Sherlocked Security – Mobile App Hardening & Obfuscation

Protect Mobile Applications from Reverse Engineering and Tampering

1. Statement of Work (SOW)

Service Name: Mobile App Hardening & Obfuscation
Client Type: Mobile App Developers, Enterprises, SaaS Providers, FinTechs
Service Model: Static & Dynamic Mobile App Hardening – Manual + Automated
Compliance Coverage: OWASP Mobile Top 10, PCI-DSS, GDPR, SOC 2, ISO 27001

Assessment Types:

Mobile App Reverse Engineering Protection
Code Obfuscation & Encryption
Tamper Detection & Prevention
Root/Jailbreak Detection
Data Leakage Prevention
Secure Communication (TLS) Review
Binary Security Testing

2. Our Approach

[Initial App Mapping] → [Automated Static Analysis] → [Obfuscation Techniques] → [Root/Jailbreak Detection] → [Runtime Protection Mechanisms] → [Tamper Detection & Prevention] → [Risk Reporting] → [Remediation Support] → [Revalidation]

3. Methodology

[Static Code Review] → [Dynamic Analysis on Device/Emulator] → [Obfuscation and Code Hardening] → [Anti-Tampering Mechanisms] → [Security Controls Implementation] → [Custom Test Case Execution] → [False Positive Review] → [Report Delivery]

4. Deliverables to the Client

Mobile App Hardening & Obfuscation Report
Vulnerability Summary (OWASP Mobile Top 10 Mapped)
Screenshots and Proof-of-Concepts (PoCs)
App Code Obfuscation Summary
Root/Jailbreak Detection Results
Data Leakage Prevention Report
Tamper Detection & Prevention Summary
Remediation Recommendations with Examples
Revalidation Report Post-Fix
Optional: CI/CD Integration Guidelines

5. What We Need from You (Client Requirements)

Source code of the mobile application (iOS/Android)
Access to app build tools or CI/CD pipeline for deployment
Target device specifications (iOS/Android versions, screen sizes)
List of external libraries or SDKs integrated into the app
NDA and scope sign-off prior to engagement

6. Tools & Technology Stack

ProGuard / R8 (Android)
iXGuard (iOS)
Obfuscator-LLVM (iOS/Android)
Burp Suite for Mobile App Proxy Testing
Frida, Xposed Framework for Runtime Manipulation
JADX, APKTool for Reverse Engineering
MobSF (Mobile Security Framework)
iOS Keychain & Secure Storage Testing Tools
Root/Jailbreak Detection Tools

7. Engagement Lifecycle

1. Kickoff & Scope Definition → 2. App Access & Code Setup → 3. Static & Dynamic Hardening Phase (2–3 weeks typical) → 4. Report Draft → 5. Remediation Advisory → 6. Revalidation Scan → 7. Final Report + Certificate

8. Why Sherlocked Security?

Feature	Sherlocked Advantage
Automated & Manual Hardening	Hybrid approach combining static analysis and dynamic protection methods
Reverse Engineering Resistance	Code obfuscation & anti-debugging to prevent tampering
Root/Jailbreak Detection	Advanced detection techniques to prevent app manipulation on rooted/jailbroken devices
Secure Data Storage	Ensures sensitive data is protected with strong encryption & secure storage practices
Custom Test Case Execution	Tailored to app-specific business logic and security concerns
Comprehensive Reporting	Provides actionable insights and security remediation guidance
Ongoing Support & Revalidation	Helps ensure that the app remains secure after each release

9. Real-World Case Studies

Healthcare App: Preventing Reverse Engineering of Sensitive Data

Issue: Sensitive medical records were being exposed via reverse-engineered APK.
Impact: Potential leakage of personal health information (PHI).
Our Role: Applied ProGuard for code obfuscation, integrated tamper detection, and added encryption to local storage.
Outcome: App security was improved, preventing reverse-engineering attempts.

Financial App: Jailbreak Detection for Secure Transactions

Client: Digital Banking Application
Findings: The app failed to detect jailbroken devices, exposing users to risks.
Outcome: Implemented advanced root/jailbreak detection methods, ensuring only secure devices could access sensitive financial transactions.

10. SOP – Standard Operating Procedure

Scope Definition & App Discovery
Static Analysis of Source Code
Code Obfuscation & Runtime Protection Setup
Root/Jailbreak Detection Integration
Secure Communication & Data Encryption Testing
Tamper Prevention & Anti-Debugging Mechanisms
Reporting with Technical Findings & Risk Mapping
Developer Walkthrough or Advisory (Optional)
Revalidation Scan & Final Closure

11. Mobile App Hardening & Obfuscation Checklist

1. Static Code Analysis & Obfuscation

1.1 Source Code Review

Review source code for hardcoded sensitive information such as API keys, passwords, and encryption keys.
Ensure all API calls are secured using HTTPS (no hardcoded HTTP endpoints).
Check for insecure use of cryptographic functions (e.g., weak algorithms like MD5 or SHA1).
Identify and remove unnecessary permissions in the app manifest file.
Examine third-party libraries for known vulnerabilities or insecure configurations.
Inspect any external services or APIs for unencrypted communication.
Verify if proper error handling and input validation are implemented to prevent injection attacks (SQL, XML, etc.).

1.2 Code Obfuscation

Apply ProGuard/R8 for Android and iXGuard for iOS to obfuscate the app code and make reverse engineering difficult.
Ensure obfuscation rules are applied for sensitive classes, methods, and variables.
Configure ProGuard/R8 to remove unused code to reduce the attack surface.
Test the app post-obfuscation to verify that functionality is not broken.
Use advanced obfuscation techniques (e.g., string encryption, method renaming) to prevent reverse engineering.

