$ git clone https://github.com/ClaudiuGeorgiu/Obfuscapk.git

$ docker --version             
Docker version 19.03.0, build aeac949

$ # Download the Docker image.
$ docker pull claudiugeorgiu/obfuscapk
$ # Give it a shorter name.
$ docker tag claudiugeorgiu/obfuscapk obfuscapk

$ # Make sure to run the command in Obfuscapk/src/ directory.
$ # It will take some time to download and install all the dependencies.
$ docker build -t obfuscapk .

$ docker run --rm -it obfuscapk --help
usage: python3.7 -m obfuscapk.cli [-h] -o OBFUSCATOR [-w DIR] [-d OUT_APK]
...

$ apktool          
Apktool v2.4.0 - a tool for reengineering Android apk files
...

$ jarsigner
Usage: jarsigner [options] jar-file alias
       jarsigner -verify [options] jar-file [alias...]
...

$ zipalign
Zip alignment utility
Copyright (C) 2009 The Android Open Source Project
...

$ # Make sure to run the commands in Obfuscapk/ directory.

$ # The usage of a virtual environment is highly recommended, e.g., virtualenv.
$ # If not using virtualenv (https://virtualenv.pypa.io/), skip the next 2 lines.
$ virtualenv -p python3.7 venv
$ source venv/bin/activate

$ # Install Obfuscapk's requirements.
$ python3.7 -m pip install -r src/requirements.txt

$ cd src/
$ # The following command has to be executed always from Obfuscapk/src/ directory
$ # or by adding Obfuscapk/src/ directory to PYTHONPATH environment variable.
$ python3.7 -m obfuscapk.cli --help
usage: python3.7 -m obfuscapk.cli [-h] -o OBFUSCATOR [-w DIR] [-d OUT_APK]
...

•  Docker image: a local directory containing the application to obfuscate has to be mounted to /workdir in the container (e.g., the current directory "${PWD}"), so the command:
  

  $ obfuscapk [params...]

  becomes:
  

  $ docker run --rm -it -u $(id -u):$(id -g) -v "${PWD}":"/workdir" obfuscapk [params...]

•  From source: every instruction has to be executed from the Obfuscapk/src/ directory (or by adding Obfuscapk/src/ directory to PYTHONPATH environment variable) and the command:
  

  $ obfuscapk [params...]

  becomes:
  

  $ python3.7 -m obfuscapk.cli [params...]

$ obfuscapk --help
obfuscapk [-h] -o OBFUSCATOR [-w DIR] [-d OUT_APK] [-i] [-p] [-k VT_API_KEY] 

•  -w DIR is used to set the working directory where to save the intermediate files (generated by apktool). If not specified, a directory named obfuscation_working_dir is created in the same directory as the input application. This can be useful for debugging purposes, but if it's not needed it can be set to a temporary directory (e.g., -w /tmp/).
•  -d OUT_APK is used to set the path of the destination file: the apk file generated by the obfuscation process (e.g., -d /home/user/Desktop/obfuscated.apk). If not specified, the final obfuscated file will be saved inside the working directory. Note: existing files will be overwritten without any warning.
•  -i is a flag for ignoring known third party libraries during the obfuscation, in order to use less resources, to increase performances and to reduce the risk of errors. The list of libraries to ignore is adapted from LiteRadar project.
•  -p is a flag for showing progress bars during the obfuscation operations. When using the tool in batch operations/automatic builds it's convenient to have progress bars disabled, otherwise this flag should be enabled to see the obfuscation progress.
•  -k VT_API_KEY is needed only when using VirusTotal obfuscator, to set the API key(s) to be used when communicating with Virus Total. Can be set multiple times to cycle through the API keys during the requests (e.g., -k VALID_VT_KEY_1 -k VALID_VT_KEY_2).

