How can you prevent reverse engineering of mobile applications? (2024)


Powered by AI and the LinkedIn community

  1. Obfuscate your code
  2. Use encryption and secure storage
  3. Implement anti-tampering and anti-debugging measures
  4. Minimize the attack surface
  5. Update and monitor your mobile application
  6. Here’s what else to consider

Reverse engineering is the process of analyzing and modifying an existing software or hardware system without the original source code or design documentation. It can be used for legitimate purposes, such as interoperability, compatibility, or security testing, but it can also pose a serious threat to mobile applications, especially if they contain sensitive data, intellectual property, or business logic. Reverse engineering can expose vulnerabilities, enable piracy, or facilitate malicious attacks. In this article, you will learn how to prevent reverse engineering of mobile applications by applying some best practices and techniques.

Key takeaways from this article

  • Code obfuscation: Transforming your source code into a form that's hard to read can effectively deter reverse engineering. Tools that rename and encrypt elements of your code make it tough for others to decipher your app's logic.

  • Server-side logic: Keep the most sensitive parts of your application on the server, not the client. This way, critical processes are out of reach for reverse engineering, ensuring only authorized users access them through secure APIs.

This summary is powered by AI and these experts

  • Upendra Vadher AVP Business Operations | Service…
  • Rajesh Parmar Techno-Biz Expert |+35 years PTR|…

1 Obfuscate your code

Code obfuscation is the technique of transforming your source code or binary code into a form that is difficult to read, understand, or modify by humans or machines. It can help protect your mobile applications from reverse engineering by hiding the structure, logic, and functionality of your code. There are different types of code obfuscation, such as renaming variables, methods, or classes, encrypting strings or resources, adding dead code or junk code, or changing the control flow or instruction order. You can use various tools or frameworks to obfuscate your code, depending on the platform and language of your mobile application.

  • Upendra Vadher AVP Business Operations | Service Delivery Manager | PMO | Program Manager | Strategist | Consultant | Solutionist

    Obfuscation:
    - ProGuard (Android): This tool renames your code's elements (classes, methods, variables) with cryptic names, making it harder to understand the code's logic.
    - R8 (Android): Similar to ProGuard, often included in Android Gradle builds.
    - DexGuard (Android): Offers anti-debugging and tamper detection.

    Encryption:
    - Sensitive data: Encrypt critical app data like API keys, passwords, or user information, both at rest and in transit.

    Server-side logic:
    - Offload key functionality: Move sensitive processes and algorithms to server-side execution, minimizing client-side code that needs protection.
    - API authentication: Implement strong authentication and authorization mechanisms for server-side APIs accessed by the app.


  • Rajesh Parmar Techno-Biz Expert |+35 years PTR| FOUNDER/ CEO (few Ventures) A PROUD SANATANI 🚩| INVESTOR | BUSINESS CONSULTANT | ENTREPRENEUR| AN INFLUENCER| STRATEGIC ANALYSER

    This will increase the iteration of development cycle increasing the effort on code cleaning and high probability of bugs. Depending on the age of application, there may be more complexity towards backend integration.


  • Angelo Grossi

    Sophisticated Obfuscation: Cutting-edge strategies like "code polymorphism" and "control flow virtualization" can dramatically obscure an app's internals even when confronted with binary analysis.


  • Chetan Maini Senior Business Consultant and Team Manager at Dotsquares

    Preventing reverse engineering of mobile applications involves using code obfuscation techniques, such as renaming variables and functions, encrypting critical code segments, and employing anti-debugging measures. Additionally, incorporating runtime protections and regularly updating the app with security patches helps deter reverse engineering attempts.


  • Chandrakant Barik Cloud Specialist / Strategic Business Growth

    Code obfuscation is the technique of transforming your source code or binary code into a form that is difficult to read, understand, or modify by humans or machines. It can help protect your mobile applications from reverse engineering by hiding the structure, logic, and functionality of your code. There are different types of code obfuscation, such as renaming variables, methods, or classes, encrypting strings or resources, adding dead code or junk code, or changing the control flow or instruction order.


2 Use encryption and secure storage

Encryption is the technique of converting your data into a form that is unreadable by unauthorized parties. It can help protect your mobile applications from reverse engineering by preventing data leakage, tampering, or manipulation. You should encrypt any data that is sensitive, confidential, or valuable, such as user credentials, personal information, payment details, or business logic. You should also use secure storage mechanisms to store your encrypted data, such as the keychain on iOS or the keystore on Android. You should avoid storing your data in plain text, in shared preferences, or in external storage.


  • Beniwendel Honori Cyber Security | Pentest | AppSec | Mobile Security

    Encrypting sensitive data is crucial for protecting confidential information stored or transmitted by an application. Strong, proven encryption algorithms are used to transform sensitive data into formats that are unreadable without the corresponding decryption key. This includes protecting information such as user credentials, financial details and personal data. Encryption ensures that, even if the data is intercepted or accessed by unauthorized individuals, it remains inaccessible and unintelligible. It is essential to choose robust algorithms and to manage encryption keys with rigorous security.


  • Bradley W. Co-Founder, CTO, Chief Risk Officer @ Everest | Certified Scrum Master

    Everything should be encrypted at rest and in flight, period, without exception. Using the secure storage mechanisms per OS can be a solid path, another path is to make your mobile application as "dumb" as possible and keep all of the "smarts" in the API, and don't store anything on the device's storage at all, only in the local memory, then clean up the memory at app exit.

  • Zach Bublil Mobile Team Lead at Similarweb

    It's important to encrypt data but it only helps to secure it by analyzing the traffic. It's always possible to use dynamic tools in order to read the data right before it gets encrypted or even disable the encryption. It would be a little harder to do it compared to just reading the data as plain text, but it's always important to remember that nothing on the client side is secured - and it always can be reversed.


  • Chrisma Andhika Software Engineer - Analyst


    Logging should also be taken cautiously by not leaving any information-sensitive printing in the code. This one is often overlooked after all security requirements are conformed.


  • Ricardo Albuquerque CTO | Innovation | IOT | Consulting | Software development | IA | Project Management| SCRUM | Digital Transformation| New Space | Trend

    Certainly, to prevent reverse engineering of mobile apps, employing robust encryption and secure storage is crucial. Strong encryption algorithms like AES are essential to protect data, making it indecipherable if intercepted. Effective key management is vital; avoid embedding keys in the app and consider server-based storage. Encrypt all sensitive information, including user credentials. Use SSL/TLS for secure data transmission. Leverage secure storage options like iOS's Keychain and Android's Keystore. Obfuscate encryption and decryption logic to enhance security. Regular updates to encryption methods are necessary to address evolving threats. These strategies collectively form a robust defense against reverse engineering.


3 Implement anti-tampering and anti-debugging measures

Anti-tampering and anti-debugging measures are techniques that can help protect your mobile applications from reverse engineering by detecting and preventing any unauthorized modifications or analysis of your code or data. Anti-tampering measures can include checking the integrity of your code or data, verifying the signature of your application, or validating the environment of your application. Anti-debugging measures can include detecting the presence of a debugger, disabling debugging features, or obfuscating debugging information. You can implement these measures by using native code, custom libraries, or third-party solutions.
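Added example (not part of the original article): one way to implement two of the checks named above on Android, comparing the app's signing certificate against a pinned SHA-256 digest and detecting a debuggable build or an attached debugger. `TRUSTED_CERT_SHA256`, `IntegrityReport` and `checkIntegrity` are names assumed for this example, and the digest value is a placeholder to replace with your own release certificate's digest.

```kotlin
import android.content.Context
import android.content.pm.ApplicationInfo
import android.content.pm.PackageManager
import android.content.pm.Signature
import android.os.Build
import android.os.Debug
import java.security.MessageDigest

// Placeholder: lowercase hex SHA-256 digests of the certificates you sign releases with.
// If you have rotated signing keys, list every certificate in the rotation history.
private val TRUSTED_CERT_SHA256 = setOf("<sha256-of-release-signing-certificate>")

data class IntegrityReport(
    val signatureMatches: Boolean,
    val debuggable: Boolean,
    val debuggerAttached: Boolean
) {
    val clean: Boolean get() = signatureMatches && !debuggable && !debuggerAttached
}

private fun sha256Hex(bytes: ByteArray): String =
    MessageDigest.getInstance("SHA-256").digest(bytes)
        .joinToString("") { "%02x".format(it) }

// Returns the SHA-256 digests of the certificates the installed package is signed with.
@Suppress("DEPRECATION")
private fun signerDigests(context: Context): List<String> {
    val pm = context.packageManager
    val signatures: Array<Signature>? =
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            val signing = pm.getPackageInfo(
                context.packageName, PackageManager.GET_SIGNING_CERTIFICATES
            ).signingInfo
            when {
                signing == null -> null
                signing.hasMultipleSigners() -> signing.apkContentsSigners
                else -> signing.signingCertificateHistory
            }
        } else {
            pm.getPackageInfo(context.packageName, PackageManager.GET_SIGNATURES).signatures
        }
    return signatures.orEmpty().map { sha256Hex(it.toByteArray()) }
}

// Collects the tamper and debug signals in one place so the caller decides the response.
fun checkIntegrity(context: Context): IntegrityReport {
    val digests = signerDigests(context)
    val flags = context.applicationInfo.flags
    return IntegrityReport(
        // A repackaged APK must be re-signed, so its certificate digest will not be trusted.
        signatureMatches = digests.isNotEmpty() && digests.all { it in TRUSTED_CERT_SHA256 },
        // Release builds should not carry android:debuggable="true".
        debuggable = (flags and ApplicationInfo.FLAG_DEBUGGABLE) != 0,
        debuggerAttached = Debug.isDebuggerConnected() || Debug.waitingForDebugger()
    )
}
```

A check that runs only on the device can itself be removed from a modified build, so treat the report as one signal and keep the decisions that matter on the server.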


  • Steeve Huin CxO | NED | Business Leader | Technology Leader | Growth | Cloud | Gaming | Media | Cybersecurity

    Sadly, games are attacked just like any other valuable targets. In the context of gaming it is usually for the purpose of gaining an unfair advantage (cheating), to get around paid-for elements (piracy of the game, removing ads, getting in-app purchases for free, etc.) or to make a new business out of it (farming in-game currency, stealing accounts, etc.). Protecting games is critical to maximize their revenue potential - and for that, anti-tampering, anti-cheating and anti-botting technologies are the bare minimum today. In addition you should also be monitoring the cheating & hacking scene to be aware of current exploits!


  • Amir Husain React Native | Android | IOS | node | javascript | Sql | React | Postgresql | Express

    SafetyNet from Google is a tool that helps developers by detecting if the app is running on a rooted device and checking if the user is trying to modify critical files created by your app to intercept critical information.

    Tamper Detection: The most secure way to detect if your app has been altered is by making sure the signature used to sign the app is the same one used by you.

  • 🎯Ashwin Jumani🗝️ Innovative IT Solutions for a Digital World | Empowering Businesses with Technology

    In bolstering mobile application security, implementing robust anti-tampering and anti-debugging measures is pivotal. Utilize techniques like code obfuscation to hinder reverse engineering attempts. Employ runtime integrity checks to detect and thwart tampering, ensuring the application functions as intended. Incorporate anti-debugging mechanisms to impede malicious analysis of the code during runtime. This can include code traps, debugger detection, and dynamic code modifications to confound debugging tools. Regularly update these measures to counter evolving tactics employed by attackers.

  • Shoaib Ahmed Lead Front End Developer | React native | Typescript developer

    A comprehensive anti-tampering and anti-debugging implementation typically involves multiple sophisticated techniques, such as code obfuscation, integrity checks, runtime environment monitoring, and more, tailored to specific platforms and requirements. Additionally, circumventing these measures might still be possible for skilled attackers. For real-world applications, consulting security professionals and employing specialized libraries or tools is crucial to fortify against tampering and debugging.

  • Simon Stirling Chief Software Architect / Chief Technology Officer / Senior Director Software Engineering

    Implementing anti-tampering and anti-debugging measures is indeed crucial for safeguarding mobile applications. In my 20+ years in software engineering, I've seen the dire consequences of ignoring these protections. However, it's important to balance security with performance and user experience. Over-zealous implementations can lead to slower app performance or false positives, frustrating legitimate users. Also, remember that no measure is foolproof. Skilled hackers can often circumvent these protections, so they should be part of a layered security approach, including regular updates and patches. Third-party solutions can be effective but evaluate their impact on your specific app architecture and user base.


4 Minimize the attack surface

The attack surface is the set of points where an attacker can interact with your mobile application and potentially exploit a vulnerability. You can minimize the attack surface by reducing the number of features, functions, or permissions that your mobile application requires or exposes. You should follow the principle of least privilege, which means granting the minimum level of access or authority that your mobile application needs to perform its tasks. You should also avoid using insecure or deprecated APIs, libraries, or protocols that can introduce vulnerabilities or weaknesses to your mobile application.


  • 🎯Ashwin Jumani🗝️ Innovative IT Solutions for a Digital World | Empowering Businesses with Technology

    To enhance security, minimize the attack surface of your mobile application by reducing unnecessary points of exposure. Trim down excess functionalities and permissions, granting only essential access. Disable unused services and features, limiting potential entry points for attackers. Regularly update and patch software to eliminate vulnerabilities. Employ the principle of least privilege, ensuring that each component has only the necessary permissions. By reducing the attack surface, developers can effectively mitigate risks and fortify the overall security posture of their mobile applications.


  • Rajesh Vishnani Project Manager | Certified ScrumMaster | Technical Project Manager | System Architect

    Detect whether the device is rooted (Android) or jailbroken (iOS), as these conditions often facilitate reverse engineering. If the device is rooted or jailbroken, the application can take appropriate action, such as restricting functionality or refusing to run.


  • Diptesh Mishra

    Considerate (minimal) use of external libraries (relying on the platform-specific features to the maximum extent possible) and using pre-scanned, tested, and pinned versions only further minimise the known attack surface.


  • Francis Ocholi Software Engineer | Backend Engineer | 2x AWS Certified | Customer Experience Innovative | Blockchain Innovative

    The attack surface is the set of points where an attacker can interact with your mobile application and potentially exploit a vulnerability. You should follow the principle of least privilege, which means granting the minimum level of access or authority that your mobile application needs to perform its tasks. Ensure you reduce unnecessary points of exposure. Also, ensure in your SDLC you test automatedly and manually for exploit attacks.


  • Bradley W. Co-Founder, CTO, Chief Risk Officer @ Everest | Certified Scrum Master

    The attack surface of a mobile application is partially the mobile app and partially the API that supports the app. Paying attention to pen testing the app and the API to ensure both are secure will make your attack surface smaller.


5 Update and monitor your mobile application

Updating and monitoring your mobile application is an essential part of preventing reverse engineering by fixing any bugs, vulnerabilities, or issues that may arise over time. You should keep your mobile application up to date with the latest security patches, frameworks, and standards. You should also monitor your mobile application for any abnormal or suspicious behavior, such as crashes, errors, or performance issues. You can use various tools or services to track and analyze your mobile application's usage, performance, and security. You should also collect feedback from your users and respond to their concerns or complaints.


  • Nitin Bagde VP of Engineering @ Liquidnitro Games

    Always build enough instrumentation in your app to monitor how users are interacting with your app. It can give a lot of insights into how the app is working, how users are interacting with it and if there is any user that is trying to exploit your app. Also, you need to build enough instrumentation to know how the app is performing in terms of the response to HTTP requests or the frame rate or the crash rates. This allows the devs to optimize the app. There are various tools like Firebase, Google Analytics etc. to keep track of the app's performance. You can also build your own analytics service if you don't want your app data to be on other platforms.


  • Niko Rehnbäck Lead Engineer

    When you have limited resources for development and building security layers, understanding the gaps in your service and actively monitoring those gaps can save you just enough to get to the next level. Simple fraud blocking mechanism can be built on top of critical alerts. Remember that taking small steps is always better than taking no steps at all.


    Regularly updating and monitoring your mobile app is crucial for security and performance. Implement comprehensive instrumentation to track user interactions, app functionality, and potential exploitations. Focus on monitoring aspects like response times, frame rates, and crash occurrences. This proactive approach not only enhances security but also provides valuable insights for optimizing the app based on real-world usage. Remember, staying ahead in maintenance and monitoring is key to a robust and reliable mobile application.


  • Hady Ashraf Junior .NET Back-End Developer

    To avoid security problems resulting from the occurrence of a run time error in the application, it is necessary to use a tool that helps the developer to always track such events to verify the nature of this error and the nature of the device on which it occurred. One such tracking tool is Firebase Crashlytics, it is a lightweight, real-time crash reporter that helps to track, prioritize, and fix stability issues that erode the app quality.


    It is very important to keep your application always up to date and secure, as security leaks, especially in third-party libraries, are a common problem. One way to tackle this is to reduce the number of dependencies when developing your application, as every dependency brings a risk in terms of security.


6 Here’s what else to consider

This is a space to share examples, stories, or insights that don’t fit into any of the previous sections. What else would you like to add?


  • Jarosław Michalik I help mobile developers build better software | Founder @ AndroidPro.io | Google Developer Expert - Kotlin

    There is no bulletproof solution to avoid reverse engineering. All sensitive operations and core logic should reside on the server.


    There is not any trick for complete avoidance of reverse engineering but we can protect somehow our app and do different tricks to make it harder though.
    - In Android Google has built in tools like ProGuard, it will obfuscate your code. This usually slows down reverse engineering significantly.
    - Use NDK, using C and C++ to put your application core and secure part of code in .so files.

    Ultimately you can't protect your application from being modified and any protection you put in there can be disabled/removed.


  • Kareem Abd Elsattar Senior IOS Engineer at Vezeeta || SwiftUI || Flutter || Software Engineer

    There are important steps that I take to secure iOS Apps:
    1- Jailbreak checks to make sure this app is not running on a jailbroken device or can't be installed on it.
    2- Tamper Checks, Detecting if it is Hooked, Reverse Engineered, Debugged, and is Proxied.
    3- Secure Data, Save sensitive data in the keychain and encrypt it.
    4- SSL Pinning adds an extra layer of security to the network.
    5- Minimizing Logs, Avoid Printing a lot of sensitive data like tokens, critical details, keys, and user data.


  • Eslam Muhammad Lead iOS Developer

    Securing your iOS app is crucial against sneaky attempts to manipulate it. Use these methods:
    - Smart Structure: Arrange your code intelligently, making it harder for others to mess with it, like organizing books in boxes.
    - Code's Bodyguard: Add extra protection layers, acting like tough guards over your app's secrets.
    - Private Conversations: Ensure your app talks in a secret language with servers, challenging eavesdroppers.
    - Jailbreak Alarm: Keep an eye out for jailbroken devices, a vital check when users open your app.
    - Health Check-ups: Keep your app healthy with regular updates.

    Applying these practices aligns with wisdom from experienced developers like Uncle Bob, making your app resilient against potential threats.


  • Ankit Kumar Gupta Engineering@GoDaddy

    We have to put Security at the center of our design and think about it in all aspects (cryptography for network transfers / stored data / content, identity / access management, code obfuscation). We should also be considerate where it is needed and at what depth. We can go to a depth of writing everything in C/C++ that would turn into machine code and cannot be reverse engineered. However each security measure has its own set of challenges, hence we should apply them wisely.

Article information

Author: Geoffrey Lueilwitz
