I have heard that security through obscurity is bad.

That is so because an attacker of a crypto algorithm might eventually figure out the obscure algorithm. However, the obfuscations of White Hawk Software tools are parametrized and combined. It is not that each transformation cannot be cracked; it is the combination of transformations that makes it very difficult to crack the application. This does not match the description of security through obscurity which implies human made obscurity.