Why your software needs obfuscation
Here we explore a subject that is usually of utmost importance to a company’s competitive position in the software marketplace, yet is untaught by most accredited computer science programs. Consequently, this subject sits at the periphery of most software developers’ minds, if it sits in their minds at all. This subject concerns the protection of proprietary algorithms and information contained within software applications. Or more notably, the lack of protection.
Most programmers are taught that software applications are compiled from a high-level programming language to binary “machine-readable” executable code. The false implication is that because the code is now “machine-readable,” it is no longer possible for anyone to read or understand. However, just as high-level programming language code can be translated to machine-specific assembly instructions, the process can also be reversed. In most cases, executable code can be translated at least back to assembly code, if not all the way back to some high-level language. Decompilation of programs written in certain languages such as Java and the .NET languages is particularly effortless: with these languages, the executable can be easily transformed back to its precise original source code form.
A 10-minute demonstration is usually all it takes to convince company leaders that, when dropped into the wrong hands, secrets contained within the software they sell on the open market can be stolen rather easily, often using free tools. While sophisticated reverse engineering software exists on the market, many other very effective tools are completely free and can even be found right in a typical programmer’s suite of utilities. To make matters worse, reverse engineering software can be a legally protected activity in many cases.
Therefore, if you aren’t comfortable effectively sharing your entire codebase with the world, preventive measures must be taken. This is where a technique called obfuscation comes in.
Obfuscation is a process whereby executable software is transformed into cryptic, confusing sequences of machine-readable instructions that still result in the same overall software behavior but are very tricky for humans to understand once reverse engineered. Obfuscation generally takes place after the software application has already been built.
Like anything else, both good and bad obfuscation tools exist. Better tools use more sophisticated techniques which are less likely to be identified quickly. Once a particular obfuscation technique has been identified, it quickly becomes ineffective as the technique becomes widely known. Therefore, we generally recommend that our clients use obfuscation tools which are produced, validated, and regularly updated by reputable companies.
It is important to understand that no matter how sophisticated the obfuscation tools employed, it is always possible to undo obfuscation. The main difference is that obfuscated software deters the public from viewing your proprietary algorithms, whereas non-obfuscated software is virtually an open invitation.
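As an added illustration (not code from the article or from any obfuscation product), the following Python script audits what a compiled artifact still reveals, then applies a toy identifier-renaming pass and audits again. Python bytecode stands in here for the Java and .NET cases mentioned above; the sample routine, its names and its constant are constructed, and renaming is only one simple obfuscation technique.

```python
import ast
import marshal

# Constructed sample standing in for a proprietary routine.
SOURCE = """
def compute_license_discount(seat_count, loyalty_years):
    secret_rate = 0.0375
    return round(seat_count * loyalty_years * secret_rate, 4)
"""

def build(src_or_tree, name):
    """Compile, then round-trip through marshal, the format stored in .pyc files."""
    return marshal.loads(marshal.dumps(compile(src_or_tree, name, "exec")))

def recovered(code):
    """Identifiers and constants a reader can pull out of compiled code."""
    found = set(code.co_names) | set(code.co_varnames)
    for const in code.co_consts:
        if hasattr(const, "co_code"):      # nested function body: recurse
            found |= {const.co_name} | recovered(const)
        elif const is not None:
            found.add(const)
    return found

class Renamer(ast.NodeTransformer):
    """Toy renaming pass. Builtins such as round() are left untouched."""
    def __init__(self, tree):
        # Names the module itself defines: functions, parameters, assigned variables.
        attr = {ast.FunctionDef: "name", ast.arg: "arg", ast.Name: "id"}
        defined = [getattr(n, attr[type(n)]) for n in ast.walk(tree)
                   if type(n) in attr and not isinstance(getattr(n, "ctx", None), ast.Load)]
        self.mapping = {n: f"_{i:x}" for i, n in enumerate(dict.fromkeys(defined))}
    def visit_FunctionDef(self, node):
        node.name = self.mapping[node.name]
        return self.generic_visit(node)
    def visit_arg(self, node):
        node.arg = self.mapping[node.arg]
        return node
    def visit_Name(self, node):
        node.id = self.mapping.get(node.id, node.id)
        return node

def obfuscate(source):
    tree = ast.parse(source)
    renamer = Renamer(tree)
    return build(ast.fix_missing_locations(renamer.visit(tree)), "<obf>"), renamer.mapping

if __name__ == "__main__":
    print("original:  ", sorted(map(str, recovered(build(SOURCE, "<orig>")))))
    print("obfuscated:", sorted(map(str, recovered(obfuscate(SOURCE)[0]))))
```

The descriptive names disappear from the renamed build, but the constant `0.0375` and the arithmetic around it remain readable, which is why renaming alone deters casual inspection rather than preventing analysis.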
Prolifogy associates are industry-leading Ph.D. experts and researchers. They are available for consultation on a range of advanced software matters, including obfuscation. To see what we can do for your organization, call us at 855-776-5436 or contact us through our web site.