People are aware that code compiled from languages like C/C++ can also be reverse engineered, right? Yeah, not as easy as Java bytecode; but still easy enough for any dedicated attacker. With decompilers like http://boomerang.sourceforge.net/cando.php, you get C-ish code that's not significantly harder to read than decompiled Proguard-processed Java code. In both cases you lose most non-public symbols and some structure; in both cases, obfuscation works best for very low-level, self-contained code (i.e. your 1000-line decrypt function) but it's next to useless for most "application-level" code that needs to be well structured and rely on tons of library calls.
Of course native languages make obfuscation better, and make reverse engineering harder. It's just not orders of magnitude harder. I'll concede native code is a decent defense for "casual" reverse engineering – most programmers can't even read any Assembly (kids these days...) – and even with experts, RE can be significantly more time-consuming than writing similar code from scratch. OTOH, as protection for application secrets encoded into software, forget about it: no level of code obfuscation will protect it from elite hackers. If it can be decoded and executed by a CPU, it can be read and understood by a person.
Now, in the exchange below with +Alex Ruiz, I think there's some missing context: that +Rennie Allen is not just some C++ coder that ignores all the above; he works for a company that specializes in securing code for critical functionality such as license enforcement, cryptography, DRM etc. And like you would expect, the programming language is only part of a bag of tricks that includes "...Pre-Damage, Encryption, ... Jailbreak or Root Detection, Checksum, Debugger Detection" etc. Even with these techniques obfuscation is not infallible, but it can be made sufficiently hard / expensive to achieve its purpose. (But then again, there are commercial Java obfuscators that implement similar techniques like code and resource encryption and tampering detection; Proguard is popular because it's free but it doesn't even try to really secure code. I would describe it only as a good bytecode shrinker/optimizer.) I'm only worried that anyone may be fooled into confusing "very hard" with "impossible". It's OK if a game company uses obfuscation to minimize piracy; it's totally NOT OK if a bank relies on that for any critical aspect of securing their mobile app (security-through-obscurity).