Categories
Support Corner

Remove Log4J calls with DashO’s Method Call Removal

Reading Time: 3 minutes

As we all know Log4j is a ubiquitous piece of software used to record activities in a wide range of systems found in consumer facing products and services. The discovery of the recent vulnerability in the Java logging package (CVE-2021-4428) This risk posed a severe threat to millions of consumer products from enterprise software to web applications. It presents risk of loss, or breach of personal information, financial loss and irreversible reputation harm. Currently, the FTC is taking action to require organizations to settle any associated risk caused by the known vulnerabilities. The FTC is now noted as using its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposures. 

A recent example of this negligence came on the back of a complaint in regards to Equifax’s failure to patch a known vulnerability which irreversibly exposed the personal identifiable information of 147 million consumers. This resulted in Equifax paying $700 million to settle the actions taken by the FTC and the consumer financial protection bureau. The risk for businesses is therefore clear, take actionable steps to remediate the vulnerability, or face litigation, breach risk and reputation damage.

In this guide, we will walk you through how you can use Method Call Removal to mitigate this vulnerability.

Method Call Removal

Method Call Removal has been available since our DashO 6.11 release.  It is mostly used for removing logging statements, but it can be used to strip any method calls we’d prefer not to have in our production release.  The only caveat is that the method definition must also be in DashO’s input.

Let’s assume Log4j is used for our application’s logging.  We might want to remove all log statements from production builds, then create special debug builds with logging enabled as needed.  Or, we might want to remove Info, Warn, and Debug messages, but retain Error or Fatal message in our production build.  This can be done using DashO’s Method Call Removal feature, without needing to adjust the Log4j configuration.

Please consider the following example:

This application logs informational messages when the app starts, and when it shuts down.  

The Log4J configuration has been organized into a global logging class:

In our DashO project, I’ll select the “LogInfo” method for method call removal:

Graphical user interface, text, application
Description automatically generated

After doing so, the application runs normally, but informational messages are no longer logged to console or written to log file.

After the app has been in production, I may need to create an obfuscated debug build for troubleshooting an issue with a specific client.  If so, I can run DashO without Method Call Removal to preserve logging calls in my debug build.

The above example can be downloaded here.


If you have any feedback on this topic or other topics you would like us to discuss in the Support Corner, please feel free to contact our Support Department.


Categories
Press Releases

New Release: PreEmptive DashO 11.2.1

Reading Time: < 1 minute

Professional-grade Application protection With PreEmptive DashO

You asked, we delivered: Announcing a new minor release for PreEmptive DashO

Obfuscation is more than just renaming! PreEmptive DashO is a layered obfuscation approach to provide your Java, Kotlin & Android applications with the security protection you need.

In the latest update, our development team has rolled out some new enhancements, changes and bug fixes. What’s New?

Version 11.2.1 includes:

  • Enhancements
  • Validate the Modifiers input fields in the Config Editor for Include & Exclude rules
  • New option for Properties with filesystem path values that opens a system browse dialog
  • A new dropdown for Android mode projects allowing easy switching from configured build variants and their associated inputs in the Config Editor.
  • Changes
  • The Config Editor now opens the last project on startup by default
  • Bug Fixes
  • Fixed an issue where input Jars with the same name could overwrite each other, if “Merge Inputs” was unchecked.
  • Fixed an issue where the Config Editor allowed selection of some methods for Check injections in Android projects.

Ready to learn more about DashO? Request a quote: Request A Qoute

Categories
Press Releases

PreEmptive Product Updates

Reading Time: 3 minutes

We are pleased to announce the general availability of Dotfuscator 6.4, DashO 11.2 and JSDefender 2.4 for our customers.

PreEmptive has been hard at work on the latest releases of Dotfuscator, DashO, and JSDefender. The improvements are part of PreEmptive’s strategy to continuously support all products with regular updates and new features. Headlining some of the product updates are improvements to integration and usability, and bug fixes to help ensure we keep our customers happy!

Below are the highlights of each release with links to further information such as how to access the latest version, documentation, and changelogs. Free evaluations are always available for each product.

Dotfuscator 6.4

Dotfuscator Professional protects .NET applications from reverse-engineering and hacking, using a variety of static and dynamic code transforms and injected runtime checks. Examples include symbol renaming, control flow obfuscation, string encryption, debugger detection, and tamper detection. It integrates into the development build process and operates on the .NET Intermediate Language. Dotfuscator Professional supports .NET, including .NET Core, .NET 5, Xamarin, and Mono.

The Dotfuscator Professional 6.4.0 release improves the support for default interface implementations in .NET Core 3+. Dotfuscator can now protect applications that use .NET’s default interface implementation feature, without extra configuration steps which were required before.

Additionally, the tool now provides more granular control of managed resource renaming. Users can now disable automatic resource renaming, in cases where the application loads those resources manually from strings that cannot be statically analyzed.

This version enables authenticated proxies to communicate with the PreEmptive licensing servers, which is a requirement at many enterprise customers.

The Xamarin.Android Root Check is also updated to handle new versions of Android rooting tools. 

Product Links

DashO 11.2

DashO protects Java and Android applications from reverse-engineering and hacking, using a variety of static and dynamic code transforms and injected runtime checks. Examples include symbol renaming, control flow obfuscation, string encryption, debugger detection, and tamper detection. It integrates into the development build process and operates directly on compiled Java bytecode.

The DashO 11.2.0 release enables Include and Exclude rules to be configured via Java Annotations and Supertypes. Rules can now match classes based on the existence of methods or fields that match the criteria.
The New Project Wizard now includes settings for generating Entry Point rules based on Java annotation based criteria, including a special set of entry points for Hibernate/Java Persistence API.

Additionally, DashO now processes compiled bytecode from Java 16 (except for the record type and the Sealed Classes preview feature).

Also, Global Processing Excludes now allows for classes to never be updated by DashO.

Product Links

JSDefender 2.4

JSDefender protects JavaScript code from reverse-engineering and hacking, using a variety of static and dynamic code transforms and injected runtime checks. Examples include symbol renaming, control flow obfuscation, string encryption, browser-based “Dev Tools” detection, and tamper detection. It integrates into the development build process and operates directly on JavaScript code. JSDefender also supports other languages that “transpile” to JavaScript, such as TypeScript. JSDefender can protect JavaScript running in the browser, on servers/workstations (e.g. NodeJS based applications), and on mobile devices (e.g. React Native applications).

The JSDefender 2.4.0 release brought several changes to the protection runtime which makes the protected code of our customers much harder to reverse-engineer.

Also, it extends the Control Flow transform with an option called “injectFakeCode” that injects fake test conditions to the control flow statements to mislead and confuse the attacker.

Additionally, the release fixes some bugs in the error script parsing of the runtime checks and in the Control Flow transform.

Product Links