Talsec's Perspective: A Pragmatic Approach to Obfuscation

At Talsec, we firmly believe that a layered security approach is the most effective way to protect mobile applications. Obfuscation is a crucial component of this strategy, acting as a deterrent against static analysis: it raises the effort needed to read decompiled code, but it does not by itself stop an attacker who instruments the running app, which is why it belongs in a layered approach rather than standing alone. We also recognize the trade-offs associated with different obfuscation techniques.

Our Stance on Obfuscation Types

  • Class Name Obfuscation and String Obfuscation: Must-Haves for Sensitive Apps: We consider both class name and string obfuscation as essential baseline security measures for any application handling sensitive data or implementing critical business logic. The relatively low overhead and significant increase in analysis difficulty make them highly valuable in hindering casual attackers and raising the cost for more sophisticated ones. Implementing these techniques should be a standard practice in your mobile app development lifecycle. Note that the standard Android shrinkers (R8, ProGuard) rename classes, methods and fields when minification is enabled but leave string literals untouched; string obfuscation needs a dedicated tool or build step, and the decoded strings are still visible to anyone debugging the running process.

  • Control-Flow Obfuscation: Reserved for Algorithm Protection: While control-flow obfuscation can offer a higher degree of protection against reverse engineering of specific algorithms, we believe its application should be carefully considered and generally reserved for scenarios where the application's core algorithm itself is a significant intellectual property asset.
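To make the string-obfuscation point concrete, here is an added example (written for this page, not Talsec's own code or tooling) of the minimum a string-encryption step does: the secret is stored as a XOR-encoded byte table generated at build time, the plaintext literal appears nowhere in the binary, and the app decodes it into a buffer only at the moment of use. The seed, the rolling-key formula, the encoded table and the `get_api_key` / `blob_contains` helpers are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Seed for the rolling XOR key. A real build derives the seed and the table
 * below from a build-time tool; the encoder is included here only so the
 * example can check itself. The seed is an arbitrary constructed value. */
#define OBF_SEED 0x5Au

/* Constructed example: the encoded form of an API key. The plaintext appears
 * nowhere in this file, so a byte scan of the compiled binary will not find
 * it. Produced by obf_encode(<key>, OBF_SEED). */
static const uint8_t API_KEY_ENC[] = {
    0x09, 0x22, 0x37, 0xD3, 0xCB, 0xCF, 0x85, 0x82, 0xA4, 0xFC, 0xBD
};

/* Key byte for position i: a rolling key, so repeated plaintext bytes do not
 * map to repeated ciphertext bytes the way a single-byte XOR would. */
static uint8_t obf_key(uint8_t seed, size_t i) {
    return (uint8_t)(seed + 13u * i);
}

/* Build-time step: encode a plaintext string. Returns bytes written, 0 on
 * overflow. Not needed in the shipped binary. */
size_t obf_encode(const char *plain, uint8_t seed, uint8_t *out, size_t cap) {
    size_t n = strlen(plain);
    if (n > cap) return 0;
    for (size_t i = 0; i < n; i++)
        out[i] = (uint8_t)((uint8_t)plain[i] ^ obf_key(seed, i));
    return n;
}

/* Runtime step: decode into a caller-provided buffer, NUL-terminated.
 * Returns bytes decoded, 0 if the buffer is too small. */
size_t obf_decode(const uint8_t *enc, size_t n, uint8_t seed, char *out, size_t cap) {
    if (n + 1 > cap) return 0;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)(enc[i] ^ obf_key(seed, i));
    out[n] = '\0';
    return n;
}

/* What the app calls when it actually needs the key. The decoded value lives
 * only in `out`; wipe it after use (secure_wipe) so it does not linger. */
size_t get_api_key(char *out, size_t cap) {
    return obf_decode(API_KEY_ENC, sizeof API_KEY_ENC, OBF_SEED, out, cap);
}

/* Overwrite through a volatile pointer so the compiler cannot drop the wipe
 * as a dead store. */
void secure_wipe(char *p, size_t n) {
    volatile char *vp = p;
    while (n--) *vp++ = 0;
}

/* Simulates what `strings` or a byte scan of the binary would find: does the
 * blob contain the needle? Used to show the literal is absent from the
 * encoded table but present in the decoded buffer. */
int blob_contains(const uint8_t *blob, size_t n, const char *needle) {
    size_t m = strlen(needle);
    if (m == 0 || m > n) return 0;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(blob + i, needle, m) == 0) return 1;
    return 0;
}
```

The check that matters is `blob_contains(API_KEY_ENC, ..., "SECRET") == 0` while the same call on the decoded buffer returns 1: the secret is gone from the static image but is fully present in process memory once `get_api_key` runs, which is exactly why this is a static-analysis deterrent and not a runtime secret store.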

The Challenges of Control-Flow Obfuscation

We acknowledge that control-flow obfuscation can introduce several complexities and potential issues:

  • Increased Integration Complexity: Integrating and configuring control-flow obfuscation is more involved than enabling class renaming or string encryption: it usually means changing the compiler tool chain (an LLVM-level pass for native code, a bytecode rewriter for Java/Kotlin) and tuning which functions it is applied to.

  • Potential for Non-Deterministic Bugs: The transformations can expose latent undefined behaviour or miscompile edge cases, and because they are typically applied only to release builds, the resulting bugs do not show up in debug builds and can be intermittent and hard to reproduce.

  • Performance Impact: Flattened dispatch loops and bogus branches add instructions and defeat compiler optimizations and branch prediction, so hot code paths can slow down noticeably and consume more battery.

  • App Store Review Issues: Aggressive control-flow obfuscation can be flagged during app store review, since heavily transformed code is hard for automated and manual review to distinguish from code that is deliberately hiding its behaviour.

Our Recommendation for Algorithm Protection

If your application's core algorithm is a critical asset that requires a higher level of protection than class and string obfuscation can provide, we recommend a more targeted approach:

  • Isolate Sensitive Code: Implement the algorithm in native code (C or C++) compiled into its own library, and expose it to the rest of the app through a narrow interface (JNI on Android, a C function boundary on iOS) so that only inputs and outputs cross into managed code.

  • Separate Obfuscation: Apply compiler-level obfuscation designed for native code (control-flow flattening, bogus control flow, instruction substitution, string encryption) to this module only, leaving the rest of the build untouched.

  • Minimize Impact: Because the heavy transformations touch only the isolated module, their integration cost, performance overhead and risk of obscure bugs are confined to a small, well-tested surface instead of the whole codebase. Test the obfuscated module against the unobfuscated build on the same inputs before shipping.
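The following added example (constructed for this page; not Talsec's code and not the output of any particular obfuscator) shows what control-flow flattening, the technique discussed under "Control-Flow Obfuscation" above, does to the kind of algorithm this recommendation says to isolate in a native module. `tag_plain` is a placeholder "core algorithm" (FNV-1a with an extra rotate), `tag_flat` is the same function hand-flattened into a single dispatcher the way an LLVM flattening pass would do mechanically, and `flat_matches_plain` is the differential check that the isolated module should pass before release. The algorithm, state labels and function names are all assumptions made for the example; the JNI glue that would call into this module is omitted.

```c
#include <stddef.h>
#include <stdint.h>

/* Reference implementation: FNV-1a over the input with an extra rotate on
 * odd intermediate values. A constructed stand-in for the "core algorithm",
 * not a real product check. */
uint32_t tag_plain(const uint8_t *data, size_t n) {
    uint32_t h = 0x811C9DC5u;             /* FNV-1a 32-bit offset basis */
    for (size_t i = 0; i < n; i++) {
        h ^= data[i];
        h *= 0x01000193u;                 /* FNV 32-bit prime */
        if (h & 1u)
            h = (h >> 3) | (h << 29);     /* rotate right by 3 */
    }
    return h;
}

/* The same algorithm after control-flow flattening: every basic block is a
 * case of one switch inside a loop, and execution order is carried in
 * `state`. The labels are arbitrary constants, so a decompiler sees one
 * dispatcher instead of the loop-and-branch shape above. Written by hand here
 * only to show the shape; a tool would generate it. */
uint32_t tag_flat(const uint8_t *data, size_t n) {
    uint32_t h = 0, state = 0x2F1Du;
    size_t i = 0;
    for (;;) {
        switch (state) {
        case 0x2F1Du: h = 0x811C9DC5u; i = 0;          state = 0x7A03u; break;
        case 0x7A03u: state = (i < n) ? 0x11C4u : 0x5E9Bu;              break;
        case 0x11C4u: h ^= data[i]; h *= 0x01000193u;  state = 0x0C77u; break;
        case 0x0C77u: state = (h & 1u) ? 0x6D2Au : 0x33F0u;             break;
        case 0x6D2Au: h = (h >> 3) | (h << 29);        state = 0x33F0u; break;
        case 0x33F0u: i++;                             state = 0x7A03u; break;
        case 0x5E9Bu: return h;
        default:      return 0;  /* unreachable: no block sets another label */
        }
    }
}

/* Differential check: the obfuscated build must agree with the reference on
 * every input, including the empty one. This is the test that catches the
 * "fine in debug, broken in release" bugs described above. */
int flat_matches_plain(const uint8_t *data, size_t n) {
    return tag_plain(data, n) == tag_flat(data, n);
}
```

Reading `tag_flat` without knowing `tag_plain` is already noticeably harder, and a tool would additionally insert opaque predicates and bogus blocks. The cost is visible too: every iteration now takes several dispatcher round trips instead of one compare-and-branch, which is the performance trade-off noted earlier and the reason to confine this to the isolated module.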
