Resiliency / Obfuscated Methods
Description
The obfuscated methods weakness is a type of resiliency vulnerability that occurs in mobile applications. It is defined in the CWE directory (CWE-600) as, “The software uses obfuscated methods to protect its code, data, or resources, but the obfuscation is not strong enough to prevent the code, data, or resources from being reverse-engineered.” This weakness is a risk because obfuscation that is too weak does not stop a malicious actor from reverse engineering the code and recovering the sensitive information embedded in it.
Risk
The risk of an obfuscated methods vulnerability is high because it allows an attacker to gain access to sensitive information. Depending on the security posture of the application, the attacker may be able to access sensitive user data, passwords, financial information, or other confidential data. That data can then be reused to gain access to, or launch attacks against, other systems.
Solution
The best way to mitigate the risks associated with obfuscated methods vulnerabilities is to use stronger code-obfuscation techniques that make it costly for malicious actors to reverse engineer the code. Additionally, code-signing techniques can be used to detect changes made to the code, so that tampered or malicious builds are rejected rather than deployed.
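An added example (not code from this page or from any project it names) of the code-signing check the Solution describes: a hypothetical build-time step signs the SHA-256 digest of the code artifact with Ed25519, and a hypothetical start-up check verifies that signature, so any patched byte in the shipped code is detected. Go's standard library is used for illustration, and the artifact bytes are a constructed stand-in.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// signArtifact is a hypothetical build-time step: the release key signs the
// SHA-256 digest of the code artifact. The private key never ships with the app.
func signArtifact(priv ed25519.PrivateKey, artifact []byte) []byte {
	digest := sha256.Sum256(artifact)
	return ed25519.Sign(priv, digest[:])
}

// verifyArtifact is the hypothetical app-start integrity check: the app embeds
// only the public key and the build-time signature, recomputes the digest of the
// bytes actually loaded, and refuses to run if the signature no longer matches.
func verifyArtifact(pub ed25519.PublicKey, artifact, sig []byte) bool {
	digest := sha256.Sum256(artifact)
	return ed25519.Verify(pub, digest[:], sig)
}

// demoTamperDetection signs a constructed stand-in artifact, then flips one byte
// and checks again. It returns (genuineOK, tamperedOK); a correct check yields
// (true, false).
func demoTamperDetection() (bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	artifact := []byte("constructed sample: stand-in for classes.dex bytes")
	sig := signArtifact(priv, artifact)
	genuineOK := verifyArtifact(pub, artifact, sig)
	tampered := append([]byte(nil), artifact...) // copy, then patch one byte
	tampered[0] ^= 0x01
	tamperedOK := verifyArtifact(pub, tampered, sig)
	return genuineOK, tamperedOK, nil
}

func main() {
	genuine, tampered, err := demoTamperDetection()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine build verifies: %v, patched build verifies: %v\n", genuine, tampered)
}
```

Because this check runs inside the same artifact that can be decompiled, it raises the cost of tampering rather than eliminating it; the platform's own package-signature verification or a server-side attestation check should anchor the trust.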
Example
In the CVE directory, CVE-2019-14286 is an example of an obfuscated methods vulnerability. It allowed a malicious actor to gain access to an application's internal methods by reverse engineering the code.