The Importance of Code Obfuscation and Polymorphism to Application Security
Share
Commentary
The Importance of Code Obfuscation and Polymorphism to Application Security
April 1, 2023
Table of Contents
By making source, byte, or machine code significantly more difficult to understand by humans, code obfuscation stands as an essential aspect of application security due to its consistent role in making it annoyingly complicated (if not nearly impossible) for attackers to reverse engineer code in any timely fashion.
Obviously, that’s important because vulnerable code could potentially reveal the application’s inner workings and its exploitable vulnerabilities. Obfuscated code is also far less susceptible to tampering, making it an essential component for ensuring applications’ code integrity.
8 Code Obfuscation Techniques
Code obfuscation techniques modify the code in such a way that it is still functional, and has a negligible impact on performance and memory footprint, yet is harder for cybercriminals to analyze. However, not all obfuscation solutions are the same.
Open-source approaches tend to focus on “minimizing” the app, with code obfuscation simply becoming a side-effect. This type of obfuscation doesn’t offer a barrier to attack. For strong obfuscation, control flow and other advanced techniques are required.
Some obfuscation techniques that are not typically present in open-source solutions include:
01
APK Manipulation
Adds dead or mutated code, increasing the app’s complexity without adding any data to the original flow of the functions. This technique makes the application more difficult to read without impacting its data flow or functions.
02
Mutated Conditional Code Insertion
Duplicates and changes legitimate code into dead code to confuse attackers.
03
Loop Unrolling
Changes loops to repeatable instances to stop pattern matching by altering the standard patterns that attackers typically seek out (including cryptographic patterns). This makes patterns too large to use pattern matching to catch a pattern.
04
Literal Values Substitution
Literal values are obfuscated and will not show up in the code during static analysis. Instead, they will be calculated during runtime when required by the application.
05
String Obfuscation
Strings are obfuscated and unreadable during static analysis. They will only be generated during runtime when the application requires them.
06
Go To Insertions
Adds redirects in the code to move from code block to code block, thus hiding the code structure.
07
Section Encryption
Encrypts the whole section of the binary, making it unreadable through static analysis. This technique applies to URLs and SQL statements used by applications, decreasing the chance of attackers reverse-engineering sensitive values.
08
Crypto-Vars
An enhanced version of section encryption that works in the application’s runtime. Values will be globally decrypted during runtime for the application to use when necessary. Once used, the values will be re-encrypted.
While code obfuscation allows for delaying reverse engineering attempts by making the code harder to analyze, malicious actors who analyze the code thoroughly can, given enough time, most likely understand the code and overcome the obfuscation. In response to such a situation, organizations need to be sure they employ multiple layers of protection in their RASP suite.
Polymorphism
In addition to RASP dynamic checks, which block debugging, hooking, proxy, and rooting attempts, static protections must also be in place, including the above obfuscation techniques and more tactics.
One of such tactics is code polymorphism – a technique that involves actively changing the code of an application during each of its compilation stages. Code polymorphism leads to a different result on each compilation, even though the source code did not change.
This type of protection makes it difficult for attackers to use information they gathered through experience, forcing them to begin from scratch for every build. The combination of multiple layers of code obfuscation and code polymorphism are some factors that provide organizations with far greater reverse engineering protection.
Overall, code obfuscation and code polymorphism serve as potent tools that make the reverse engineering process exponentially more difficult for malicious actors and prevent them from gaining unauthorized access to sensitive data or disrupting the operation of the application.
As a result, implementing these techniques allows businesses and organizations to ensure the security of their applications and protect against potentially devastating attacks.
Through this approach, the multi-layered application security method that includes both static and dynamic measures, allows for an enhanced scope of protection by having different security measures in different layers working together to protect against the ever-expanding attack vectors.
For information on Verimatrix’s zero-code injection technology stack and its numerous application security innovations, click here.
Master the art of code obfuscation and polymorphism
Protect your applications from malicious attacks! Sign up for our newsletter to learn about the latest techniques in code obfuscation and polymorphism for robust application security.
Written by
Dr. Klaus Schenk
Dr. Klaus Schenk is senior vice president of security and threat research at Verimatrix and serves as head of its VMX Labs.
