MichaelRocks / paranoid

String obfuscator for Android applications.
Apache License 2.0

Can I decompile and then use DeobfuscatorHelper to get my string? #32

Closed tracer8 closed 4 years ago

tracer8 commented 4 years ago

Hi, after using Paranoid, I tried to decompile my app and I can see:

MichaelRocks commented 4 years ago

Hi, you can deobfuscate strings if you know their ids. So you have to extract all the ids from the bytecode first.

tracer8 commented 4 years ago

Hi, I just used one simple decompile tool to decompile my Android dex file, and then everything showed up like in the image below; it looks like it is easy to do.

[attached screenshot: Capture]

MichaelRocks commented 4 years ago

Yep, but this tool is expected to be used with an obfuscator like ProGuard/R8. And even when obfuscated, it's not extremely difficult to deobfuscate strings. If you really need to hide something, you shouldn't store it within the app and should use native code to work with sensitive data.

tracer8 commented 4 years ago

Oh, I got it; at least we can make the decompiler do more work before it can leak our code. Thank you!

MichaelRocks commented 4 years ago

In the last update the obfuscation was improved, and now you cannot easily dump all strings without processing all the bytecode. Unfortunately, deobfuscation is still an easy thing to do if one is interested and ready to spend some time. Moreover, it can be automated.

I believe string obfuscation should be mixed with some other techniques like decompilation protection and code obfuscation, but deobfuscation will be possible anyway.

If you have some ideas on how to make obfuscation stronger, feel free to share. I'll try to implement them with great pleasure.
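The point made in the thread above (a string obfuscator ships its own decoder and lookup data inside the APK, so every literal is recoverable by anyone who can drive that decoder, and sensitive values therefore do not belong in the app at all) is easiest to see on a toy model. The following Java is an added illustration, not Paranoid's code or scheme: it assumes a simplified build step that masks each literal with a per-entry XOR key and a runtime helper that unmasks by id. The sample literals are constructed; the names `obfuscate`, `getString` and `recoverEverything` are hypothetical and exist only for this example.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

/** Toy model of a build-time string obfuscator (constructed for illustration, not Paranoid's scheme). */
public final class StringObfuscationModel {

    /** One table row as it would be embedded in the app: id, per-entry key, masked bytes. */
    static final class Entry {
        final int id;
        final byte key;
        final byte[] masked;

        Entry(int id, byte key, byte[] masked) {
            this.id = id;
            this.key = key;
            this.masked = masked;
        }
    }

    /** Build step (hypothetical): replace every literal by a row the runtime helper can decode. */
    static List<Entry> obfuscate(String[] literals) {
        List<Entry> table = new ArrayList<>();
        for (int i = 0; i < literals.length; i++) {
            byte key = (byte) (0x5A ^ (i * 31));   // per-entry key derived only from the index
            byte[] plain = literals[i].getBytes(StandardCharsets.UTF_8);
            byte[] masked = new byte[plain.length];
            for (int j = 0; j < plain.length; j++) {
                masked[j] = (byte) (plain[j] ^ key);
            }
            table.add(new Entry(i, key, masked));
        }
        return table;
    }

    /** Runtime decoder that ships inside the app (the analogue of a deobfuscator helper). */
    static String getString(List<Entry> table, int id) {
        Entry e = table.get(id);
        byte[] plain = new byte[e.masked.length];
        for (int j = 0; j < plain.length; j++) {
            plain[j] = (byte) (e.masked[j] ^ e.key);
        }
        return new String(plain, StandardCharsets.UTF_8);
    }

    /**
     * Self-check a developer can run on the shipped table: because the key and the decoder travel
     * with the data, enumerating the ids recovers every literal. Whatever this returns is what a
     * reader of the APK can also obtain, so nothing sensitive should appear here.
     */
    static List<String> recoverEverything(List<Entry> table) {
        List<String> out = new ArrayList<>();
        for (Entry e : table) {
            out.add(getString(table, e.id));
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample literals; the host name is a reserved, non-routable placeholder.
        String[] literals = { "Hello", "api.example.invalid", "placeholder-not-a-real-secret" };
        List<Entry> table = obfuscate(literals);
        for (Entry e : table) {
            System.out.printf("id=%d key=0x%02x masked=%d bytes%n", e.id, e.key & 0xff, e.masked.length);
        }
        System.out.println("recoverable from the shipped table: " + recoverEverything(table));
    }
}
```

The masking hides the literals from a naive `strings`-style dump, which is the kind of friction the thread describes, but the round trip in `recoverEverything` shows why it is friction rather than protection: the decoder and every key are part of the artifact. That is the reason for the maintainer's advice to pair string obfuscation with ProGuard/R8 and to keep genuinely sensitive data out of the app rather than relying on the obfuscation to guard it.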