Pei Wang,Qinkun Bao,Li Wang,Shuai Wang,Zhaofeng Chen,Tao Wei,Dinghao Wu

2018-01-01

Abstract:The prosperity of smartphone markets has raised new concerns about software security on mobile platforms, leading to a growing demand for effective software obfuscation techniques. Due to various differences between the mobile and desktop ecosystems, obfuscation faces both technical and non-technical challenges when applied to mobile software. Although there have been quite a few software security solution providers launching their mobile app obfuscation services, it is yet unclear how real-world mobile developers perform obfuscation as part of their software engineering practices. Our research takes a first step to systematically studying the deployment of software obfuscation techniques in mobile software development. With the help of an automated but coarse-grained method, we computed the likelihood of an app being obfuscated for over a million app samples crawled from Apple App Store. We then inspected the top 6600 instances and managed to identify 601 obfuscated versions of 539 iOS apps. By analyzing this sample set with extensive manual effort, we made various observations that reveal the status quo of mobile obfuscation in the real world, providing insights into understanding and improving the situation of software protection on mobile platforms.

Pei Wang,Qinkun Bao,Li Wang,Shuai Wang,Zhaofeng Chen,Tao Wei,Dinghao Wu

DOI: https://doi.org/10.1145/3180155.3180169

2018-01-01

Abstract:The prosperity of smartphone markets has raised new concerns about software security on mobile platforms, leading to a growing demand for effective software obfuscation techniques. Due to various differences between the mobile and desktop ecosystems, obfuscation faces both technical and non-technical challenges when applied to mobile software. Although there have been quite a few software security solution providers launching their mobile app obfuscation services, it is yet unclear how real-world mobile developers perform obfuscation as part of their software engineering practices. Our research takes a first step to systematically studying the deployment of software obfuscation techniques in mobile software development. With the help of an automated but coarse-grained method, we computed the likelihood of an app being obfuscated for over a million app samples crawled from Apple App Store. We then inspected the top 6600 instances and managed to identify 601 obfuscated versions of 539 iOS apps. By analyzing this sample set with extensive manual effort, we made various observations that reveal the status quo of mobile obfuscation in the real world, providing insights into understanding and improving the situation of software protection on mobile platforms.

Pei Wang,Dinghao Wu,Zhaofeng Chen,Tao Wei

DOI: https://doi.org/10.1145/3183519.3183524

2018-01-01

Abstract:In recent years, mobile apps have become the infrastructure of many popular Internet services. It is now fairly common that a mobile app serves a large number of users across the globe. Different from web-based services whose important program logic is mostly placed on remote servers, many mobile apps require complicated client-side code to perform tasks that are critical to the businesses. The code of mobile apps can be easily accessed by any party after the software is installed on a rooted or jailbroken device. By examining the code, skilled reverse engineers can learn various knowledge about the design and implementation of an app. Real-world cases have shown that the disclosed critical information allows malicious parties to abuse or exploit the app-provided services for unrightful profits, leading to significant financial losses for app vendors. One of the most viable mitigations against malicious reverse engineering is to obfuscate the software before release. Despite that security by obscurity is typically considered to be an unsound protection methodology, software obfuscation can indeed increase the cost of reverse engineering, thus delivering practical merits for protecting mobile apps. In this paper, we share our experience of applying obfuscation to multiple commercial iOS apps, each of which has millions of users. We discuss the necessity of adopting obfuscation for protecting modern mobile business, the challenges of software obfuscation on the iOS platform, and our efforts in overcoming these obstacles. Our report can benefit many stakeholders in the iOS ecosystem, including developers, security service providers, and Apple as the administrator of the ecosystem.

