Code defactoring: Evaluating the effectiveness of Java obfuscations

Abstract

Obfuscation is a very common protection against reverse engineering attacks: it modifies a program structure to make it harder for the adversary to analyse and understand it. Conceptually, obfuscation is the opposite of refactoring: the code should be more complex to understand, bloated, and with excessive characteristics from the design point of view. This paper aims at evaluating the code complexity introduced by different obfuscation algorithms by using software engineering metrics. Using structural metrics, this paper illustrates how the various types of obfuscation algorithms perform in terms of OO attributes that should be kept low in refactoring. Results show that the majority of the selected algorithms produce no changes in the structural attributes or the average complexity, but they produce more ''dead'' code. We argue that this could not represent the optimal way to protect the code: when protecting against reverse engineering attacks, a preference should be given to those algorithms that increase the complexity and alter the structural metrics. © 2012 IEEE.