App obfuscation

Enabling full app obfuscation requires thorough and detailed knowledge of the app, its components, and any third-party libraries that are used. If problems occur with obfuscation, use the following troubleshooting strategies:

  • Detect and remove reflection to avoid issues with renaming during obfuscation.
  • Adjust the rules list to prevent individual code parts from being obfuscated.

When troubleshooting obfuscation, shielding the application in debug mode can help you identify issues. To enable shielding in debug mode, use the Debug option on the OneSpan Customer Portal or OneSpan Mobile Portal.

Detect reflection

Reflection can cause problems when used in combination with app obfuscation. It includes uses of Class.forName, Class.getMethod, Class.getField etc., as well as native libraries access of Java classes/members through JNI.

Custom views in layout XML files are also created through reflection. App Shielding attempts to parse through these XML files and updates references to these classes.

Reflection can come with additional problems that complicate troubleshooting obfuscation:

  • Crash reporting tools (e.g. Crashlytics) may consume exceptions, which makes it more difficult to detect issues. If the app crashes too early, crash reporting tools will not be able to record these crashes.
  • Exceptions from failed reflection may be caught and not output to console. This can lead to future issues (e.g. NullPointerException), when a different section of the code tries to use objects instantiated by the failed reflection.

The Android Studio debugger can help you identify cases of reflection. It can detect reflections even when an UncaughtExceptionHandler is used, or when exceptions that later lead to crashes are swallowed by try/catches.

To debug with Android Studio

  1. Compile and build the app in debug mode.
  2. On the test device or emulator, go to Settings > Developer options > Select debug app, and enable the Wait for debugger option.
  3. Select the app to debug.
  4. Start the app. The message "Waiting for debugger" is displayed.

  5. In Android Studio, set breakpoints in locations as needed:

    • Class.forName, Class.getMethod, Class.getField
    • Constructor for java.lang.ReflectiveOperationException
    • Constructor for java.lang.NullPointerException

    When navigating these classes, you need to select the correct source depending on the operating system version on the device.

    You can set these breakpoints to Evaluate and log instead of suspending them. You can also use a condition so that they will only react when they are about to return null or throw an exception.

  6. In Android Studio, go to Run > Attach Debugger to Android Process.
  7. In the Choose process dialog, select the app and click OK.

  8. Debug through the app.

    Each time reflection is used or fails, verify whether the name requested in the reflection reverts to the pre-obfuscated name. If it does, check whether the code section that performs the reflection can be updated to no longer use reflection.

    Alternatively, you can add the requested names to the rules list, which will prevent them from being obfuscated. For more information about and options to modify the rules list, see Adjust the rules list and Configuration of Shielding Tool rules.

  9. Repeat steps 2, 7, and 8 for all cases of reflection in the app.

Adjust the rules list

In the rules list, you need to specify how Mobile Application Shielding will modify your app in the context of obfuscation. The rules list is located on the Configuration Page of the OneSpan Customer Portal or in the OneSpan Mobile Portal.

To modify the rules list

  1. In a web browser, go to the OneSpan Customer Portal or OneSpan Mobile Portal and sign in.

  2. Select the configuration for which you need to adjust the rules list.

  3. Under Settings, add, edit, or remove exclusion rules as needed.

When troubleshooting obfuscation, it is important to keep in mind that adjusting the rules list is usually not a straightforward process but involves some fine-tuning and trial-and-error. There are various options you can use to modify individual code parts via obfuscation, or to prevent them from being obfuscated. For a detailed list of class and member operations you can use to adjust obfuscation, see Configuration of Shielding Tool rules.