Shouki A. Ebad,Abdulbasit A. Darem

DOI: https://doi.org/10.3390/electronics13122272

IF: 2.9

2024-06-11

Electronics

Abstract:Researchers have proposed different obfuscation transformations supported by numerous smartphone protection tools (obfuscators and deobfuscators). However, there is a need for a comprehensive study to empirically characterize these tools that belong to different categories of transformations. We propose a property-based framework to systematically classify twenty cutting-edge tools according to their features, analysis type, programming language support, licensing, applied obfuscation transformations, and general technical drawbacks. Our analysis predominantly reveals that very few tools work at the dynamic level, and most tools (which are static-based) work for Java or Java-based ecosystems (e.g., Android). The findings also show that the widespread adoption of renaming transformations is followed by formatting and code injection. In addition, this paper pinpoints the technical shortcomings of each tool; some of these drawbacks are common in static-based analyzers (e.g., resource consumption), and other drawbacks have negative effects on the experiment conducted by students (e.g., a third-party library involved). According to these critical limitations, we provide some timely recommendations for further research. This study can assist not only Android developers and researchers to improve the overall health of their apps but also the managers of computer science and cybersecurity academic programs to embed suitable obfuscation tools in their curricula.

engineering, electrical & electronic,physics, applied,computer science, information systems

Lei Xue,Yuxiao Yan,Luyi Yan,Muhui Jiang,Xiapu Luo,Dinghao Wu,Yajin Zhou

DOI: https://doi.org/10.1145/3460319.3464839

2021-01-01

Abstract:Android packers have been widely adopted by developers to protect apps from being plagiarized. Meanwhile, various unpacking tools unpack the apps through direct memory dumping. To defend against these off-the-shelf unpacking tools, packers start to adopt virtual machine (VM) based protection techniques, which replace the original Dalvik bytecode (DCode) with customized bytecode (PCode) in memory. This defeats the unpackers using memory dumping mechanisms. However, little is known about whether such packers can provide enough protection to Android apps. In this paper, we aim to shed light on these questions and take the first step towards demystifying the protections provided to the apps by the VM-based packers. We proposed novel program analysis techniques to investigate existing commercial VM-based packers including a learning phase and a deobfuscation phase.We aim at deobfuscating the VM-protection DCode in three scenarios, recovering original DCode or its semantics with training apps, and restoring the semantics without training apps. We also develop a prototype named Parema to automate much work of the deobfuscation procedure. By applying it to the online VM-based Android packers, we reveal that all evaluated packers do not provide adequate protection and could be compromised.

Pei Wang,Dinghao Wu,Zhaofeng Chen,Tao Wei

DOI: https://doi.org/10.1002/spe.2648

2019-01-01

Abstract:In recent years, mobile apps have become the infrastructure of many popular Internet services. It is now common that a mobile app serves millions of users across the globe. By examining the code of these apps, reverse engineers can learn various knowledge about the design and implementation of the apps. Real-world cases have shown that the disclosed critical information allows malicious parties to abuse or exploit the app-provided services for unrightful profits, leading to significant financial losses. One of the most viable mitigations against malicious reverse engineering is to obfuscate the apps. Despite that security by obscurity is typically considered to be an unsound protection methodology, software obfuscation can indeed increase the cost of reverse engineering, thus delivering practical merits for protecting mobile apps. In this paper, we share our experience of applying obfuscation to multiple commercial iOS apps, each of which has millions of users. We discuss the necessity of adopting obfuscation for protecting modern mobile business, the challenges of software obfuscation on the iOS platform, and our efforts in overcoming these obstacles. We especially focus on factors that are unique to mobile software development that may affect the design and deployment of obfuscation techniques. We report the outcome of our obfuscation with empirical experiments. We additionally elaborate on the follow-up case studies about how our obfuscation affected the app publication process and how we responded to the negative impacts. This experience report can benefit mobile developers, security service providers, and Apple as the administrator of the iOS ecosystem.