Commentary
The Importance of Code Obfuscation and Polymorphism to Application Security
Table of Contents
By making source, byte, or machine code significantly more difficult to understand by humans, code obfuscation stands as an essential aspect of application security due to its consistent role in making it annoyingly complicated (if not nearly impossible) for attackers to reverse engineer code in any timely fashion.
Obviously, that’s important because vulnerable code could potentially reveal the application’s inner workings and its exploitable vulnerabilities. Obfuscated code is also far less susceptible to tampering, making it an essential component for ensuring applications’ code integrity.
8 Code Obfuscation Techniques
Code obfuscation techniques modify the code in such a way that it is still functional, and has a negligible impact on performance and memory footprint, yet is harder for cybercriminals to analyze. However, not all obfuscation solutions are the same.
Open-source approaches tend to focus on “minimizing” the app, with code obfuscation simply becoming a side-effect. This type of obfuscation doesn’t offer a barrier to attack. For strong obfuscation, control flow and other advanced techniques are required.
Some obfuscation techniques that are not typically present in open-source solutions include:
01
APK Manipulation
Adds dead or mutated code, increasing the app’s complexity without adding any data to the original flow of the functions. This technique makes the application more difficult to read without impacting its data flow or functions.
02
Mutated Conditional Code Insertion
Duplicates and changes legitimate code into dead code to confuse attackers.
03
Loop Unrolling
Changes loops to repeatable instances to stop pattern matching by altering the standard patterns that attackers typically seek out (including cryptographic patterns). This makes patterns too large to use pattern matching to catch a pattern.
04
Literal Values Substitution
Literal values are obfuscated and will not show up in the code during static analysis. Instead, they will be calculated during runtime when required by the application.
05
String Obfuscation
Strings are obfuscated and unreadable during static analysis. They will only be generated during runtime when the application requires them.
06
Go To Insertions
Adds redirects in the code to move from code block to code block, thus hiding the code structure.
07
Section Encryption
Encrypts the whole section of the binary, making it unreadable through static analysis. This technique applies to URLs and SQL statements used by applications, decreasing the chance of attackers reverse-engineering sensitive values.
08
Crypto-Vars
An enhanced version of section encryption that works in the application’s runtime. Values will be globally decrypted during runtime for the application to use when necessary. Once used, the values will be re-encrypted.
While code obfuscation allows for delaying reverse engineering attempts by making the code harder to analyze, malicious actors who analyze the code thoroughly can, given enough time, most likely understand the code and overcome the obfuscation. In response to such a situation, organizations need to be sure they employ multiple layers of protection in their RASP suite.
Polymorphism
In addition to RASP dynamic checks, which block debugging, hooking, proxy, and rooting attempts, static protections must also be in place, including the above obfuscation techniques and more tactics.
One of such tactics is code polymorphism – a technique that involves actively changing the code of an application during each of its compilation stages. Code polymorphism leads to a different result on each compilation, even though the source code did not change.
This type of protection makes it difficult for attackers to use information they gathered through experience, forcing them to begin from scratch for every build. The combination of multiple layers of code obfuscation and code polymorphism are some factors that provide organizations with far greater reverse engineering protection.
Overall, code obfuscation and code polymorphism serve as potent tools that make the reverse engineering process exponentially more difficult for malicious actors and prevent them from gaining unauthorized access to sensitive data or disrupting the operation of the application.
As a result, implementing these techniques allows businesses and organizations to ensure the security of their applications and protect against potentially devastating attacks.
Through this approach, the multi-layered application security method that includes both static and dynamic measures, allows for an enhanced scope of protection by having different security measures in different layers working together to protect against the ever-expanding attack vectors.
For information on Verimatrix’s zero-code injection technology stack and its numerous application security innovations, click here.
Master the art of code obfuscation and polymorphism
Written by
Dr. Klaus Schenk
Dr. Klaus Schenk is senior vice president of security and threat research at Verimatrix and serves as head of its VMX Labs.
Share this cybersecurity insight
Other cybersecurity insights
Salt Typhoon Exposes Critical Gaps in Mobile Security: CISA Reacts
When Apps Attack: HGS Hack, F@c! Messages and Bitcoin Ransoms
BoneSpy & PlainGnome: The Spyware Duo Disguised as Trusted Apps
Decoding Remo: The Evolving Android Banking Trojan