Anti-Disassembly

Plan	Platforms	MASVS
Team	Android	MASVS-RESILIENCE-3

Overview

Anti-Disassembly injects specialized constructs into the compiled Android application that cause common reverse-engineering tools to fail, crash, or produce corrupted output when attempting to decompile the protected APK. This control significantly increases the difficulty and time required for attackers to analyze the application's code, protecting proprietary algorithms, business logic, and security mechanisms from rapid inspection.

The injected constructs are carefully designed to confuse decompilation tools while remaining completely benign at runtime. None of the anti-disassembly traps affect application behavior, performance, or compatibility — trap classes are never referenced by the app, and all modifications produce valid DEX bytecode that the Android Runtime (ART) processes normally.

This control is essential for applications containing valuable intellectual property, custom security implementations, or sensitive business logic that must be protected from automated reverse-engineering workflows.

How It Works

Anti-Disassembly operates during the Android build pipeline after the APK has been decompiled to smali bytecode but before it is reassembled. The control injects eight categories of trap constructs that exploit limitations and edge cases in popular decompilation tools:

Decompiler Confusion Techniques

The control injects synthetic smali classes into randomly-named packages that contain constructs specifically designed to trigger failures in decompilation tools:

Deeply Nested Structures — Creates annotation hierarchies and control-flow patterns with extreme nesting depths that overflow recursive parsers or exceed tool-specific limits, causing stack overflows or out-of-memory errors during disassembly.

Extreme Data Payloads — Generates methods with very large inline data sections (16 KB+ arrays, 32 KB+ string constants) that cause offset miscalculations in tools that assume typical payload sizes, producing unassemblable output with incorrect branch targets or label references.

Overlapping Control Flow — Creates methods with dozens of interleaved exception handlers whose protected ranges cross each other in valid but complex ways that confuse control-flow reconstruction algorithms, causing tools to error out or produce invalid code.

Edge-Case Constants — Uses extreme numeric values (e.g., Integer.MIN_VALUE, full 32-bit range spans) in switch statements that trigger arithmetic overflow in tools performing label offset calculations, resulting in corrupted jump tables.

Multi-DEX Trap Distribution — Injects trap classes into multiple DEX files when the APK uses multi-dex packaging, ensuring decompiler failures occur across all DEX components rather than only in the primary classes.dex.

File System Conflicts — On case-insensitive file systems (Windows, macOS default), creates resource entries whose names differ only in letter case, causing silent overwrites during decompilation that corrupt the extracted project structure.

Opaque Dead Code — Injects methods containing unreachable instruction sequences after unconditional branches, producing valid DEX bytecode that causes basic-block analysis failures in tools attempting to reconstruct clean control flow.

Format Edge Cases — Exploits corner cases in DEX format specifications (e.g., jumbo string instructions, wide array data, extreme annotation nesting) that are valid according to the DEX spec but rarely encountered in practice, exposing latent bugs in decompilation tool parsers.

Tools Affected

This control has been tested against and successfully disrupts the following popular reverse-engineering tools:

apktool — Fails during resource extraction, smali generation, or repackaging with errors about invalid offsets, corrupted resources, or unresolvable references
jadx — Crashes or hangs during decompilation, or produces incomplete/invalid Java source with syntax errors and missing classes
baksmali — Overflows call stacks during annotation parsing, produces smali files with incorrect label offsets, or fails to reconstruct valid control flow graphs
dex2jar — Generates corrupted JAR files with missing or malformed class files that cannot be opened by Java decompilers
JEB Decompiler — Encounters analysis errors or produces incomplete decompilation results for protected components

Runtime Behavior

Trap classes are never instantiated or referenced by the application at runtime. The Android Runtime (ART) loads and verifies only the classes that are actually used by the application. The anti-disassembly traps exist solely in the APK structure to confuse static analysis tools — they are ignored during normal execution.

All injected constructs produce valid DEX bytecode according to the Android specification. The traps do not violate Android's bytecode verifier rules, dex format constraints, or runtime expectations. The APK passes Google Play verification and installs normally on all Android devices.