Parvez Faruki,Hossein Fereidooni,Vijay Laxmi,Mauro Conti,Manoj Gaur

DOI: https://doi.org/10.48550/arXiv.1611.10231

2016-11-30

Abstract:Mobile devices have become ubiquitous due to centralization of private user information, contacts, messages and multiple sensors. Google Android, an open-source mobile Operating System (OS), is currently the market leader. Android popularity has motivated the malware authors to employ set of cyber attacks leveraging code obfuscation techniques. Obfuscation is an action that modifies an application (app) code, preserving the original semantics and functionality to evade anti-malware. Code obfuscation is a contentious issue. Theoretical code analysis techniques indicate that, attaining a verifiable and secure obfuscation is impossible. However, obfuscation tools and techniques are popular both among malware developers (to evade anti-malware) and commercial software developers (protect intellectual rights). We conducted a survey to uncover answers to concrete and relevant questions concerning Android code obfuscation and protection techniques. The purpose of this paper is to review code obfuscation and code protection practices, and evaluate efficacy of existing code de-obfuscation tools. In particular, we discuss Android code obfuscation methods, custom app protection techniques, and various de-obfuscation methods. Furthermore, we review and analyse the obfuscation techniques used by malware authors to evade analysis efforts. We believe that, there is a need to investigate efficiency of the defense techniques used for code protection. This survey would be beneficial to the researchers and practitioners, to understand obfuscation and de-obfuscation techniques to propose novel solutions on Android.

Cryptography and Security

Weiping WEN,Han ZHANG,Xianglei CAO

DOI: https://doi.org/10.3969/j.issn.1671-1122.2016.05.011

2016-01-01

Abstract:With the rapid development of mobile intelligent terminals, Android operating system has become one of the most widely used mobile intelligent operating systems in the world. Java is famous for its features of good cross-platform, high efficiency and a large amount of developers, therefore the designers of Android choose Java as the system development language. The characteristics of the Java language make Java program easy be decompiled by decompilation tools and be analyzed, which makes Android applications face great risks. This paper focuses on the study of code obfuscation technology for the purpose of protecting Android applications, improving the dififculty of the attacker's reverse analysis and adding no extra time cost for the execution of the program. Based on Android executable ifle reorganization, this paper designs and implements a kind of Android obfuscation tool and carries out test and performances analysis. This Android obfuscation tool enhances the security of Android applications, protects Android applications developers' intellectual property rights, and avoids reverse analysis, piracy and malicious tampering to Android applications to a certain extent.

LIU Hui-ming,ZHUGE Jian-wei

DOI: https://doi.org/10.19304/j.cnki.issn1000-7180.2016.10.013

2016-01-01

Abstract:We propose an alternative way and implement the demo system that translates the key code into native code and obfuscates it automatically.The resulting obfuscated code is immune to existing automatic reverse techniques.Our evaluation shows that this system is of both high harden strength and good compatibility,and it will be an effective protector for millions of apps’developers and users.

Cong Zheng,Shixiong Zhu,Shuaifu Dai,Guofei Gu,Xiaorui Gong,Xinhui Han,Wei Zou

DOI: https://doi.org/10.1145/2381934.2381950

2012-01-01

Abstract:ABSTRACTUser interface (UI) interactions are essential to Android applications, as many Activities require UI interactions to be triggered. This kind of UI interactions could also help malicious apps to hide their sensitive behaviors (e.g., sending SMS or getting the user's device ID) from being detected by dynamic analysis tools such as TaintDroid, because simply running the app, but without proper UI interactions, will not lead to the exposure of sensitive behaviors. In this paper we focus on the challenging task of triggering a certain behavior through automated UI interactions. In particular, we propose a hybrid static and dynamic analysis method to reveal UI-based trigger conditions in Android applications. Our method first uses static analysis to extract expected activity switch paths by analyzing both Activity and Function Call Graphs, and then uses dynamic analysis to traverse each UI elements and explore the UI interaction paths towards the sensitive APIs. We implement a prototype system SmartDroid and show that it can automatically and efficiently detect the UI-based trigger conditions required to expose the sensitive behavior of several Android malwares, which otherwise cannot be detected with existing techniques such as TaintDroid.

