How to ensure mobile security SDK when transferring to third parties?

There is a task to provide partners with an SDK for mobile development. But I would not like the source code of the SDK to be available, i.e. it is necessary to give a black box with documentation.

Please share the experience of implementation, pros and cons of this approach.

It is logical to use code obfuscation, but is it possible to give the SDK in compiled form and not as source code, even obfuscated?
September 18th 19 at 23:40
1 answer
September 18th 19 at 23:42
What is the SDK written in? Generally you can build it into a library for the target platforms (a jar for Android, for example) and hand that out. The possibility of reverse engineering will still be there, but strictly speaking it is always there.
The SDK will be for both Android and iOS, but the task may be on Android.
I understand that decompilation and deobfuscation are possible; the goal is to raise the entry bar for crackers.

I.e. you can build the library into a JAR, obfuscated beforehand... And can it even be locked, so that it is initialized only with a key?

PS: I am not a coder, I just do information security. - Simeon.Cremin43 commented on September 18th 19 at 23:45
You need to build the SDK into a library. Android - jar. For iOS I don't know, but there is something equivalent there - 100%. You can of course obfuscate your code, for God's sake. But a lock - that is your internal implementation, however you do it - so be it. Even if it talks to the server and asks for the key, even a simple string cryptography check. But this is your internal mechanism, and that's all. And of course, when decompiling this code, an attacker can cut that out and use it without a key. - Ana.Hagenes18 commented on September 18th 19 at 23:48
Considering that IntelliJ (and Android Studio) have a quite workable built-in decompiler, either obfuscation or... give the library as native code + a wrapper - reversing native C++ code is still more complicated than deobfuscating Java code. Regarding iOS: if possible, do NOT give out the simulator version of the library (if this library is so valuable), because it is x86, and getting Hex-Rays for x86 is easier than for ARM.
Of course this only makes sense if the library itself has some value; if it's just a wrapper around a server API that keeps dumb users from capturing network traffic and writing an equivalent client library (SSL pinning is unlikely to save you in this case). - Madyson.Stiedemann commented on September 18th 19 at 23:51
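The answer and comments above recommend building the SDK into a jar and obfuscating everything except the public API. Below is an added example of what that looks like as a ProGuard (or R8, which reads the same rules) configuration; it is not from the original thread or from any real project. The package names `com.example.sdk.api` and `com.example.sdk.a`, the jar paths, and the path to `android.jar` are assumed placeholders.

```proguard
# Constructed example: ProGuard/R8 rules for shipping a mobile SDK as an
# obfuscated library jar. Replace the paths and package names for your build.
-injars      build/libs/sdk.jar
-outjars     build/libs/sdk-release.jar
# The Android platform jar the SDK was compiled against (placeholder path).
-libraryjars /path/to/android-sdk/platforms/android-33/android.jar

# Keep only the public entry points partners are documented to call;
# every other class, method and field is renamed.
-keep public class com.example.sdk.api.** {
    public protected *;
}

# JNI bridge methods are resolved by name from the native library,
# so they must keep their original names.
-keepclasseswithmembernames class * {
    native <methods>;
}

# Flatten internal classes into one short package and make members
# accessible so optimization can inline across class boundaries.
-repackageclasses 'com.example.sdk.a'
-allowaccessmodification
-optimizationpasses 3

# Keep only the attributes needed for generics and annotations to work
# for the consumer; line numbers and source file names are dropped,
# which removes easy landmarks from decompiled output.
-keepattributes Signature,*Annotation*,InnerClasses,EnclosingMethod
-dontusemixedcaseclassnames

# Strip debug logging so internal behaviour is not narrated in logcat.
-assumenosideeffects class android.util.Log {
    public static int v(...);
    public static int d(...);
}
```

Two practical checks after the build: open `sdk-release.jar` in the IDE decompiler mentioned above and confirm that only the `api` package is readable, and run the partner sample app against the obfuscated jar so that a missing `-keep` rule (reflection, serialization, a callback interface) is caught before it reaches a partner. A "lock" that checks a key at initialization can live in the obfuscated part, but, as the comments note, it raises the bar rather than preventing removal.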
