Head-to-head dossier
DexGuard alternative: morgana vs DexGuard (Guardsquare)
DexGuard, from Guardsquare, is a mature and capable code-obfuscation and RASP product, and for opportunistic attackers it does its job well. If you are weighing it against an AI-assisted adversary, the question is no longer how well your code is hidden, but whether hiding code still works at all.
Why teams evaluate morgana instead of DexGuard
DexGuard, from Guardsquare, is the obfuscation incumbent: identifier renaming, string and resource encryption, control-flow transformation, and runtime self-protection (RASP) checks such as root, hook, and tamper detection. It is mature, well-supported, and integrates directly into Android and iOS builds. For many teams it has been the default for years, and it does its job well.
The reason teams are now looking for an alternative is not execution; it is the threat model. Obfuscation is a bet that the attacker is slower than your release cycle. That bet held when reverse engineering meant a human with a disassembler. It holds far less well when an attacker can point a capable language model at your binary and ask it to rename, explain, and summarise the logic in minutes.
The category argument: you can’t obfuscate away mathematics
morgana takes a different position. Instead of hiding logic, it binds your app’s secrets to its integrity. The keys that decrypt data and unlock functionality are derived from a measurement of the running application. If the app is unmodified, the correct key is derived and real data flows. If an attacker patches the binary, including to strip or bypass protection, the input to that derivation changes, a different key comes out, and the app quietly serves decoy data.
There is no checkpoint to find and no crash to patch around. An automated attacker that tampers and re-runs sees something that looks like success, which is the worst possible outcome for them: they cannot tell that they are looking at poison.
Where DexGuard is strong
It would be dishonest to pretend obfuscation has no value. DexGuard raises the cost of casual inspection, frustrates copy-paste cloning, and its RASP layer catches unsophisticated tampering and emulators. If your threat model is opportunistic attackers and you want a well-trodden, build-time-only integration on a broad range of Android and iOS targets, DexGuard is a reasonable, proven choice.
When DexGuard is the right call, and when morgana is
Choose DexGuard if your goal is to add friction against low-effort analysis and you are comfortable with a defence whose strength is proportional to how slow the attacker is. Choose morgana if your concern is a capable, possibly AI-assisted adversary who will get into the binary, and you want what they extract to be worthless rather than merely expensive to obtain.
The verdict
DexGuard vs morgana, line by line
| DexGuard | morgana | |
|---|---|---|
| Defends by | Obfuscating code and adding runtime checks | Deriving the wrong key when the app is tampered with |
| Holds up against AI | Weakening: LLMs increasingly deobfuscate and summarise code | Yes, there is no logic to hook; integrity feeds key derivation |
| What the attacker gets | Readable code, eventually, plus checks to patch out | Convincing poison data and no signal that anything failed |
| False positives | Tamper/root checks can misfire on legitimate devices | None; there are no detections to tune |
| Integration | Gradle/build-time integration, mature Android + iOS tooling | Build-pipeline integration; protects data + keys, not just code |
Questions
Frequently asked
Is DexGuard a good app protection tool?
Yes. DexGuard is a mature, widely deployed product with strong name-and-string obfuscation, resource encryption, and runtime checks, and it integrates cleanly into Android and iOS builds. The question is no longer whether obfuscation is well-executed, but whether hiding code is still an effective strategy when AI can read it.
Can morgana and DexGuard be used together?
They can. Obfuscation raises the cost of casual inspection while morgana removes the payoff of full reverse engineering. But teams adopting morgana often find they no longer need to invest in heavy obfuscation, because there is no longer a secret in the code to hide.
Does obfuscation stop AI-assisted reverse engineering?
It slows it down. Obfuscation is a time-and-effort barrier, and large language models are collapsing that barrier. Renaming, control-flow, and string transforms are exactly the patterns models are good at unwinding. morgana does not rely on the attacker being slow.
See it for yourself
Run your real threat model against both.
Most teams decide after the live demo: we point modern offensive tooling at your current protection, then at morgana, and let the result speak.
Request a live demo