Obfuscapk v1.3 releases: A black-box obfuscation tool for Android apps

Obfuscapk

Obfuscapk – A black-box obfuscation tool for Android apps.

Obfuscapk is a modular Python tool for obfuscating Android apps without needing their source code, since apktool is used to decompile the original apk file and to build a new application, after applying some obfuscation techniques on the decompiled smali code, resources and manifest. The obfuscated app retains the same functionality as the original one, but the differences under the hood sometimes make the new application very different from the original (e.g., to signature-based antivirus software).

Architecture

Obfuscapk is designed to be modular and easy to extend, so it’s built using a plugin system. Consequently, every obfuscator is a plugin that inherits from an abstract base class and needs to implement the method obfuscate. When the tool starts processing a new Android application file, it creates an obfuscation object to store all the needed information (e.g., the location of the decompiled smali code) and the internal state of the operations (e.g., the list of already used obfuscators). Then the obfuscation object is passed, as a parameter to the obfuscate method, to all the active plugins/obfuscators (in sequence) to be processed and modified. The list and the order of the active plugins are specified through command-line options.

The tool is easily extensible with new obfuscators: it’s enough to add the source code implementing the obfuscation technique and the plugin metadata (a <obfuscator-name>.obfuscator file) in the src/obfuscapk/obfuscators directory (take a simple existing obfuscator like Nop as a starting example). The tool will detect automatically the new plugin, so no further configuration is needed (the new plugin will be treated like all the other plugins bundled with the tool).

Changelog v1.3

  • Drop support for Python 3.6 (end of life reached)
  • Add support for Python 3.9 and 3.10
  • Update dependencies
  • Fix obfuscation in res/xml folder by @kiber-io in #61
  • Use official VirusTotal API (d0f9e2b)
  • Add an option to ignore user defined packages by @Elyorbe in #65
  • Replace Jarsigner with Apksigner by @Dado1513 in #83
  • Add option to use aapt2 by @Dado1513 in #84
  • Fixes to ConstStringEncryption obfuscator by @techee in #96 and #98
  • Fixes to reflection obfuscators by @ardalanForoughipour in #102
  • Initial Android App Bundle support by @mirsamantajbakhsh in #121

Install & Use

Copyright (c) 2019 Simone Aonzo, Gabriel Claudiu Georgiu, Luca Verderame, Alessio Merlo