What is "obfuscation"

Code obfuscation or code obfuscation is the name given to a deliberate attempt to make a programming code difficult for other people to understand. This is done by adding non-destructive and irrelevant code as code redundancies, using meaningless variable names, null result codes, among other techniques, producing a confusing and illegible code, but with the same functionality as an efficient version of the program. This avoids many of the basic code readability rules such as well-named variables, appropriate comments, and other features. In general, the obfuscation is done for several reasons : to hide the purpose of the code, to prevent possible changes (security by obscurity), to prevent the violation of reserved rights by means of alteration and copying, hinder Reverse Engineering or even as a means of fun and challenge to offer to those who read the source code. An example of typical usage is the obfuscation of Javascript code : as the language scripts run on the client side, the user has access to the source code to be executed. In this way, to avoid copying, the developer chooses to try to hide part of the code. Another common use of Code Obfuscation is its use for spreading malicious code that is imperceptible to the user.

Code obfuscation can be performed manually, but there are also computer programs that transform a common code into a code obfuscated through the use of convenient algorithms. In this sense, there are also programs called "desofuscadores" that implement a series of analyses and algorithms to remove irrelevant information from a code, bringing its more objective version. The main drawbacks of code obfuscation is that it does not make your code completely protected, as there is no technique that is impossible to break. Obfuscation of a code can make its compilation or execution more time-consuming than in a common code, and considerably increase its size. In addition, some anti-virus software may warn about a particular program that uses overshadowed code.

Many organizations may encourage the use of code obfuscation as a means of protecting their code from others' manipulation, especially when installing applications in the environment of another organization that hires its services. Some caution should be taken by software producers, since the technique can be used by some developers as a way to defraud an organization if the developer is somehow discarded. There are situations where developers deliberately hide bugs in the system that can be triggered when convenient to the developer. In this way, the standardization of the method as the software is built by all the developers of an organization, should have a greater emphasis. Already companies that hire software of third parties, should be careful as several software producers use code obfuscation to prevent the software is copied by the contracting company and the contractor subsequently disposes of the software producer. In such cases it is appropriate that an organisation which hires a software define whether it will have a right to access the source code of the contracted software: if yes, it must be established in an appropriate manner that the software will be made available in an amicable and readable form to the contractor.

Basic techniques for code obfuscation

Obfuscation techniques can be static or dynamic. Static changes can include changing the format of the program, changing the names of the variables and adding useless code, and these techniques are implemented in writing the source code. Dynamic techniques seek to change code during runtime.

Some basic code obfuscation techniques include:

  • Use variable names whose function is not easily perceived by someone else. Example: instead of using the name of summing up for a variable that will receive the result of a sum, you can use names such as v1, x, ghdjs or even subtraction.
  • Declare variables and constants that are not used during the program. If, for example, only two variables are used in the program, declaring two more can confuse the one who wants to analyze the source code.
  • In languages where there is no need to divide the code into different lines (such as C, Java, PHP and the like) all the code of a program can be done in the same line.
  • Insert self-sufficient code with null effect within normal programming. For example, a while that does not change important program variables or a function call that does not have internal functionalities.

Source: Revista Brasileira de WEB