Severity: Low | CWE-693 | OWASP Mobile Top 10 M7:2024

Insufficient Binary Protections

Mobile app lacks code obfuscation, anti-tampering, or anti-debugging protections — making it easy to reverse engineer, modify, and redistribute.

How It Works

Without binary protections, an attacker with a copy of your app (any APK or IPA can be pulled from a device or a third-party mirror) can reverse engineer it with off-the-shelf tools. They decompile the code to find hardcoded secrets, understand business logic, look for exploitable bugs, bypass license or paywall checks, or ship a modified version under your name. Obfuscation does not stop a determined attacker; the code still has to run, so it can always be recovered. What it does is raise the cost of each of those steps, which is enough to deter opportunistic tampering. React Native apps deserve special attention: Metro's release build minifies the JavaScript bundle (short identifier names) but does not obfuscate it, so every string literal, URL and control-flow path is still there in plain text. With Hermes enabled (the default since React Native 0.70) the bundle ships as Hermes bytecode rather than source, which is harder to read but can still be disassembled with public tools, and its string table, including any embedded secret, is intact.

Vulnerable Code
// React Native — no obfuscation configured
// metro.config.js
module.exports = {
  transformer: {
    // Default config: the release bundle is minified (identifiers shortened)
    // but every string literal and the full program logic remain readable
  }
};
Secure Code
// metro.config.js with hardened minifier settings
module.exports = {
  transformer: {
    // Options passed to Metro's minifier (terser). Note: this is still
    // minification, not obfuscation. `mangle` is already on in release builds;
    // `drop_console` removes console.* calls that would otherwise leak
    // debug output and internal state to anyone reading the bundle.
    minifierConfig: {
      mangle: true,
      compress: { drop_console: true }
    }
  }
};
// For actual obfuscation (string-array encoding, control-flow flattening)
// add a transformer such as react-native-obfuscating-transformer, and keep
// genuine secrets out of the bundle altogether: they cannot be hidden in it.

Real-World Example

In January 2014 a security researcher examining the Starbucks iOS app found that it wrote usernames, email addresses and passwords in cleartext to a crash-log file on the device. No exploit was needed: anyone with the phone, or a backup of it, could read the credentials with a file browser, and Starbucks shipped a patched version within days. Account hijacking and fraudulent gift card reloads reported in 2015 were attributed by Starbucks to reused passwords rather than to the app itself, but the earlier finding shows how cheaply an unprotected app gives up whatever it stores.

How to Prevent It

  • Enable code obfuscation: on Android, R8 (the ProGuard successor built into the Android Gradle plugin) with minifyEnabled true in the release build type; for Flutter, build with --obfuscate and --split-debug-info so Dart symbols are renamed and the mapping is kept out of the app. Bitcode is not an obfuscation mechanism (it is an LLVM intermediate format, deprecated in Xcode 14); iOS apps compile to native code, which is harder to read than a JS bundle but still carries every string and class name unless you strip symbols or use a commercial obfuscator.
  • Use anti-tampering detection to catch modified binaries: verify the signing certificate at runtime, and back it with a platform attestation (Play Integrity on Android, App Attest on iOS) so the server can refuse requests from a repackaged app.
  • Strip debug symbols from release builds (debuggable false on Android; Strip Linked Product on iOS) and keep the ProGuard/R8 mapping and dSYM files with your build artifacts, not in the app.
  • Consider solutions like DexGuard or iXGuard for sensitive apps, and treat obfuscation as a delay, not a vault: do not rely on it to hide secrets, and enforce license and entitlement checks server-side.

Affected Technologies

Mobile, React Native, Flutter

Data Hogo detects this vulnerability automatically.

