Introduction to Android String Obfuscation

In the realm of Android application security and reverse engineering, string obfuscation is a common technique employed by developers to protect sensitive information and hinder analysis. Malware authors and legitimate application developers alike use string obfuscation to hide API keys, server URLs, cryptographic keys, and other critical data from static analysis. For reverse engineers, understanding and overcoming these obfuscation techniques is paramount to gaining insights into an application’s true functionality.

This guide delves into the methodologies for deobfuscating strings in Android applications, focusing on runtime decryption techniques using dynamic analysis tools like Frida. We’ll explore why strings are obfuscated, common obfuscation patterns, and a practical, step-by-step approach to recovering plaintext strings.

Why Obfuscate Strings?

The primary motivations behind string obfuscation are to enhance security and increase the difficulty of reverse engineering:

• Preventing Static Analysis: Without deobfuscation, sensitive strings appear as meaningless byte arrays or encrypted blobs in the compiled code (DEX or native libraries), making it challenging for analysts to quickly identify interesting functionalities.
• Protecting Intellectual Property: Hiding internal logic, proprietary algorithms, and key data points.
• Evading Detection: Malware often obfuscates strings to bypass signature-based detection mechanisms that scan for known malicious patterns.
• Anti-Tampering: Making it harder for attackers to modify the application’s behavior by altering hardcoded values.

Common String Obfuscation Techniques

String obfuscation schemes can range from simple to highly complex. Some common techniques include:

• XOR/Addition/Subtraction: Simple bitwise operations combined with a static or dynamically generated key. Often combined with Base64 encoding.
• AES/DES Encryption: Using standard cryptographic algorithms with embedded keys or keys derived at runtime.
• Base64 Encoding: While not encryption, it’s often used as a first layer to obscure data, making it appear less like readable text.
• Dynamic String Generation: Strings are constructed at runtime from various parts, making it hard to piece them together statically.
• Native Code Decryption (JNI): Encrypted strings are stored in Java/Kotlin code, but the decryption routine resides in a native library (e.g., C/C++ via JNI), making static analysis more complex as it requires disassembling native code.

Methodology for Runtime Deobfuscation

The most effective way to recover obfuscated strings is through dynamic analysis, specifically by hooking the application’s execution at runtime. This approach allows us to observe the strings after they have been decrypted by the application’s legitimate decryption routines.

1. Static Analysis: Identifying Potential Decryption Routines

Before diving into dynamic analysis, a brief static scan can help narrow down the search. Use tools like Jadx, Ghidra, or Apktool to decompile the APK and look for:

• String Literals: Search for patterns of encrypted strings (e.g., long sequences of seemingly random characters, Base64-encoded strings).
• Crypto API Calls: Look for invocations of javax.crypto.Cipher, MessageDigest, or custom encryption classes.
• String Manipulation Methods: Methods like substring, charAt, toCharArray, or bitwise operations (`xor`, `shl`, `shr`) frequently precede or follow decryption logic.
• Method Names: Developers might use descriptive method names like decryptString, resolve, or getString.

Example Smali snippet of a method potentially returning an obfuscated string:

.method public static getString(I)Ljava/lang/String; .locals 2 const/4 v0, 0x0 new-array v0, v0, [Ljava/lang/Object; const-string v1, "a946b5a8c90b8f" # Obfuscated string (e.g., Base64 encoded XORed) invoke-static {v1, v0}, Lcom/example/app/obfuscator/Decryptor;->decrypt(Ljava/lang/String;[Ljava/lang/Object;)Ljava/lang/String; move-result-object v0 return-object v0 .end method

In this example, we’d target `Lcom/example/app/obfuscator/Decryptor;->decrypt`.

2. Dynamic Analysis with Frida: Hooking and Decryption

Frida is an excellent toolkit for dynamic instrumentation. It allows us to inject custom scripts into running processes and hook arbitrary functions, inspect arguments, and even modify return values. This is ideal for string deobfuscation.

a. Setup Frida

Ensure you have Frida installed on your host machine and Frida-server running on your Android device/emulator.

# On host machine pip install frida-tools # On Android device (rooted) adb push frida-server /data/local/tmp/ frida-server adb shell 'chmod 755 /data/local/tmp/frida-server' adb shell '/data/local/tmp/frida-server &'

b. Identifying the Target Method for Hooking

Based on your static analysis, you should have an idea of which method is responsible for decryption. If not, you might start with broader hooks:

• Hooking String Constructors: This is a very broad approach but can catch strings immediately after they are formed. However, it will generate a lot of noise.
• Hooking Common Crypto Methods: If you identified `Cipher.doFinal()` or `SecretKeySpec` being used.
• Hooking Specific Decryption Methods: The most precise approach, as identified in the static analysis phase (e.g., `Lcom/example/app/obfuscator/Decryptor;->decrypt`).

