How does obfuscation in CN1 work?


jesl...@gmail.com

Aug 6, 2015, 4:33:34 AM
to CodenameOne Discussions
Hi

Do you provide obfuscation to all the platforms you support? Also which obfuscation software do you use to obfuscate the apps (eg. Dexguard or Proguard etc).

Thanks,
Jessi

Shai Almog

Aug 6, 2015, 10:28:52 AM
to CodenameOne Discussions, jesl...@gmail.com
Hi,
We use ProGuard on Android/RIM etc. but not on the desktop builds currently (although we should).
DexGuard is something that we'd like to have, but the licensing there is problematic for our structure. Per-seat doesn't make sense and their base offer for us is pretty steep; if we have serious demand from large enterprise accounts it might be worth the expense.

For iOS this is unnecessary since the code is translated to native C and will be obfuscated by the nature of the platform itself.
The JavaScript port obfuscates/minimizes inherently making this a non-issue there as well.

jesl...@gmail.com

Aug 6, 2015, 11:02:39 AM
to CodenameOne Discussions, jesl...@gmail.com
I see, so if I want to use stronger obfuscation but still would like to use CN1 what would you suggest I do?

Shai Almog

Aug 7, 2015, 12:47:58 AM
to CodenameOne Discussions, jesl...@gmail.com
What sort of stronger obfuscation and for what purpose?

jesl...@gmail.com

Aug 7, 2015, 4:31:11 AM
to CodenameOne Discussions, jesl...@gmail.com
I have expertise in image enhancement and processing whereby I require stronger obfuscation to protect my intellectual property relating to the algorithms I developed.

Of course the level of obfuscation is determined by the obfuscation software. If you look at the ProGuard website, the level of obfuscation, i.e. the security, increases with DexGuard, so there is definite merit for people who require stronger obfuscation.

As for iOS apps, there are plenty of articles stating the possibilities of hacking them. Take a look at products like Cryptanium and Arxan.

I guess one can take a chance with weaker obfuscation, depending on the nature of the app, but in my case it's kinda difficult not to seek better protection.

I'd appreciate it if you can provide any advice on stronger protection for intellectual property regarding the use of obfuscation when using CodenameOne.

Thanks!

Jessi

Shai Almog

Aug 7, 2015, 1:43:22 PM
to CodenameOne Discussions, jesl...@gmail.com
Neither DexGuard nor native compilation will stop a truly determined hacker. However, getting anything useful out of assembly or even moderately obfuscated code is a job for such a talented individual that he might as well develop your algorithm from scratch.

The main value of these tools is to prevent theft not of the IP but of embedded passwords, and the hijacking of the whole app. E.g. if you are building a banking app and use a special password internal to the app in order to access a special restricted API, then that is a weakness that could provide a hacker with access to said API. He doesn't need your banking logic, just the password, and he doesn't need to understand the actual app flow. Then the reverse engineering tools would work well and DexGuard would make their lives a bit harder (e.g. via string encryption).

We might add such things into our apps, but we need enough demand for this from the enterprise side, and even banks aren't asking us to do it right now.

jesl...@gmail.com

Aug 9, 2015, 12:29:28 PM
to CodenameOne Discussions, jesl...@gmail.com
Nowadays, it seems there are countless tutorials on hacking an iOS app in minutes (take a look at the tutorial on Arxan). It may not be 100% perfect, but it's a start.

I notice in the source where we need to specify our CodenameOne account information in String format, as well as push credential info and so on. Will ProGuard obfuscation be enough to protect that information without string encryption?

I read elsewhere that you mention you need enterprise account holders to implement big features (like the C# port), but you never quantify the number of enterprise holders needed, and now you mention it here. What happens if I subscribe as an enterprise account and you need another 20 more for something? What will happen to me as an enterprise client? Will it never happen because there isn't enough funding? Such statements make me nervous :).
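The reason a renaming obfuscator on its own does not protect hard-coded credentials is that it renames identifiers while every string literal stays verbatim in the class file's constant pool. As an added example (not CodenameOne's or ProGuard's code), here is a small Python constant-pool reader that lists those literals as a pre-release check, run over a constructed class-file prefix standing in for a ProGuard-processed class; the credential value is a placeholder and all function names are assumed.

```python
import struct
# Payload sizes (bytes) of constant-pool tags other than CONSTANT_Utf8 (tag 1).
FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
              15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def string_literals(class_bytes: bytes) -> list[str]:
    """Return every CONSTANT_String literal in a class file's constant pool."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", class_bytes, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a JVM class file")
    pos, idx, utf8, refs = 10, 1, {}, []
    while idx < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:  # Utf8: u2 length + bytes (modified UTF-8; ASCII decodes as-is)
            (length,) = struct.unpack_from(">H", class_bytes, pos)
            utf8[idx] = class_bytes[pos + 2:pos + 2 + length].decode("utf-8", "replace")
            pos += 2 + length
        else:
            if tag == 8:  # String: u2 index of the Utf8 entry holding the literal
                refs.append(struct.unpack_from(">H", class_bytes, pos)[0])
            pos += FIXED_SIZE[tag]
        idx += 2 if tag in (5, 6) else 1  # Long/Double occupy two pool slots
    return [utf8[i] for i in refs]

def suspicious_literals(class_bytes: bytes,
                        markers=("token", "password", "secret", "key")) -> list[str]:
    """Literals to review before shipping: names were renamed, these were not."""
    return [s for s in string_literals(class_bytes) if any(m in s.lower() for m in markers)]

def build_sample_class() -> bytes:
    """Constructed header + constant pool only: identifiers already 'a'/'b', literal intact."""
    pool = [
        (1, b"a"),                               # 1 Utf8   renamed class name
        (7, struct.pack(">H", 1)),               # 2 Class  -> #1
        (1, b"b"),                               # 3 Utf8   renamed field name
        (1, b"api_token_PLACEHOLDER_not_real"),  # 4 Utf8   embedded credential (placeholder)
        (8, struct.pack(">H", 4)),               # 5 String -> #4
        (1, b"hello"),                           # 6 Utf8   harmless literal
        (8, struct.pack(">H", 6)),               # 7 String -> #6
        (3, struct.pack(">i", 42)),              # 8 Integer
    ]
    out = bytearray(struct.pack(">IHHH", 0xCAFEBABE, 0, 52, len(pool) + 1))
    for tag, body in pool:
        out.append(tag)
        if tag == 1:
            out += struct.pack(">H", len(body))
        out += body
    return bytes(out)
```

`suspicious_literals(build_sample_class())` returns the placeholder credential even though every name in the class was shortened; the same function can be pointed at the bytes of real `.class` files from a build to catch such literals before release.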

Shai Almog

Aug 9, 2015, 1:32:49 PM
to CodenameOne Discussions, jesl...@gmail.com
Most of those hacks for Android and iOS rely on the fact that both platforms store their resources in well-defined ways, which we don't. Naturally, as Codename One becomes more prevalent it would be hackable in a similar way, but to a lesser extent, since the code we generate is by definition more complex.

It varies on a case-by-case basis for specific features. E.g. the Windows Phone port that we discussed back then, before recent developments from MS: http://www.codenameone.com/blog/login-tutorials-future-of-windows-phone.html

Would mean something between 1 and 2 man-years of effort to complete. With such prohibitive costs, we need more of a commitment than a single user subscribing month by month. For the JavaScript port we quantified this as two annual enterprise subscriptions, which is something we surpassed; I'm not sure if it covered the expenses incurred though.

String/data encryption is relatively simple though. I believe it shouldn't take more than 2 months' work to boost our security level significantly, so if one enterprise customer asks for it then we will do it. However, we will probably limit the feature to builds from enterprise customers.