9 min read · Feb 13, 2023
--
The other day, I was discussing how difficult it is to navigate Google API responses with a friend and we both agreed that they tend to overcomplicate things like putting an object inside another object and so on. Never knew this conversation will lead me to realize how much this extends to the field of software development — specifically, obfuscation.
Have you ever used a Google plugin and then looked at the code behind it, only to be met with a bunch of nonsense? Well, that nonsense has a name — obfuscation. But, don’t worry, it’s not as intimidating as it sounds. I’m here to break down this technical jargon and explain it in a simpler way.
Obfuscation can simply mean making a piece of code unclear or difficult to understand. This is necessary to protect intellectual secrets, and to prevent an attacker from reverse engineering the propriety code. Obfuscation is a well-known concept in software engineering, it is mostly done on purpose to avoid tampering by an external persona and conceal logic used in the software. An obfuscated code can be reversed back to a clearer and cleaner code.
Earlier, I mentioned Reverse Engineering — which is essentially taking something apart and figuring out what makes it tick, It’s like when you’re a kid and you dismantle your favorite toy to see what makes it move. In the tech world, reverse engineering is used to analyze software and hardware products to see what makes them tick. And, sometimes, this means breaking through the “secret sauce” that companies put in place to protect their tech from being copied.
Now let’s talk about how reverse engineering relates to obfuscation, imagine you’re at a fancy restaurant, and the chef won’t give you the recipe for their secret sauce. So, what do you do? You try to recreate it at home by tasting it, taking notes, and experimenting with different ingredients until you get it just right.
Reverse engineering in tech is a bit like that. Instead of secret sauce, you’re reverse engineering code, algorithms, and other technicalities to understand how they work and potentially replicate or improve upon them. How does that relate to obfuscation? In the same way, it’s difficult to re-create the recipe because you don’t have the secret sauce. It’s the same way it’s difficult to reverse engineer an obfuscated piece of code or software.
Let’s talk about the benefits of obfuscation, I will only highlight a few:
- Enhances Security: As I mentioned earlier, reverse engineers are always waiting to pounce on your code and reverse it once it is released. Obfuscation adds an extra layer of security making it more difficult for hackers and malicious individuals to reverse engineer the software and find vulnerabilities (a security flaw, glitch, or weakness found in software code that could be exploited by an attacker).
- Reduces File Size: Ever minified a code? Let’s take CSS or JS, for example, min.css or min.js code takes less size than the un-minified version. Obfuscation can also help to reduce the file size of the software in the same way. This can be especially useful for mobile apps or other software products that are designed to run on devices that are resource-constrained.
- Protects Intellectual Property: Obfuscation makes it difficult or others to understand the code and algorithms used in the software. This helps to protect intellectual property and prevent others from copying or stealing the software’s code.
- Facilitates Licensing: Obfuscation can also make it easier to implement software licensing. Since the code is unclear and complicated, you can easily encode your license, it becomes more difficult for them to bypass or break the licensing mechanisms.
- Increases Performance: Since the file size is reduced, the performance also increases. The software runs faster and more efficiently.
Let’s take a look at a few types of obfuscation and code samples in real life
There are several different types of obfuscation techniques used in software development:
Code Minification: This type of obfuscation involves removing unnecessary characters from the code, such as whitespaces and comments, to reduce its size. You mostly see this type of obfuscation in JavaScript or CSS plugins. This makes it more difficult for others to read and understand the code, while also reducing its file size. A real-world example of code minification in JavaScript can be when a developer wants to reduce the size of their code for faster load times on a web page. Example in JavaScript:
//Original Code
function addNumbers(a, b) {
var sum = a + b;
return sum;
}//Minified Code
function addNumbers(a,b){return a+b;}
Code Randomization: This type of obfuscation involves rearranging or randomizing the code so that it becomes more difficult to understand. This can include changing the names of variables and functions, rearranging the code structure, and introducing random elements into the code making it obscure. A real-world example can be building an online banking system that needs to be highly secured. To make it difficult for attackers, the developer can use this technique to change the order of the code each time it runs thereby making it difficult to identify the patterns or figure out how the code works. Example in JavaScript:
function addFee(amount, fee) {
return amount + fee;
}//Randomized Code
function wq(k, v) {
return k + v;
}
String Obfuscation: This type of obfuscation involves hiding or encrypting string literals in the code. This makes it more difficult for others to understand what the code is doing, especially if the strings contain sensitive information like passwords and API keys from being easily readable in the code. In a real-world scenario, let’s say you’re building a web application that requires users to log in with their credentials. Normally, you’d store the user’s password in plain text in the database, which is a major security risk. But with string obfuscation, you can encrypt the password before storing it in the database, making it much harder for potential hackers to steal sensitive information. Example in JavaScript:
let password = "secretPassword";// Encrypt the password using an obfuscation function
let obfuscatedPassword = obfuscateString(password);
function obfuscateString(str) {
// Code to scramble the string and make it harder to read
let obfuscated = "";
for (let i = 0; i < str.length; i++) {
obfuscated += String.fromCharCode(str.charCodeAt(i) + 1);
}
return obfuscated;
}
// Store the encrypted password in the database
storePasswordInDb(obfuscatedPassword);
function storePasswordInDb(password) {
