flutter / flutter

Flutter makes it easy and fast to build beautiful apps for mobile and beyond
https://flutter.dev
BSD 3-Clause "New" or "Revised" License

Native Code Obfuscation #148468

Open falt008 opened 1 month ago

falt008 commented 1 month ago

Use case

Our App is using the package https://github.com/jeroentrappers/flutter_jailbreak_detection to detect Jailbreak on iOS and prevent usage of the App if it is detected. Recently we commissioned a company to pen test the app. One of the findings was that the Jailbreak detection could be easily circumvented by using a publicly known exploit with their reverse engineering suite Frida (https://github.com/CyberCX-STA/flutter-jailbreak-root-detection-bypass/blob/main/flutter-jb-bypass-ios-short.js).

This seems to work by overriding the return value of the native function amIJailbroken of the CocoaPod dependency IOSSecuritySuite which is used by the package to detect if the device is Jailbroken.

Interceptor.attach(Module.findExportByName("IOSSecuritySuite", "$s16IOSSecuritySuiteAAC13amIJailbrokenSbyFZ"), {
  onLeave: function(retval) {
    retval.replace(0x0);
  }
});

When you build a release version of your app with code obfuscation enabled it seems to me that only dart code is obfuscated. I verified this by building the app with:

flutter build ipa --flavor prod -t lib/src/flavor/main_prod.dart --no-tree-shake-icons --obfuscate --split-debug-info=/tmp/info --export-method enterprise

And then unzipping the ipa file and using grep to search for the symbol name, which is found:

falt008@mac-falt008 Runner.app % grep -Rin '$s16IOSSecuritySuiteAAC13amIJailbrokenSbyFZ'
Binary file ./Frameworks/flutter_jailbreak_detection.framework/flutter_jailbreak_detection matches
Binary file ./Frameworks/IOSSecuritySuite.framework/IOSSecuritySuite matches

Proposal

It would be awesome if flutter supported code obfuscation of the native iOS and Android code (including their dependencies) to make it harder for attackers to change the behavior of the app which is determined by native code. With native code obfuscation an attacker has to have more reverse engineering knowledge and invest more effort instead of using an "off the shelf" exploit.

If there currently is a way to do native code obfuscation please let me know.
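A post-build check that automates the grep step from this report, added here as an example rather than code from the issue or from Flutter itself: it scans an unpacked `.app` directory for a list of symbol names and fails when any of them is still present in a binary. The `check_symbols` and `check_ipa` functions and the symbol list are assumptions; the mangled Swift name is the one quoted above.

```sh
#!/bin/sh
# Added example (not from the issue or from Flutter): fail a release build
# when known-sensitive native symbol names are still visible in the bundle.

# Symbols whose presence shows the native code was not obfuscated.
# The first entry is the mangled name quoted in the issue; the second is a
# constructed plain-text variant. One pattern per line, no blank lines.
SENSITIVE_SYMBOLS='$s16IOSSecuritySuiteAAC13amIJailbrokenSbyFZ
amIJailbroken'

# check_symbols APP_DIR
# Returns 1 (and lists the offending files on stderr) if any symbol is found.
check_symbols() {
    app_dir=$1
    sym_file=$(mktemp)
    printf '%s\n' "$SENSITIVE_SYMBOLS" > "$sym_file"
    # -R recurse, -l print matching file names only, -a treat binaries as
    # text, -F fixed strings so the '$' in the mangled name is not an anchor,
    # -f read one pattern per line from the temp file.
    matches=$(grep -RlaF -f "$sym_file" "$app_dir" 2>/dev/null)
    rm -f "$sym_file"
    if [ -n "$matches" ]; then
        printf 'Unobfuscated symbol found in:\n%s\n' "$matches" >&2
        return 1
    fi
    return 0
}

# check_ipa FILE.ipa
# Unzips the archive into a temp dir and checks every .app inside Payload/.
check_ipa() {
    work=$(mktemp -d)
    unzip -q "$1" -d "$work" || return 2
    status=0
    for app in "$work"/Payload/*.app; do
        check_symbols "$app" || status=1
    done
    rm -rf "$work"
    return $status
}

# Usage: ./check_symbols.sh build/ios/ipa/Runner.ipa
if [ $# -gt 0 ]; then
    check_ipa "$1"
fi
```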

danagbemava-nc commented 1 month ago

Hi @falt008, do you use proguard & r8 for your android app? I think for android it should suffice. That is what the android docs recommend https://developer.android.com/build/shrink-code#obfuscate

falt008 commented 1 month ago

Hi @danagbemava-nc, we currently do not have an Android version of our App - only iOS. Does proguard solve this issue (including dependencies) for Android?

danagbemava-nc commented 1 month ago

Hi @falt008, afaik, using proguard & r8 should resolve this for android. Although a motivated attacker can still get sensitive data in your code if you don't employ additional security measures. Regarding iOS, do you know of any way (without third-party intervention) to obfuscate the code?

falt008 commented 1 month ago

@danagbemava-nc As I have little experience with native iOS development I don't know any way to do this. I found some third party obfuscation tools but most of them seem to be deprecated or have to be licensed (SwiftShield, obfuscator-llvm, iXGuard). I guess you would also need a way to obfuscate Objective-C code if it is still used by some packages for their native implementation? I don't know how widely used Objective-C is compared to Swift.

danagbemava-nc commented 1 month ago

I also tried searching online for ways to obfuscate iOS/swift code but I saw the same libraries that you did which were either not maintained or required a license.

This however seems like a good feature to support if we can. I'm not entirely familiar with what obfuscation support is like for the other platforms flutter supports as well so I'll be labeling this as a proposal for further insight from the team.