This article explores in depth the anti-reverse engineering capabilities of Huawei's HarmonyOS 5 system, focusing on the Cangjie language's obfuscation and hardening techniques. The content is based on actual development practices and aims to serve as a resource for technical exchange.
I. Structural Obfuscation: Making Code “Unrecognizable”
In the HarmonyOS ecosystem, application security is paramount — like installing a smart fingerprint lock on your app logic. Structural obfuscation in Cangjie effectively disguises the architecture of your codebase.
1.1 Symbol Name Obfuscation in Action
Original code:
class PaymentService {
func verifyPassword(pwd: String) -> Bool {
// Verification logic
}
}
Obfuscated decompiled output:
class a {
func b(c: String) -> Bool {
// Same logic but unreadable
}
}
Key Transformations:
-
PaymentService➝a -
verifyPassword➝b - Parameter
pwd➝c - Debug line numbers removed or reset
1.2 HarmonyNext App Store Security Compliance
| Security Level | Obfuscation Requirements | Suitable Scenarios |
|---|---|---|
| Basic | Method name obfuscation only | Utility apps |
| Financial | Full symbol + control flow obfuscation | Payment, banking apps |
| Military | Custom obfuscation + hardware-level protection | Government/military apps |
✅ In one banking app, structural obfuscation extended reverse engineering time from 2 hours to over 3 weeks.
II. Data Obfuscation: Invisibility for Strings and Constants
Plaintext strings in code are like passwords on a sticky note — visible and risky. Cangjie’s data obfuscation is like a privacy glass: you can see from the inside, but not from the outside.
2.1 String Encryption Workflow
Original code:
let apiKey = "HARMONY-12345"
After compilation:
// .rodata section:
0x1234: [Encrypted binary sequence]
Decryption at runtime:
- Decrypts only on first access
- Keeps plaintext in-memory only
- Automatically cleared after process exit
2.2 Constant Obfuscation: Mathematical Cloaking
Original:
const FLAG = 0xDEADBEEF
Obfuscated:
const FLAG = (0x12345678 ^ 0xCCCCCCCC) + 0x24681357
🧠 In HarmonyNext DRM modules, this technique increased reverse difficulty by 10x for static analysis tools.
III. Control Flow Obfuscation: Creating Logical Labyrinths
Clear control flow is a reverser’s paradise — it shows exactly where things go. But what if that highway became Chongqing-style overpasses?
3.1 Example: Fake and Opaque Control Flows
Original logic:
func checkLicense() -> Bool {
return isValid
}
Obfuscated logic:
func checkLicense() -> Bool {
let a = (getRuntimeValue() & 1) == 0 // Opaque predicate
var b = false
if a { /* Never-executed code */ }
while (a) { /* Fake infinite loop */ }
// Real logic fragmented and non-linear
}
3.2 Balancing Security and Performance
HarmonyNext game engine internal test results:
| Obfuscation Level | Code Size Increase | Runtime Overhead | Reverse Engineering Time |
|---|---|---|---|
| None | 0% | 0% | 1 hour |
| Intermediate | +15% | +5% | 8 hours |
| Advanced | +40% | +12% | 3 days |
🔐 Military-grade strategy: Use high-intensity obfuscation on critical paths, and light/no obfuscation on peripheral logic to optimize build size and runtime.
Conclusion: Obfuscation is a Strategic Tool, Not a Silver Bullet
- Symbol obfuscation hides your API surface
- Data obfuscation protects secrets
- Control flow obfuscation hinders reverse tracing
However:
⚠️ Misusing obfuscation can backfire — increasing code complexity, bloating size, and hurting performance.
📏 Team Guidelines We Followed:
🔒 "Three Principles for Safe Obfuscation":
- No obfuscation without value
- No obfuscation without test coverage
- No obfuscation without documentation
Top comments (0)