego, CA
Restored Republic
Club Keno Drawings
Que Si Que Si Que No Que No Lyrics
47 Orchid Varieties: Different Types of Orchids (With Pictures)
Bus Dublin : guide complet, tarifs et infos pratiques en 2024 !
Gwu Apps
Craigslist Georgia Homes For Sale By Owner
Myanswers Com Abc Resources
Pokemon Reborn Locations
Wo ein Pfand ist, ist auch Einweg
3 Zodiac Signs Whose Wishes Come True After The Pisces Moon On September 16
Mbfs Com Login
Here's Everything You Need to Know About Baby Ariel
Csgold Uva
RubberDucks Front Office
This Doctor Was Vilified After Contracting Ebola. Now He Sees History Repeating Itself With Coronavirus
Ups Customer Center Locations
Barback Salary in 2024: Comprehensive Guide | OysterLink
Inside the Bestselling Medical Mystery 'Hidden Valley Road'
Craigslist Farm And Garden Missoula
Wayward Carbuncle Location
Latest Posts
Access computer after administrator account is disabled - Windows Client
Best Homeowners Insurance in Florida (2024) | LendingTree
Article information

Author: Dan Stracke

Last Updated:

Views: 6317

Rating: 4.2 / 5 (43 voted)

Reviews: 90% of readers found this page helpful

Author information

Name: Dan Stracke

Birthday: 1992-08-25

Address: 2253 Brown Springs, East Alla, OH 38634-0309

Phone: +398735162064

Job: Investor Government Associate

Hobby: Shopping, LARPing, Scrapbooking, Surfing, Slacklining, Dance, Glassblowing

Introduction: My name is Dan Stracke, I am a homely, gleaming, glamorous, inquisitive, homely, gorgeous, light person who loves writing and wants to share my knowledge and understanding with you.