Threats Mitigated

Rapid Reverse Engineering: Automated decompilation workflows that attackers use to quickly extract and analyze application source code are disrupted, forcing manual analysis that is significantly more time-consuming and error-prone
Intellectual Property Theft: Proprietary algorithms, custom cryptographic implementations, and unique business logic are protected from trivial extraction via decompilation tools
Vulnerability Discovery: Attackers scanning for security weaknesses (e.g., hardcoded credentials, weak crypto, logic flaws) using automated analysis pipelines encounter tool failures that slow reconnaissance
Code Cloning: Competitors or malicious actors attempting to replicate application functionality by decompiling and studying the code face substantial barriers to analysis
Bypass Development: Attackers developing patches or modifications to circumvent security controls (e.g., license checks, root detection) are hindered by the inability to cleanly decompile and modify the application

Use Cases

Financial Applications: Protect proprietary fraud detection algorithms, transaction processing logic, and risk scoring models from analysis by malicious actors
Gaming Applications: Shield anti-cheat mechanisms, in-app purchase validation, server authentication protocols, and game logic from cheaters and unauthorized client modifications
Enterprise Applications: Secure custom business logic, integration workflows, and proprietary data processing algorithms embedded in mobile clients
DRM & Content Protection: Protect digital rights management implementations, license validation schemes, and content decryption logic from reverse engineering
Security Products: Prevent analysis of detection algorithms, threat intelligence gathering methods, and security control implementations by adversaries attempting to develop evasion techniques

Caveats

Legitimate Analysis Tools Affected

Anti-Disassembly disrupts all decompilation tools that analyze the APK structure, including those used for legitimate purposes:

Security Audits: Penetration testers and security researchers performing authorized code reviews will encounter the same decompilation failures as attackers. If your organization requires third-party security audits of the compiled APK, you may need to provide an unprotected build or share source code directly.
Debugging & Troubleshooting: If you need to decompile a production build for post-release debugging (e.g., investigating a crash in obfuscated code), standard decompilation tools will not work. Maintain unprotected debug builds or source access for internal troubleshooting.
App Store Analysis: Some automated app store analysis services (e.g., third-party privacy scanners, SDK detection tools) may report incomplete results or errors when analyzing protected APKs, though this does not affect Google Play submission or approval.

Not a Complete Protection

Anti-Disassembly significantly raises the difficulty of reverse engineering but does not make it impossible:

Manual Analysis: Experienced reverse engineers can analyze the APK using low-level tools (e.g., hex editors, custom DEX parsers, Android Runtime debugging) that do not rely on automated decompilation workflows. This control increases analysis time from minutes to days/weeks, not infinity.
Dynamic Analysis: Anti-Disassembly only protects against static analysis. Runtime inspection and memory analysis require complementary runtime anti-tampering, debugger, and hook detection controls.
Tool Updates: Decompilation tool maintainers may patch vulnerabilities exploited by Anti-Disassembly in future releases. The control is regularly updated to address new tool versions and maintain effectiveness against the latest reverse-engineering utilities.

APK Size Increase

The injected trap constructs add approximately 200-500 KB to the APK size, depending on the number of DEX files and the distribution of traps. This increase is negligible for most applications but may be a consideration for size-sensitive deployments.

Support Matrix

Platform	Supported	Version	Notes
Android	✅ Yes	All	Applied during APK build pipeline
iOS	❌ No	N/A	Not applicable (different binary format)

How to Enable the Control

Navigate to Code Obfuscation from the AppTego portal, and expand the Control Flow Obfuscation section. Under this section you will find the Anti-Disassembly control. Click Enable to apply it to the next protected build.

API Configuration Example

Anti-Disassembly is a binary control with no configuration options. Include it in the controls array to enable:

{
  "controls": [
    {
      "title": "Anti-Disassembly",
      "value": "AntiDisassembly",
      "type": "binary"
    }
  ]
}

When enabled, the control automatically injects all trap categories during the Android build process. No additional configuration or integration is required.