The popular commercial anti-piracy software developed by Guardsquare DexGuard recently had its source code leaked online, which could be a field day for Android pirates to take apart and decompile commercial Android apps, and possibly release “hacked” versions.
DexGuard essentially makes it difficult for Android hackers to take apart commercial apps by obfuscating some of the inner-working of the app, as well as protecting the app against reverse engineering attacks – which in turn prevents users from figuring out all of the apps secret functions. This is basically Android anti-piracy, as DexGuard makes it more difficult for attackers to bypass anti-piracy checks – but an older version of DexGuard’s source code leaked onto GitHub, and it has been confirmed to be the real deal as Guardsquare is filing a DMCA takedown request on the GitHub repo for copyright infringement.
“The listed folders (see below) contain an older version of our commercial obfuscation software (DexGuard) for Android applications. The folder is part of a larger code base that was stolen from one of our former customers.”
If you’ve never heard of DexGuard before this, you might have heard of an alternative known as ProGuard – whereas DexGuard is focused exclusively on Android apps, ProGuard is a generic Java obfuscator which is completely free and open source – ProGuard also works perfectly fine on Android apps.
It’s unknown what sort of fallout we’re going to see from DexGuard’s source being leaked as of right now – its definitely not going to disappear, as it popped up all over the internet in various places (although we won’t link to any of them, you can Google it for yourself). A likely scenario is that some folks will figure out which apps are using the older Guardsquare DexGuard source code and attempt to release “hacked” versions of these apps through third-party app repos.
Over 200 forked repos were discovered by Guardsquare containing the leaked source code at the time of their DMCA takedown on the original – however, this isn’t any reason for Android developers to start panicking. The Guardsquare source code may give attackers an idea of the internal workings of Guardsquare’s obfuscation methods and how it protects against decompiling and modifications to the app it is protecting, but its currently unknown how much of an advantage the source code is going to give to attackers.