In software development, securing the application source code is important. When delivering client applications, there is a chance that attackers will decompile the application through reverse engineering to get the application source code.

To secure a client application, there is a technique called Obfuscation. With obfuscation, the source code is no longer useful/human-readable for attackers but keeps the full functionalities. The obfuscation process will modify the source code metadata or instructions and include the following possible strategies:

• Rename classes, methods, and variables

• Modify program structures

• Transform arithmetic and logical expressions

• Encrypt strings, classes, etc.

• Remove metadata

Applying the obfuscation process can make the applications difficult to decompile and hard to understand the logic. That said, this technique can secure the source code by making the source code difficult for humans to read. Now, the attacker is hard to reverse engineer an application after applying obfuscation.

Unlike encryption, obfuscation does not need a secret key to encode the original content. It is more like an encoding because it can be reversed by using the same algorithm that obfuscated it. But the purpose of obfuscation is different from the encoding. The purpose of encoding is converting data to a system-readable format, but for obfuscation, its purpose is to prevent people from understanding the actual meaning and is often used in protecting application source code.

Read more about Encoding:

Awesome Software Engineer

Hashing vs Encryption vs Encoding

In software development, hashing, encryption, and encoding are used a lot in different scenarios. Getting confused with these concepts may lead to falling into security traps. After reading this post, I expect you will understand the difference between them…

Read more

2 years ago · Ray Chong

Let’s take JavaScript Obfuscation as an example:

The actual source code:

function hi() {
  console.log("Hello World!");
}
hi();

After applying obfuscation:

function _0x1e50(_0x2bf844,_0xfd6b81){var _0x2b3071=_0x2b30();return _0x1e50=function(_0x1e502d,_0x595ceb){_0x1e502d=_0x1e502d-0xb7;var _0x2853eb=_0x2b3071[_0x1e502d];return _0x2853eb;},_0x1e50(_0x2bf844,_0xfd6b81);}function _0x2b30(){var _0x1687cc=['2428eByxld','1797OjHlVo','406284uKGFQT','7TzXasg','3522618PRXUxT','5927576hmAJCg','1859764mpnZMM','4503700sUCuhs','Hello\x20World!','log','35MoCKqC','802871wlLytj'];_0x2b30=function(){return _0x1687cc;};return _0x2b30();}(function(_0x1f62f4,_0x976ec){var _0x2e0bcb=_0x1e50,_0x3ca39a=_0x1f62f4();while(!![]){try{var _0x1a207a=parseInt(_0x2e0bcb(0xc0))/0x1+parseInt(_0x2e0bcb(0xc1))/0x2*(parseInt(_0x2e0bcb(0xc2))/0x3)+-parseInt(_0x2e0bcb(0xbb))/0x4+-parseInt(_0x2e0bcb(0xbf))/0x5*(parseInt(_0x2e0bcb(0xb7))/0x6)+-parseInt(_0x2e0bcb(0xb8))/0x7*(-parseInt(_0x2e0bcb(0xba))/0x8)+-parseInt(_0x2e0bcb(0xb9))/0x9+-parseInt(_0x2e0bcb(0xbc))/0xa;if(_0x1a207a===_0x976ec)break;else _0x3ca39a['push'](_0x3ca39a['shift']());}catch(_0x5f3705){_0x3ca39a['push'](_0x3ca39a['shift']());}}}(_0x2b30,0x77b35));function hi(){var _0x106bbf=_0x1e50;console[_0x106bbf(0xbe)](_0x106bbf(0xbd));}hi();

Now, the source code is totally unreadable by humans but the functionality is still the same as the actual code.

JavaScript Obfuscator: https://obfuscator.io/

This technique can be applied to different programming languages like Java, C#, Python, etc.

To sum up, obfuscation can protect the application source code by modifying the instructions and metadata but it may decrease the application performance, even if it is minor.

Share Awesome Software Engineer

Follow Our LinkedIn