// Code to store the password in the database
console.log("Storing password in database:", password);
}
Code Encryption: This type of obfuscation involves encrypting the entire code so that it becomes unreadable or obscure. The entire code is put through a process that makes it all jumbled up and unreadable to the human eye. But, don’t worry the computer can still understand it and execute it. Do you know those fancy paid software products that you buy from websites like Evanto or Codecanyon? Well, the developers behind them use Code Encryption to protect their precious code from being stolen and resold. They encrypt it and give you a license key after you purchase the product. So, the software can only be used by you and nobody else can mess with it. Example in JavaScript:
const crypto = require("crypto");const algorithm = "aes-256-cbc";
const password = "mysecretkey";
// Function to encrypt the code
function encrypt(text) {
const cipher = crypto.createCipher(algorithm, password);
let encrypted = cipher.update(text, "utf8", "hex");
encrypted += cipher.final("hex");
return encrypted;
}
// Function to decrypt the code
function decrypt(text) {
const decipher = crypto.createDecipher(algorithm, password);
let decrypted = decipher.update(text, "hex", "utf8");
decrypted += decipher.final("utf8");
return decrypted;
}
const code = `console.log("Hello, world!");`;
const encryptedCode = encrypt(code);
console.log("Encrypted code:", encryptedCode);
const decryptedCode = decrypt(encryptedCode);
console.log("Decrypted code:", decryptedCode);
In this example, the encrypt function takes the source code as input and returns the encrypted code, while the decrypt function takes the encrypted code and returns the original source code. The encryption and decryption process is performed using the aes-256-cbc algorithm with the mysecretkey password.
Obfuscation has a lot of different use cases in the tech industry. Let’s take an example of mobile apps built by developers, they want to keep their code from being reverse-engineered by someone else. This is mainly to stop applications from being cloned or creating modded versions. Let’s take WhatsApp for example, they’re different clones like GBWhatsApp, FMWhatsApp, etc. Obfuscating the mobile app code will make it more difficult for developers to recreate or redevelop a malicious modded version. This way, they can protect their ideas and keep their app successful for a long time.
Another important part that requires obfuscation is server-side scripting. A lot of tech companies use programming languages like PHP or JavaScript to build websites. But these languages can be vulnerable to security risks, and hackers could easily steal important information by figuring out how the code works. Obfuscation helps to keep the code safe and secure so that only authorized people can access it.
Big tech companies like Google, Amazon, and Facebook use obfuscation in different parts of their business too. For example, Google uses obfuscation to keep its APIs safe, so no one can copy its code or recreate it. Amazon uses obfuscation in its cloud computing platform, AWS, to make sure customer information is secure and safe from attackers. And Facebook uses obfuscation to protect sensitive information in their mobile apps.
In conclusion, obfuscation is very important in the tech industry because it gives an extra layer of security to software products. Whether it’s for mobile apps, websites, or cloud computing, obfuscation is a useful tool for tech companies to keep their products safe and prevent security breaches.
In as much as obfuscation is a great tool for protecting your code and ensuring its security, it comes with some challenges that need to be addressed. One of the biggest challenges is debugging and testing. When you obfuscate your code, it becomes very difficult for developers to understand how it works, which makes debugging and testing a real headache. This can result in a longer development cycle, missed deadlines, and frustration.
Another challenge with obfuscated code is that it can slow down the performance of your code. This is because obfuscated code is often larger and more complex than the original code, which can make it slower to execute. As we said earlier, an obfuscated code can reduce the size of the software in other cases, the size of the software becomes larger. Let’s say software uses “Code Encryption”, the size of the software can be fairly larger than the normal code. This can be a bit of a problem in mobile app development, where users expect a fast and responsive app.
In order to address these challenges, is to use a tool that allows developers to debug and test obfuscated code. These tools often provide developers with an easy way to understand the codebase, this is done by mapping between the obfuscated code and the original code.
Another way to address these challenges is to use obfuscation selectively. Instead of obfuscating all your code, you can choose to only obfuscate the most sensitive parts of your code. By doing this, you can still protect your code without sacrificing performance or making it too difficult to debug and test.
In conclusion, while obfuscation is a powerful tool for protecting your code, it does come with some challenges that need to be addressed. By addressing these issues and approaching obfuscation selectively one can minimize these challenges and build a successful product.
Just because you can use obfuscation to make code unclear or obscure doesn’t mean you should write sh*tty code and use “Obfuscation” to hide the mess you’ve made. Think about it, it’s like trying to cover up a pile of dirty laundry with newly washed laundry as a cove designer duvet cover. Sure, it might look nice on the surface, but as soon as you lift that cover, the mess is still there. That’s why it’s important to write clean, maintainable code from the get-go. Obfuscation should only be used as a supplement, not a substitute, for good coding practices. So, let’s all try to write code that’s easy to read, understand, and maintain, not code that’s difficult to understand.
To wrap up, obfuscation is a valuable tool for software developers or tech companies looking to protect their products and intellectual property. As we mentioned earlier, obfuscation should not be an excuse for sh*tty code and should only be used selectively as it is more difficult to maintain. In the end, writing clean and maintainable code is always the key to success. Don’t let obfuscation be the icing on your rotten cake, make it the cherry on top of your sweet, sweet code!
