MichaelRocks / paranoid

String obfuscator for Android applications.
Apache License 2.0
673 stars 79 forks

I want to hide Deobfuscator on Reverse Engineering #6

Closed Faiyyaz closed 7 years ago

Faiyyaz commented 7 years ago

[Screenshot: deobfuscator]

I want to hide your deobfuscator class because if I didn't do it then everybody will be able to decode the strings used in my project using the array returned in the class.

So please help me and sorry for the disturbance.

MichaelRocks commented 7 years ago

@Faiyyaz The best approach would be to use a code obfuscator like ProGuard.

Faiyyaz commented 7 years ago

I'm using the same but it just changes the class name to something else and I can guess the encryption and break it.

And if you have any ProGuard example file, can you share the same with me if possible, where all the strings get hidden on reverse engineering?

MichaelRocks commented 7 years ago

Unfortunately there's no way to hide obfuscated strings so that they cannot be deobfuscated. The idea is simple: if your app can deobfuscate strings, why can't somebody else? So the best thing you can do is to make obfuscated strings harder to find in decompiled code.

Faiyyaz commented 7 years ago

Can you provide me some help or an example of ProGuard which you may have used in your projects?

MichaelRocks commented 7 years ago

I recommend you to start with this tutorial: https://developer.android.com/studio/build/shrink-code.html

You should set `minifyEnabled true` in `build.gradle` but probably you'll face some ProGuard-related bugs.

Faiyyaz commented 7 years ago

I have done the same in my project but the hardcoded string is still visible as before. That's why I was using your library, thinking that it can do the encryption part.

On 26-Apr-2017 3:20 PM, "Michael Rozumyanskiy" notifications@github.com wrote:

I recommend you to start with this tutorial: https://developer.android.com/studio/build/shrink-code.html

You should set minifyEnabled true in build.gradle but probably you'll face some ProGuard-related bugs.


MichaelRocks commented 7 years ago

Yep, ProGuard doesn't obfuscate strings, but if you obfuscate your strings with Paranoid and then obfuscate the app with ProGuard, the original strings shouldn't be visible anymore.

Faiyyaz commented 7 years ago

You are extremely right Michael, but the thing is, as you can see in the screenshot attached in the issue, on reverse engineering anyone can compile the string using the Deobfuscator class.

MichaelRocks commented 7 years ago

But if the Deobfuscator class is obfuscated by ProGuard it becomes much harder to find. What do you think obfuscated strings should look like so nobody can deobfuscate them?

Faiyyaz commented 7 years ago

Hmm, I know you are right at your side, but what I want is, suppose there is a login page where I have a param key "mobile", it should be changed to some string which is not readable on reverse engineering.

MichaelRocks commented 7 years ago

That's exactly what will happen if you process your project with Paranoid. There will be no hardcoded strings. Instead you'll see calls to Deobfuscator with some integer arguments. However, if someone wants to deobfuscate those strings and puts enough effort into reverse engineering your app, she'll be able to do that.
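The limit discussed in the comments above, as an added example that is not part of the original thread and not Paranoid's code: a toy string table (the class `ToyStringTable`, the XOR masking and the `SEED` value are all assumptions made for illustration) where call sites carry only an integer id, while the decode routine has to ship next to the data.

```java
import java.util.ArrayList;
import java.util.List;

// Toy scheme for illustration only; it is NOT Paranoid's real algorithm.
public class ToyStringTable {
    private static final int SEED = 0x5A17;                  // constructed value
    private final StringBuilder chunk = new StringBuilder(); // masked data that ships in the app
    private final List<int[]> index = new ArrayList<>();     // id -> {offset, length}

    // "Build time": store a masked copy of the literal and hand back an integer id.
    int add(String plain) {
        int offset = chunk.length();
        for (int i = 0; i < plain.length(); i++) {
            chunk.append((char) (plain.charAt(i) ^ mask(offset + i)));
        }
        index.add(new int[] {offset, plain.length()});
        return index.size() - 1;
    }

    // "Run time": the routine the app needs in order to get its own text back.
    String getString(int id) {
        int[] entry = index.get(id);
        StringBuilder out = new StringBuilder(entry[1]);
        for (int i = 0; i < entry[1]; i++) {
            out.append((char) (chunk.charAt(entry[0] + i) ^ mask(entry[0] + i)));
        }
        return out.toString();
    }

    // Position-dependent mask; XOR with the same value is its own inverse.
    private static char mask(int position) {
        return (char) ((SEED * (position + 1)) & 0x7FFF);
    }

    public static void main(String[] args) {
        ToyStringTable table = new ToyStringTable();
        int mobileId = table.add("mobile");    // sample literals, constructed
        int tokenId = table.add("api_token");

        // The literal no longer appears in the shipped data...
        System.out.println("chunk contains \"mobile\": "
                + table.chunk.toString().contains("mobile"));
        // ...and a call site only carries an integer argument.
        System.out.println("getString(" + mobileId + ") = " + table.getString(mobileId));
        // The same routine answers for every id, whatever the class is renamed to.
        System.out.println("getString(" + tokenId + ") = " + table.getString(tokenId));
    }
}
```

Running ProGuard over a class like this renames `ToyStringTable` and `getString`, which makes the routine harder to locate but leaves it callable, which is the trade-off described in the thread.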

Faiyyaz commented 7 years ago

Yes thank you for the time and your help and everything.

harikatam commented 4 years ago

Sorry to write it now, but I was checking if we can rename the deobfuscator class using ProGuard in your plugin, which will make it harder to find the class.