Code Obfuscation

Hi there,

I’ve searched the forums but can’t get a clear picture of this issue.

Is there any way of anyone reverse engineering a version of our app that has been published out for either iOS or Android via Corona?

I’m a PRO subscriber and am using our own keystore for Android (not the debug one).

I saw this info here: http://forums.coronalabs.com/topic/39625-proguard-on-pro-version/ and got the impression that all code published out via the PRO version would be obfuscated but another thread I read suggested that anyone with the right tools could reverse engineer any APK file and get all the variable names etc. quite easily.

Any help would be much appreciated.

Many thanks,

Ian

Hi.

  1. Corona does not do anything explicit to obfuscate Lua code.

  2. You can find Lua obfuscators on the web, but if you want a small head start, go here: http://roaminggamer.com/big-list-of-resources/ and search for the phrase "Lua Obfuscators".

Cheers,

-Ed

>> Is there any way

Any way??  Sure.  Someone willing to put the time in?  Depends - are you writing another flappy clone or a front end to Bank America?  And to what degree “reverse engineer”?  Fully reconstruct source code?  No.  Scrape a few ‘secrets’?  Likely.

tho keep in mind that, at best, a *source code* obfuscator will be minimally effective.  why?  cuz your source code isn’t distributed in the first place, so whitespace and comment removal don’t matter, and compiled code (w/ release key) is lacking debug information (so local variable/function names aren’t present anyway, so why bother mangling their names?).  and on the flip side, obfuscators can’t “safely” rename globals given the nature of Lua, so those aren’t going to get obfuscated (much) either way, and will be present (by name) in compiled code.  (of course, you can manually assign nonsense names to your globals - but that’ll just slow down a determined hacker rather than prevent)

btw, i’m using “global” somewhat generically here, to mean anything beyond current local scope (in which case the environment is accessed by index not name) - just run `luac -l` on something if you’re not sure what survives.  Strings definitely survive, including where used as table keys, so your facebook app ID, or admob id, or other such “secret” stuff is probably plainly visible in the compiled code.  (particularly if it were stored like this:  `mySecretStuff["FacebookAppID"]="fb1234567890"` - hacker would have all the clues they need)

Thanks for the responses guys. Much appreciated.

The app I’m considering building needs a reasonable amount of security but we’re not talking about people’s financial information or anything.

I’d like a way to make it as difficult as possible for people to gain access to variable names / the actual values assigned to those variables.

If I was assigning a string, say “Hello” to a variable called “Variable”, how would I make it as hard as possible for someone to get at the value “Hello”. Does that make sense?

I know I can encrypt it using base64 for example (or even SHA) but the original value would still be stored somewhere in the code.

Any experience with this / ideas much appreciated.

Thanks,

Ian