Umair Nawaz,Muhammad Aleem,Jerry Chun-Wei Lin

DOI: https://doi.org/10.7717/peerj-cs.1002

2022-06-21

PeerJ Computer Science

Abstract:The Android mobile platform is the most popular and dominates the cell phone market. With the increasing use of Android, malware developers have become active in circumventing security measures by using various obfuscation techniques. The obfuscation techniques are used to hide the malicious code in the Android applications to evade detection by anti-malware tools. Some attackers use the obfuscation techniques in isolation, while some attackers use a mixed approach (i.e., employing multiple obfuscation techniques simultaneously). Therefore, it is crucial to analyze the impact of the different obfuscation techniques, both when they are used in isolation and when they are combined as hybrid techniques. Several studies have suggested that the obfuscation techniques may be more effective when used in a mixed pattern. However, in most of the related works, the obfuscation techniques used for analysis are either based on individual or a combination of primitive obfuscation techniques. In this work, we provide a comprehensive evaluation of anti-malware tools to gauge the impact of complex hybrid code-obfuscations techniques on malware detection capabilities of the prominent anti-malware tools. The evaluation results show that the inter-category-wise hybridized code obfuscation results in more evasion as compared to the individual or simple hybridized code obfuscations (using multiple and similar code obfuscations) which most of the existing related work employed for the evaluation. Obfuscation techniques significantly impact the detection rate of any anti-malware tool. The remarkable result i.e., almost 100% best detection rate is observed for the seven out of 10 tools when analyzed using the individual obfuscation techniques, four out of 10 tools on category-wise obfuscation, and not a single anti-malware tool attained full detection (i.e., 100%) for inter-category obfuscations.

computer science, information systems, artificial intelligence, theory & methods

Hao Zhou,Shuohan Wu,Chenxiong Qian,Xiapu Luo,Haipeng Cai,Chao Zhang

DOI: https://doi.org/10.14722/ndss.2024.24035

2024-01-01

Abstract:Overlay is a notable user interface feature in the Android system, which allows an app to draw over other apps' windows.While overlay enhances user experience and allows concurrent app interaction, it has been extensively abused for malicious purposes, such as "tapjacking", leading to so-called overlay attacks.In order to combat this threat, Google introduced a dedicated window flag SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS to protect critical system apps' windows against overlay attacks.Unfortunately, the adequacy of such protection in the Android system remains unstudied, with a noticeable absence of clear usage guidelines.To bridge the gap, in this paper, we conduct the first systematic study on the unprotected windows of system apps against overlay attacks.We propose a comprehensive guideline and then design and develop a new tool named OverlayChecker to identify the missing protections in Android system apps.To verify the uncovered issues, we also design and create Proof-of-Concept apps.After applying OverlayChecker to 8 commercial Android systems on 4 recently released Android versions, we totally discovered 49 vulnerable system apps' windows.We reported our findings to the mobile vendors, including Google, Samsung, Vivo, Xiaomi, and Honor.At the time of writing, 15 of them have been confirmed.5 CVEs have been assigned, and 3 of them are rated high severity.We also received bug bounty rewards from these mobile vendors.

Jieshan Chen,Jiamou Sun,Sidong Feng,Zhenchang Xing,Qinghua Lu,Xiwei Xu,Chunyang Chen

2024-11-28

Abstract:Mobile apps bring us many conveniences, such as online shopping and communication, but some use malicious designs called dark patterns to trick users into doing things that are not in their best interest. Many works have been done to summarize the taxonomy of these patterns and some have tried to mitigate the problems through various techniques. However, these techniques are either time-consuming, not generalisable or limited to specific patterns. To address these issues, we propose UIGuard, a knowledge-driven system that utilizes computer vision and natural language pattern matching to automatically detect a wide range of dark patterns in mobile UIs. Our system relieves the need for manually creating rules for each new UI/app and covers more types with superior performance. In detail, we integrated existing taxonomies into a consistent one, conducted a characteristic analysis and distilled knowledge from real-world examples and the taxonomy. Our UIGuard consists of two components, Property Extraction and Knowledge-Driven Dark Pattern Checker. We collected the first dark pattern dataset, which contains 4,999 benign UIs and 1,353 malicious UIs of 1,660 instances spanning 1,023 mobile apps. Our system achieves a superior performance in detecting dark patterns (micro averages: 0.82 in precision, 0.77 in recall, 0.79 in F1 score). A user study involving 58 participants further shows that \tool{} significantly increases users' knowledge of dark patterns.

