Non-obfuscated APK Vulnerability in Android

Description

From the Intellectual Property (IP) perspective, Android applications are similar to web applications: in both cases the code (for Android, the compiled bytecode) runs in an environment partially or fully under the user's control. This means that the user can ultimately inspect, decompile, and analyze the bytecode as they please.

Impact

A non-minified application can disclose important details about its algorithms or the general code flow of the application. An attacker could leverage such information to gain valuable insight not only into the app itself but also into the communication it exchanges with the vendor's application servers.

Prevention

Developers concerned about the IP in their source code may consider obfuscating or minifying the APK before releasing it to the public. In a typical Android Studio project, this is enabled by setting the minifyEnabled field to true in the release build type of the module's build.gradle file:

```groovy
android {
    // ...

    buildTypes {
        release {
            // Enable code shrinking and obfuscation (R8/ProGuard) for release builds only
            minifyEnabled true
            // Default Android rules plus the module's own keep rules
            proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
        }
    }

    // ...
}
```

It is important to understand, though, that perfect obfuscation is impossible. Developers should think of minification as a deterrent rather than a solution, and should never store sensitive material (e.g., encryption keys, passwords) in the source code.
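A release build is only protected if minification actually took effect, so it is worth checking the shipped artifact rather than trusting the Gradle flag. The following Python script is an added example (not SecureFlag's or the Android project's code): it reads the class descriptors from a DEX file's class_defs table and estimates how many class names look machine-renamed. The build_fake_dex helper and its descriptors are constructed fixtures, and the two-character simple-name threshold is an assumed heuristic.

```python
import struct

def _skip_uleb128(buf, off):
    # Step over a ULEB128 value (the utf16_size prefix of a string_data_item).
    while buf[off] & 0x80:
        off += 1
    return off + 1

def _string(buf, string_ids_off, idx):
    # string_ids[idx] -> string_data_item: uleb128 utf16_size, MUTF-8 bytes, NUL terminator.
    (data_off,) = struct.unpack_from("<I", buf, string_ids_off + 4 * idx)
    start = _skip_uleb128(buf, data_off)
    return buf[start:buf.index(b"\x00", start)].decode("utf-8", "replace")

def class_descriptors(dex):
    # Descriptors of classes defined in this DEX (class_defs); referenced framework types are not counted.
    _, sid_off, _, tid_off = struct.unpack_from("<IIII", dex, 0x38)
    class_defs_size, cd_off = struct.unpack_from("<II", dex, 0x60)
    names = []
    for i in range(class_defs_size):
        (class_idx,) = struct.unpack_from("<I", dex, cd_off + 32 * i)
        (descr_idx,) = struct.unpack_from("<I", dex, tid_off + 4 * class_idx)
        names.append(_string(dex, sid_off, descr_idx))
    return names

def looks_obfuscated(descriptor):
    # Assumed heuristic: R8/ProGuard rename classes to very short simple names (La/b/c;, Lcom/x/a$b;).
    simple = descriptor[1:-1].rsplit("/", 1)[-1].rsplit("$", 1)[-1]
    return len(simple) <= 2

def minified_ratio(dex):
    names = class_descriptors(dex)
    return sum(map(looks_obfuscated, names)) / len(names) if names else 0.0

def build_fake_dex(descriptors):
    # Constructed fixture: a DEX-shaped blob filling only the fields read above; not a loadable DEX.
    n = len(descriptors)
    sid_off, tid_off, cd_off = 0x70, 0x70 + 4 * n, 0x70 + 8 * n
    data_off, string_ids, data = cd_off + 32 * n, b"", b""
    for d in descriptors:
        string_ids += struct.pack("<I", data_off + len(data))
        data += bytes([len(d)]) + d.encode() + b"\x00"  # utf16_size (< 128 here) + MUTF-8 + NUL
    header = bytearray(0x70)
    header[:8] = b"dex\n035\x00"
    struct.pack_into("<IIII", header, 0x38, n, sid_off, n, tid_off)
    struct.pack_into("<II", header, 0x60, n, cd_off)
    type_ids = b"".join(struct.pack("<I", i) for i in range(n))
    class_defs = b"".join(struct.pack("<I", i) + bytes(28) for i in range(n))
    return bytes(header) + string_ids + type_ids + class_defs + data
```

To check a real build, open the APK with zipfile, pass each classes*.dex entry to minified_ratio, and treat a ratio near zero as a sign that the release configuration did not apply.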

References

[Shrink, obfuscate, and optimize your app (Android Developers)](https://developer.android.com/studio/build/shrink-code)