ProGuard is supposedly the top obfuscator for APK format and even they are defeated on a daily basis.

Fred wrote:
Even JAVA apk can be easily decompiled and snooped around. When optimized, a Spider app is hard to read and follow. You can still apply some JS obfuscator if you want to protect it a bit, but client side apps will never really be protected.

With JS obfuscation you can usually just run it through a beautifier and at worst rename functions and rebuild strings. You'll never see anything like a VM (what makes protectors like SecuROM and Denuvo so strong for the most part) language used in a JS obfuscator. At worst a lot of "junk" code that proxies original functions.
Something better: Put a vital part in another apk and run it through the Android Intent API but have the download behind a server authentication. Add some checks under obfuscation on the streamed apk to make defeat more expensive. Maybe make the streamed apk a service that communicates with the potentially compromised APK through the service API that lets sandboxes access each other.
All it takes is one skilled person, though; they could easily rebuild a single APK with the streamed APK loaded from an inline resource and all checks patched, etc.
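
An added example, not part of the original post: one check the service in the streamed APK could run on the app that binds to it, refusing callers whose signing certificate differs from a pinned one (a rebuilt and re-signed main APK fails it). It assumes Android API 28+; `CallerCheck` and `EXPECTED_CERT_SHA256` are hypothetical names, and the digest is a placeholder to be filled in at build time.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Binder;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Hypothetical helper for the service inside the streamed APK (assumes API 28+).
public final class CallerCheck {
    // Placeholder: SHA-256 of the main app's release signing certificate (32 bytes).
    private static final byte[] EXPECTED_CERT_SHA256 = new byte[32];

    private CallerCheck() {}

    // Call at the start of every Binder method, on the Binder thread, before doing work.
    public static boolean callerIsTrusted(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        String[] pkgs = pm.getPackagesForUid(Binder.getCallingUid());
        if (pkgs == null || pkgs.length == 0) {
            return false;
        }
        // Packages sharing a UID must all carry the pinned certificate.
        for (String pkg : pkgs) {
            if (!signedByPinnedCert(pm, pkg)) {
                return false;
            }
        }
        return true;
    }

    private static boolean signedByPinnedCert(PackageManager pm, String pkg) {
        try {
            PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
            if (info.signingInfo == null) {
                return false;
            }
            Signature[] signers = info.signingInfo.getApkContentsSigners();
            if (signers == null || signers.length != 1) {
                return false; // reject unsigned or multi-signer packages
            }
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(signers[0].toByteArray());
            return MessageDigest.isEqual(digest, EXPECTED_CERT_SHA256);
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false; // fail closed
        }
    }
}
```

As the post says, a check like this runs on the client and can be patched out of a rebuilt APK, so it only raises the cost; anything that must stay protected belongs behind the server authentication.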