Type: Task
Resolution: Done
Priority: Medium
Affects Version/s: None
Sprint: FLW Sprint 37, FLW Sprint 38, FLW Sprint 39
FLW Mobile App
All
Application code is not obfuscated, enabling easy reverse engineering.
Impact:
Allows extraction of logic, APIs, keys, and sensitive components.
Vulnerability Name: Lack of code obfuscation
Vulnerable URL / Component: Android Application
CVE/CWE: CWE-667 (as recorded; note that CWE-667 is "Improper Locking", so the mapping should be verified before this finding is published)
CVSS Score: 3.6
Overall Risk (Severity): Low
Observation / Description: When developers do not obfuscate the code when compiling the binary, an attacker can decompile it with tools such as JD-GUI or jadx-gui and read class, method and field names, string constants and control flow exactly as written.
Impact: This vulnerability can lead to the following business risks for the organization that owns the app:
• Decompiling the source code of the application
• Debugging the application
• Understanding the internal structure of the application, which can lead to a cracked version of the application
Recommendation: To prevent effective reverse engineering, use an obfuscation tool. There are many free and commercial-grade obfuscators on the market; conversely, there are many deobfuscators. To measure the effectiveness of whatever obfuscation tool you choose, try to recover the code with tools like IDA Pro and Hopper. A good obfuscator has the following abilities:
1. Narrow down which methods / code segments to obfuscate
2. Tune the degree of obfuscation to balance performance impact
3. Withstand de-obfuscation by tools like IDA Pro and Hopper
4. Obfuscate string tables as well as methods
Obfuscation only raises the cost of analysis; it does not hide secrets. API keys or credentials embedded in the app should be removed from the client rather than obfuscated.
Reference: https://owasp.org/www-project-mobile-top-10/2016-risks/m9-reverse-engineering
Steps to reproduce: Step 1: During the security assessment, we decompiled the APK with jadx-gui and obtained the sources under com.piramalswasthya.sakhi. The app code was not obfuscated, which gives an attacker full insight into the application through the recovered source code.
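The following is an added example, not the project's own build file and not part of the OWASP text above. It assumes an Android app module built with the Android Gradle Plugin using the Kotlin DSL (app/build.gradle.kts); the namespace com.example.app, the SDK levels, the verifyObfuscation task name and the 20% threshold are assumptions. Setting isMinifyEnabled on the release build type turns on R8, which renames classes, methods and fields and removes unused code; R8 then writes the rename map to build/outputs/mapping/release/mapping.txt. The added task reads that map and fails the build when too many classes kept their original names, which is the quickest way to confirm that what jadx-gui shows in the steps to reproduce no longer appears in the shipped APK.

```kotlin
// app/build.gradle.kts (added example, not the project's own build file)
plugins {
    id("com.android.application")
    id("org.jetbrains.kotlin.android")
}

android {
    namespace = "com.example.app"      // assumed placeholder namespace
    compileSdk = 34

    defaultConfig {
        applicationId = "com.example.app"
        minSdk = 24
        targetSdk = 34
    }

    buildTypes {
        release {
            // R8: rename identifiers and strip unused code from the release build.
            isMinifyEnabled = true
            // Drop unused resources too, so fewer identifiable artifacts survive.
            isShrinkResources = true
            proguardFiles(
                getDefaultProguardFile("proguard-android-optimize.txt"),
                "proguard-rules.pro"   // project keep rules (e.g. reflection-based serializers)
            )
        }
        debug {
            // Debug builds stay readable; only release builds are shipped.
            isMinifyEnabled = false
        }
    }
}

// Build-time check (assumed task name): parse the R8 mapping and fail when
// too many classes kept their real names. Class lines in mapping.txt look like
//   com.example.app.net.ApiClient -> a.b.c:
// while member lines are indented and header lines start with '#'.
tasks.register("verifyObfuscation") {
    dependsOn("assembleRelease")
    doLast {
        val mapping = layout.buildDirectory
            .file("outputs/mapping/release/mapping.txt").get().asFile
        check(mapping.exists()) {
            "No R8 mapping file found: is isMinifyEnabled set on the release build type?"
        }
        val classLines = mapping.readLines()
            .filter { !it.startsWith(" ") && !it.startsWith("#") && it.endsWith(":") }
        val kept = classLines.filter { line ->
            val (original, obfuscated) = line.removeSuffix(":").split(" -> ")
            original == obfuscated
        }
        val ratio = if (classLines.isEmpty()) 1.0 else kept.size.toDouble() / classLines.size
        logger.lifecycle("${kept.size}/${classLines.size} classes kept their original name")
        kept.forEach { logger.lifecycle("  kept: ${it.substringBefore(" -> ")}") }
        // 20% is an assumed budget for classes legitimately kept by -keep rules
        // (manifest-declared Activities, Services and other entry points).
        check(ratio < 0.20) {
            "Obfuscation too weak: ${"%.0f".format(ratio * 100)}% of classes are unrenamed"
        }
    }
}
```

Run `./gradlew verifyObfuscation`, then decompile the release APK with jadx-gui as in the steps to reproduce: only the entry points kept by the manifest and any explicit -keep rules should still carry readable names. Two caveats: R8 satisfies items 1 to 3 of the recommendation through keep rules and optimisation settings but does not encrypt string constants (item 4), which requires a commercial tool such as DexGuard or an additional string-encryption step; and mapping.txt must be archived for crash de-symbolication but never packaged into the APK.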