1.3 Secure Storage

Ensure the app uses secure storage mechanisms like iOS Keychain or Android Keystore for storing sensitive data.
Avoid using less secure storage methods (e.g., SharedPreferences, SQLite databases) for sensitive information.
Implement encryption for any sensitive data stored locally (e.g., encrypted local databases).
Verify that encryption keys are not hardcoded and are managed by secure key management systems.

2. Dynamic Runtime Protection

2.1 Tamper Detection & Prevention

Integrate tamper detection mechanisms to prevent manipulation of app files, libraries, or resources.
Implement checksum or hash validation to detect modifications in the APK or IPA files.
Use runtime checks to detect if the app has been modified, and respond by shutting it down or becoming non-functional.
Test for jailbreak/root detection by detecting system-level modifications that could indicate a tampered device (e.g., Magisk on Android, Cydia on iOS).
Prevent reverse engineering by detecting debugging tools like Frida or Xposed, and block execution in such environments.

2.2 Anti-Debugging & Anti-Reverse Engineering

Implement anti-debugging techniques to make it difficult for attackers to debug the app (e.g., breakpoints, trace checking).
Detect and block reverse engineering tools like JD-GUI, JADX, and disassemblers by adding runtime checks.
Obfuscate stack traces and crash logs to prevent revealing sensitive internal information.
Disable debugging functions in production builds to prevent unauthorized access to app internals.

2.3 Root/Jailbreak Detection

Implement checks for root (Android) or jailbreak (iOS) status to prevent running the app on compromised devices.
Look for system modifications like su binaries on Android or the existence of Cydia on iOS devices.
Use additional techniques such as checking for unusual app permissions or access to system files typically found in rooted/jailbroken environments.
If root/jailbreak is detected, implement measures to prevent sensitive actions, such as disabling secure transactions or blocking certain features.
Prevent the app from running on emulator environments that can be used for testing vulnerabilities.

3. Secure Communication

3.1 Secure API Calls

Ensure all API communications use SSL/TLS with strong cipher suites (e.g., TLS 1.2 or higher).
Implement certificate pinning to prevent Man-in-the-Middle (MitM) attacks.
Test for improper SSL validation and ensure that only trusted certificates are accepted.
Make sure that sensitive information, such as login credentials and tokens, is transmitted over secure channels (e.g., HTTPS).
Verify that API responses do not contain sensitive information such as session tokens or passwords in URLs or headers.

3.2 Data in Transit Protection

Implement additional encryption layers for sensitive data being transmitted (e.g., encrypting request bodies, headers).
Validate that the app does not allow unencrypted communication with sensitive endpoints (e.g., login, payment).
Ensure the app can handle network attacks (e.g., SSL stripping) and fails securely.
Test the app’s resilience against MITM attacks by intercepting and modifying requests/responses.

3.3 WebView & JavaScript Security

Validate WebView components for potential security vulnerabilities, such as loading untrusted content or executing insecure JavaScript.
Ensure that WebViews are set to secure mode and only load trusted URLs (no open redirects).
Disable JavaScript execution in WebViews unless explicitly needed, and restrict access to app-native features via JavaScript.
Validate that sensitive data is not leaked through WebViews via insecure JavaScript or third-party scripts.

4. Obfuscation & Encryption for Sensitive Information

4.1 Sensitive Data Encryption

Use strong encryption algorithms (e.g., AES-256) for encrypting sensitive data stored locally.
Ensure encryption keys are managed securely and are not hardcoded within the app.
Avoid using weak algorithms (e.g., RSA without padding, MD5).
Encrypt sensitive data before writing to disk, and decrypt it only when required for use.

4.2 String Encryption

Encrypt all hardcoded strings, especially API keys, passwords, and other sensitive values.
Apply dynamic decryption of encrypted strings at runtime to prevent extraction from static analysis.
Use secure obfuscation and encryption techniques to make reverse-engineering of strings difficult.

5. API & Backend Security Testing

5.1 Unauthenticated API Endpoints

Test all app API endpoints for unauthenticated access to sensitive data or functions (e.g., account balance, user profile).
Ensure that all sensitive API requests are protected by strong authentication mechanisms (e.g., OAuth, JWT).
Verify that the app uses access control mechanisms to prevent unauthorized access to endpoints.

5.2 Function-Level Access Control

Test the app for function-level access control issues, where users can access or perform operations beyond their role (e.g., admin privileges for regular users).
Ensure that APIs are properly segmented to restrict unauthorized functions and data based on user roles.

6. Testing the App’s Security Resilience

6.1 Reverse Engineering and Debugging

Test app resilience against decompilation and reverse engineering tools like JADX, APKTool, and Frida.
Ensure that sensitive app logic is protected via code obfuscation and encryption.
Test that tampering with the app’s binary does not lead to bypassing security controls.

6.2 Data Leakage Prevention

Test for potential data leakage in log files, error messages, or debug output.
Ensure that sensitive information (e.g., passwords, tokens) is not exposed in plaintext within the app’s logs.
Test the app’s ability to handle error states without revealing sensitive data.

7. Reporting & Remediation

7.1 Vulnerability Reporting

Provide a detailed report of security issues discovered, with steps to reproduce and severity assessments.
Include specific recommendations for fixing issues, such as code snippets or configuration changes.
Include remediation suggestions related to encryption, authentication, and obfuscation for hardening the app.

7.2 Remediation Follow-up

Provide a follow-up consultation to walk through the remediation steps with the development team.
Ensure fixes are properly tested and retested to verify that the vulnerabilities have been resolved.
Provide guidance on maintaining ongoing app security through regular updates and testing.

Mobile App Hardening & Obfuscation