MohGovIL / Ramzor

https://corona.health.gov.il/en/ramzor-model
Creative Commons Zero v1.0 Universal

Disable obfuscation of binaries/app #19

Open emanuelb opened 2 years ago

emanuelb commented 2 years ago
  1. Disable AppDome obfuscation

The Android APK contains libloader.so files in the ./lib/arm64-v8a & ./lib/armeabi-v7a folders.

Running strings on the libloader.so file returns:

clang version 8.0.0 (tags/RELEASE_390/final) (git@gitlab.appdome.com:appdome/obfuscating-compiler.git 7bea07162c30f6878668d473b5d5fd2bb18fc253)

Also, running APKiD (https://github.com/rednaga/APKiD) on the APK file returns:

[+] APKiD 2.1.2 :: from RedNaga :: rednaga.io
[*] /input/com.moh.alert.ramzor.apk!classes.dex
 |-> anti_vm : Build.MANUFACTURER check, possible Build.SERIAL check
 |-> compiler : dexlib 2.x
 |-> protector : Appdome (dex)
[*] /input/com.moh.alert.ramzor.apk!classes2.dex
 |-> compiler : dexlib 2.x
[*] /input/com.moh.alert.ramzor.apk!lib/arm64-v8a/libloader.so
 |-> protector : Appdome
[*] /input/com.moh.alert.ramzor.apk!lib/armeabi-v7a/libloader.so
 |-> protector : Appdome

Thus Appdome is used to obfuscate ("protect") the app code, which makes it harder to understand what this file is doing.

  2. Disable ProGuard/R8 Obfuscation

This can be done by setting minifyEnabled false in build.gradle (if Gradle is used to build the app) or by adding -dontobfuscate to the proguard-rules.pro file. The obfuscation is what needs to be disabled; both shrinking & optimization can be enabled. More info: https://developer.android.com/studio/build/shrink-code

Fix: avoid all obfuscation/minification of the app & publish the source code of the app as well! When the source code is published, enabling minification is OK when the build process is reproducible.
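
The `strings` check on the native libraries described in the issue can be automated for release auditing. The following is an added example, not part of the original issue or the project's code: it scans every `lib/<abi>/*.so` entry of an APK for the compiler ident markers quoted above. The function names, the marker list and the sample archive are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Printable-ASCII runs of 6+ bytes, the same idea as the `strings` utility.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")
# Markers taken from the compiler ident string quoted in the issue (assumed list).
MARKERS = (b"appdome", b"obfuscating-compiler")


def scan_apk(apk_bytes):
    """Return {zip entry: [matching strings]} for native libs under lib/<abi>/."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue  # only native libraries are inspected here
            data = apk.read(name)
            hits = [
                run.decode("ascii")
                for run in PRINTABLE_RUN.findall(data)
                if any(marker in run.lower() for marker in MARKERS)
            ]
            if hits:
                findings[name] = hits
    return findings


def build_sample_apk():
    """Constructed sample: a ZIP shaped like an APK, not the real Ramzor APK."""
    ident = (b"clang version 8.0.0 (tags/RELEASE_390/final) "
             b"(git@gitlab.appdome.com:appdome/obfuscating-compiler.git "
             b"7bea07162c30f6878668d473b5d5fd2bb18fc253)")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("lib/arm64-v8a/libloader.so", b"\x7fELF\x02\x01\x00" + ident + b"\x00")
        apk.writestr("lib/armeabi-v7a/libloader.so", b"\x7fELF\x01\x01\x00" + ident + b"\x00")
        # Control entries: a native lib without the marker, and a non-native file with it.
        apk.writestr("lib/arm64-v8a/libplain.so", b"\x7fELF\x02\x01\x00clang version 8.0.0\x00")
        apk.writestr("classes.dex", b"dex\n035\x00appdome-but-not-a-native-lib")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, strings_found in scan_apk(build_sample_apk()).items():
        print(entry)
        for s in strings_found:
            print("   ", s)
```

This only covers the native-library string check; the DEX-level detection in the APKiD output relies on APKiD's own rules and is not reproduced here.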