De-obfuscating Android Scan Results Using A Mapping File

Data Theorem currently supports de-obfuscating scan results for Android pre-prod apps that were obfuscated with ProGuard. De-obfuscation is performed with the retrace tool, which requires the corresponding mapping file for each uploaded build that needs to be de-obfuscated.


Obfuscated classnames are currently presented in the Data Theorem portal as follows:


Obfuscated class: a.a.g.a when connecting to tcp://foo.bar.com:8445/


De-obfuscation maps the obfuscated classname a.a.g.a back to its original classname, such as com.foo.bar.
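To make the mapping step concrete, here is an added example (not Data Theorem's retrace implementation, and not code from this page) that parses a ProGuard/R8 mapping.txt and applies it to a finding like the one shown above; the sample mapping and its class names are constructed for illustration.

```python
import re
from typing import Dict, Tuple

# Constructed sample in ProGuard/R8 mapping.txt format (illustrative names, not a
# real app's mapping): "original -> obfuscated:" class lines, then indented members.
SAMPLE_MAPPING = """\
# compiler: R8
com.foo.bar.NetworkClient -> a.a.g.a:
    java.lang.String host -> a
    int port -> b
    12:15:void connect(java.lang.String,int) -> a
com.foo.bar.Crypto -> a.a.g.b:
    1:1:byte[] encrypt(byte[]):40:40 -> a
"""

CLASS_LINE = re.compile(r"^(?P<orig>\S+) -> (?P<obf>\S+):$")
# [startline:endline:]type name[(args)][:origline[:origline]] -> obfuscated
MEMBER_LINE = re.compile(
    r"^\s+(?:\d+:\d+:)?(?P<type>\S+) (?P<name>[^\s(]+)(?P<args>\(.*?\))?"
    r"(?::\d+)*\s+->\s+(?P<obf>\S+)$"
)

def parse_mapping(text: str) -> Tuple[Dict[str, str], Dict[Tuple[str, str, bool], str]]:
    """Return (obf class -> original class, (obf class, obf member, is_method) -> original
    member). Fields and methods may share an obfuscated name, hence the is_method flag."""
    classes: Dict[str, str] = {}
    members: Dict[Tuple[str, str, bool], str] = {}
    current = None  # obfuscated name of the class whose members we are reading
    for line in text.splitlines():
        if not line.strip() or line.strip().startswith("#"):
            continue
        m = CLASS_LINE.match(line)
        if m:
            current = m.group("obf")
            classes[current] = m.group("orig")
            continue
        m = MEMBER_LINE.match(line)
        if m and current is not None:
            members[(current, m.group("obf"), m.group("args") is not None)] = m.group("name")
    return classes, members

def deobfuscate(finding: str, classes: Dict[str, str]) -> str:
    """Replace obfuscated class names in a finding string. Longest names first, and no
    word char or '.' on either side, so 'a.a.g.a' is never matched inside foo.bar.com."""
    for obf in sorted(classes, key=len, reverse=True):
        pattern = r"(?<![\w.])" + re.escape(obf) + r"(?![\w.])"
        finding = re.sub(pattern, classes[obf], finding)
    return finding
```

Running `deobfuscate` on the portal string above with this mapping yields `Obfuscated class: com.foo.bar.NetworkClient when connecting to tcp://foo.bar.com:8445/`; a quick lookup in the class map before uploading also confirms that the mapping file actually covers the classes reported in a scan.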

Instructions

To enable de-obfuscation of Android pre-prod app scan results, the following steps are necessary.

  1. CI/CD should be enabled for your Android pre-prod build.

  2. As part of the upload step, include a mapping file alongside the app binary. This must be the same mapping file that was generated when the APK was built in Android Studio; where it is written depends on the ProGuard settings of your Android project. Pass the mapping file as the sourcemap option of your CI/CD upload step as follows:

    $ curl \
        -F "file=@androidapp.apk" \
        -F "sourcemap=@mapping.txt" \
        -F "release_type=PRE_PROD" \
        https://prod-dopinder-v2.securetheorem.com/_ah/upload/Aewsadw[...]/

  3. Once a mapping file has been uploaded for a pre-prod app, every subsequent upload of that app must include a corresponding mapping file for its scans to complete. This requirement can be disabled by sending a PATCH request to the Mobile Apps endpoint of the Results API v2, with the desired setting as the request body, as follows:

    # Replace :mobile_app_id with the mobile app's ID from the portal or the Results API
    curl \
        --request PATCH \
        -H "Authorization: APIKey ..." \
        --data '{"scans_require_mapping_file": false}' \
        https://api.securetheorem.com/apis/mobile_security/results/v2/mobile_apps/:mobile_app_id

    If you run the above curl request from a Windows command line, you need to escape the quotes in the request body for the API call to succeed. For example:

  4. If the uploaded build and mapping file pass validation, the de-obfuscated scan results will appear in the portal. If there are any issues with de-obfuscation, please reach out to support@datatheorem.com.


Uploading a mapping file without a corresponding app build

In some cases, such as when a prod app is released to Google Play, scans are performed on the build obtained from Google Play. As a result the app is scanned without a mapping file, and the scan results will not be de-obfuscated.

For prod apps to be de-obfuscated during scans, the corresponding mapping file must be provided before the scan, or before the app is released to Google Play. The following steps provide a mapping file without the corresponding build, for both prod and pre-prod apps.

Step 1

Initialize the mapping file upload request using a POST request to the mapping file endpoint below.

This requires your team's Upload API key from the Data Theorem portal, used as follows:

Request


Response


Step 2

The response contains an upload URL that is valid for 10 minutes. The following fields must be specified when uploading the mapping file for a prod app in Google Play, so that it can be correlated with the build that will be scanned from Google Play:

  • bundle_id - The bundle id for the app that the mapping file will be used for.

  • release_type - The release type of the app to which the mapping file relates. The options are:

    • APP_STORE

    • PRE_PROD

  • version - The version of the app in Google Play that will be scanned.

  • release_id (optional)

    • The release id of the app that makes it into Google Play. This field is optional, as different teams may use it interchangeably with the version.

Using the upload_url from the response in Step 1, perform the following request to upload the mapping file:

Request

Please note that this marks the app as requiring a mapping file for all subsequent scans to complete. This option can be disabled so that normal scans proceed without requiring a mapping file.