Let’s assume our static analysis pointed to `com.example.app.obfuscator.Decryptor.decrypt(java.lang.String, java.lang.Object[])` as the decryption routine.

c. Crafting the Frida Script

We’ll write a JavaScript file (e.g., `decrypt_hook.js`) to inject into the target application.

Java.perform(function() { console.log("[*] Starting string decryption hook..."); try { var Decryptor = Java.use('com.example.app.obfuscator.Decryptor'); Decryptor.decrypt.overload('java.lang.String', '[Ljava.lang.Object;').implementation = function(obfuscatedString, args) { console.log("[+] Decryption triggered!"); console.log("  Obfuscated String: " + obfuscatedString); // Call the original method to get the decrypted string var decryptedString = this.decrypt(obfuscatedString, args); console.log("  Decrypted String: " + decryptedString); return decryptedString; }; console.log("[*] Hooked com.example.app.obfuscator.Decryptor.decrypt successfully."); } catch (e) { console.error("[-] Error hooking Decryptor.decrypt: " + e.message); } // Example of a broader hook for String constructor if you can't find specific decrypt methods /* try { var String = Java.use('java.lang.String'); String.$init.overload('[B', 'java.lang.String').implementation = function(bytes, charsetName) { this.$init(bytes, charsetName); var decodedString = this.toString(); if (decodedString.length > 5 && decodedString.match(/[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+.[a-zA-Z]{2,}/) || // Look for emails decodedString.match(/http(s)?:///) || // Look for URLs decodedString.match(/^[0-9a-fA-F]{32}$/)) { // Look for potential MD5 hashes console.log("[+] New String constructed (Potential Sensitive Data): " + decodedString); } }; console.log("[*] Hooked String constructor for byte arrays."); } catch (e) { console.error("[-] Error hooking String constructor: " + e.message); } */ });

d. Running Frida with the Script

Identify the package name of your target application (e.g., `com.example.targetapp`).

frida -U -l decrypt_hook.js -f com.example.targetapp --no-pause

The `–no-pause` flag tells Frida to inject the script and immediately resume the application. As the app runs and invokes the `decrypt` method, you will see the obfuscated and decrypted strings printed to your console.

Example: Simple XOR Decryption

Consider an Android app with a simple XOR decryption method:

// Java/Kotlin code public class Decryptor { public static String decrypt(String encryptedText, String key) { StringBuilder decrypted = new StringBuilder(); for (int i = 0; i < encryptedText.length(); i++) { decrypted.append((char) (encryptedText.charAt(i) ^ key.charAt(i % key.length()))); } return decrypted.toString(); } } // Usage String obfuscated = "u001cu0001u000eu000fu0006u001au000fu0017u000b"; // 'secret_key' XORed with 'KEY' String decrypted = Decryptor.decrypt(obfuscated, "KEY");

To hook this, your Frida script would target `Decryptor.decrypt`:

Java.perform(function() { console.log("[*] Starting XOR decryption hook..."); try { var Decryptor = Java.use('com.example.app.Decryptor'); Decryptor.decrypt.overload('java.lang.String', 'java.lang.String').implementation = function(encryptedText, key) { console.log("[+] XOR Decryption triggered!"); console.log("  Encrypted Text: " + encryptedText); console.log("  Decryption Key: " + key); var decryptedString = this.decrypt(encryptedText, key); console.log("  Decrypted String: " + decryptedString); return decryptedString; }; console.log("[*] Hooked com.example.app.Decryptor.decrypt successfully."); } catch (e) { console.error("[-] Error hooking Decryptor.decrypt: " + e.message); } });

When the app executes `Decryptor.decrypt(obfuscated, “KEY”)`, the Frida script will log: `Decrypted String: secret_key`.

Conclusion

Runtime string deobfuscation is an indispensable technique for Android reverse engineers. While static analysis provides initial clues, dynamic analysis with tools like Frida offers the most reliable way to recover plaintext strings by observing them after the application’s own decryption routines have processed them. By systematically identifying decryption routines and applying targeted hooks, reverse engineers can effectively bypass most string obfuscation schemes, gaining critical insights into an application’s hidden functionalities and sensitive data.