SaFi Bank Space : Obfuscation and deobfuscation Flutter App

Code obfuscation is the process of modifying an app’s binary to make it harder for humans to understand. Obfuscation hides function and class names in your compiled Dart code, making it difficult for an attacker to reverse engineer your proprietary app.

Obfuscating your app

To obfuscate your app, build a release version using the --obfuscate flag, combined with the --split-debug-info flag. The --split-debug-info flag specifies the directory where Flutter can output debug files. This command generates a symbol map. The apk, appbundle, ipa, ios, and ios-framework targets are currently supported. (macos and aar are supported on the master and dev channels.) For example:

flutter build apk --obfuscate --split-debug-info=/<project-name>/<directory>

Once you’ve obfuscated your binary, save the symbols file. You need this if you later want to de-obfuscate a stack trace.

Note that the --split-debug-info flag can also be used by itself. In fact, it can dramatically reduce code size. For more information on app size, see Measuring your app’s size.

For detailed information on these flags, run the help command for your specific target, for example:

flutter build apk -h

If these flags are not listed in the output, run flutter --version to check your version of Flutter.

Reading an obfuscated stack trace

To debug a stack trace created by an obfuscated app, use the following steps to make it human readable:

  1. Find the matching symbols file. For example, a crash from an Android arm64 device would need app.android-arm64.symbols.

  2. Provide both the stack trace (stored in a file) and the symbols file to the flutter symbolize command. For example:

flutter symbolize -i <stack trace file> -d out/android/app.android-arm64.symbols

For more information on the symbolize command, run flutter symbolize -h.

Implementation in the SaFi Mobile App

We implemented it in safi-mobile-app-build-android-ci.yml for Android:

flutter build apk --release --build-name=$(echo $GITHUB_REF | sed -e "s#refs/tags/##g")  --build-number=$BUILD_NUMBER --obfuscate --split-debug-info=misc/mapping

The build generates 3 symbols files, which the pipeline saves to artifacts.

Reference:
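One way to check and keep the symbols files after the obfuscated build, and to pick the matching file when symbolizing a crash (an added example, not part of the SaFi pipeline or the Flutter docs). The function names and the <build-name>+<build-number> archive layout are hypothetical; only app.android-arm64.symbols is named on this page, and the arm and x64 file names are assumptions.

```shell
#!/bin/sh
# Added example: verify, archive and select Flutter symbols files per build.
# Assumption: besides app.android-arm64.symbols (named on the page), the build
# also writes app.android-arm.symbols and app.android-x64.symbols.

# symbols_name ABI -> prints the symbols file name for that Android ABI
symbols_name() {
    case "$1" in
        arm64-v8a|arm64) echo "app.android-arm64.symbols" ;;
        armeabi-v7a|arm) echo "app.android-arm.symbols" ;;   # assumed name
        x86_64|x64)      echo "app.android-x64.symbols" ;;   # assumed name
        *) echo "unknown ABI: $1" >&2; return 1 ;;
    esac
}

# check_symbols DIR -> non-zero if any expected symbols file is missing or empty
check_symbols() {
    dir=$1; rc=0
    for abi in arm64 arm x64; do
        f="$dir/$(symbols_name "$abi")"
        if [ ! -s "$f" ]; then
            echo "missing or empty: $f" >&2
            rc=1
        fi
    done
    return $rc
}

# archive_symbols DIR BUILD_NAME BUILD_NUMBER OUT
# Copies the symbols to OUT/<name>+<number>/ so a stack trace can later be
# matched to the exact build that produced it; prints the destination.
archive_symbols() {
    check_symbols "$1" || return 1
    dest="$4/$2+$3"
    mkdir -p "$dest" && cp "$1"/app.android-*.symbols "$dest"/ && echo "$dest"
}

# symbolize_trace TRACE_FILE ABI ARCHIVE_DIR -> flutter symbolize with the matching file
symbolize_trace() {
    name=$(symbols_name "$2") || return 1
    [ -s "$3/$name" ] || { echo "no symbols for $2 in $3" >&2; return 1; }
    flutter symbolize -i "$1" -d "$3/$name"
}
```

In the pipeline above, archive_symbols would be called with misc/mapping as DIR right after the flutter build step, failing the job if a symbols file is missing.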

https://docs.flutter.dev/deployment/obfuscate