$ # original.apk is a valid Android apk file.
$ obfuscapk -o RandomManifest -o Rebuild -o NewSignature -o NewAlignment original.apk

•  since no working directory was specified, a new working directory (obfuscation_working_dir) is created in the same location as original.apk (this can be useful to inspect the smali files/manifest/resources in case of errors)
•  some checks are performed in order to make sure that all the needed files/executables are available
•  the actual obfuscation process begins: the specified obfuscators are executed (in order) one by one until there's no obfuscator left or until an error is encountered
  
  •  when running the first obfuscator, original.apk is decompiled with apktool and the results are stored into the working directory
  •  since the first obfuscator is RandomManifest, the entries in the decompiled Android manifest are reordered randomly (without breaking the xml structures)
  •  Rebuild obfuscator simply rebuilds the application (now with the modified manifest) using apktool, and since no output file was specified, the resulting apk file is saved in the working directory created before
  •  NewSignature obfuscator signs the newly created apk file with a custom certificate contained in this keystore
  •  NewAlignment obfuscator uses zipalign tool to align the resulting apk file
•  when all the obfuscators have been executed without errors, the resulting obfuscated apk file can be found in obfuscation_working_dir/original_obfuscated.apk, signed, aligned and ready to be installed into a device/emulator

•  Trivial: as the name suggests, this category includes simple operations (that do not modify much the original application), like signing the apk file with a new signature.
•  Rename: operations that change the names of the used identifiers (classes, fields, methods).
•  Encryption: packaging encrypted code/resources and decrypting them during the app execution. When Obfuscapk starts, it automatically generates a random secret key (32 characters long, using ASCII letters and digits) that will be used for encryption.
•  Code: all the operations that involve the modification of the decompiled source code.
•  Resources: operations on the resource files (like modifying the manifest).
•  Other

 Uses reflection to invoke dangerous APIs of the Android Framework. In order to find out if a method belongs to the Android Framework, Obfuscapk refers to the mapping discovered by Backes et al.

 Insert junk code. In this case, the junk code is composed by arithmetic computations and a branch instruction depending on the result of these computations, crafted in such a way that the branch is never taken.

 Encrypt asset files.

 This technique modifies the control-flow graph without impacting the code semantics: it adds new methods that invoke the original ones. For example, an invocation to the method m1 will be substituted by a new wrapper method m2, that, when invoked, it calls the original method m1.

 Change the package name and rename classes (even in the manifest file).

 Encrypt constant strings in code.

 Remove debug information.

 Rename fields.

 Given a method, it inserts a goto instruction pointing to the end of the method and another goto pointing to the instruction after the first goto; it modifies the control-flow graph by adding two new nodes.

 Encrypt native libs.

 It exploits the overloading feature of the Java programming language to assign the same name to different methods but using different arguments. Given an already existing method, this technique creates a new void method with the same name and arguments, but it also adds new random arguments. Then, the body of the new method is filled with random arithmetic instructions.

 Rename methods.

 Realign the application.

 Re-sign the application with a new custom signature.

 Insert junk code. Nop, short for no-operation, is a dedicated instruction that does nothing. This technique just inserts random nop instructions within every method implementation.

 Randomly reorder entries in the manifest file.

 Rebuild the application.

 This technique analyzes the existing code looking for method invocations of the app, ignoring the calls to the Android framework (see AdvancedReflection). If it finds an instruction with a suitable method invocation (i.e., no constructor methods, public visibility, enough free registers, etc.) such invocation is redirected to a custom method that will invoke the original method using the Reflection APIs.

 This technique consists of changing the order of basic blocks in the code. When a branch instruction is found, the condition is inverted (e.g., branch if lower than, becomes branch if greater or equal than) and the target basic blocks are reordered accordingly. Furthermore, it also randomly re-arranges the code abusing goto instructions.

 Encrypt strings in resources (only those called inside code).

 Send the original and the obfuscated application to Virus Total. You must provide the VT API key (see -k option).

• Simone Aonzo - Research Assistant
• Gabriel Claudiu Georgiu - Core Developer
• Luca Verderame - Postdoctoral Researcher
• Alessio Merlo - Faculty Member