Human-Computer Interaction

Zhaoxin Cai,Yuhong Nan,Xueqiang Wang,Mengyi Long,Qihua Ou,Min Yang,Zibin Zheng

DOI: https://doi.org/10.1109/dsn58367.2023.00052

2023-01-01

Abstract:It has been extensively discussed that online services, such as shopping websites, may exploit dark user interface (UI) patterns to mislead users into performing unwanted and even harmful activities on the UI, e.g., subscribing to recurring purchases unknowingly. Most recently, the growing popularity of mobile platforms has led to an ever-extending reach of dark UI patterns in mobile apps, leading to security and privacy risks to end users. A systematic study of such patterns, including how to detect and mitigate them on mobile platforms, unfortunately, has not been conducted. In this paper, we fill the research gap by investigating the dark UI patterns in mobile apps. Specifically, we show the prevalence of the asymmetric dark UI patterns (AUI) in real-world apps, and reveal their risks by characterizing the AUI (e.g., subjects, hosts, and patterns). Then, through user studies, we demonstrate the demand for effective solutions to mitigate the potential risks of AUI. To meet the needs, we propose DARPA - an end-to-end and generic CV-based solution to identify AUIs at run-time and mitigate the risks by highlighting the AUIs with run-time UI decoration. Our evaluation shows that DARPA is highly accurate and introduces negligible overhead. Additionally, running DARPA does not require any modifications to the apps being analyzed and to the operating system.

Zhaoguo Wang,Chenglong Li,Yi Guan,Yibo Xue

DOI: https://doi.org/10.13245/j.hust.160312

2016-01-01

Abstract:In order to confront the code obfuscation problem,and better respond to the needs of simi-larity detection,a new method based on anti-obfuscation characteristics was designed,which included 7 kinds of anti-obfuscation code characteristics,audio characteristics and image characteristics.The method was proposed for detecting similarity and evaluating.Based on these characteristics and the methods,a prototype system was implemented and made suitable for large-scale scenario.The detec-tions of 1259 malware and 288 APPs from 12 APP markets show that the proposed method has obvi-ous advantages over the state-of-the-art methods against code obfuscation with high detection perform-ance.

Shaokun Zhang,Hanwen Lei,Yuanpeng Wang,Ding Li,Yao Guo,Xiangqun Chen

DOI: https://doi.org/10.1109/issre59848.2023.00057

2023-01-01

Abstract:Assessing description-to-permission fidelity is critical for safeguarding personal data accessed through sensitive APIs in Android apps. However, it remains a challenge for existing methods, both static and dynamic. Static methods are either infeasible due to various dynamic features (e.g., code obfuscation, dynamic class loading, and reflection) or too coarse-grained to understand how sensitive APIs collect privacy data under runtime contexts. Existing dynamic methods lack contextual understanding regarding sensitive API calls. For example, they fail to understand which GUI widgets are more likely to trigger sensitive APIs and ignore the preceding UI contexts that could reveal the intention of API calls when analyzing their fidelity.In this paper, we propose an API-driven automated dynamic analysis tool called APIMind for assessing runtime description-to-permission fidelity in Android apps. APIMind can discover sensitive APIs more effectively by utilizing multimodal features to jointly infer the semantics of GUI widgets and leveraging deep networks to automatically learn their relationship based on multifaceted rewards. Then, it could accurately assess description-to-permission fidelity by developing an extended tool that considers dual UI contexts (i.e., preceding and current contexts). We evaluate the accuracy and efficiency of APIMind using 121 real-world apps. Experimental results demonstrate that APIMind can achieve a detection accuracy of 96.1%. Compared to the competitive baseline, APIMind increases efficiency by 43%. In addition, based on our proposed tool, we conduct a large-scale case study of 1013 real Android apps, which reveals the prevalence of several typical inconsistencies and demonstrates the effectiveness of our approach in the wild.

Wenyu Wang,Wei Yang,Tianyin Xu,Tao Xie

DOI: https://doi.org/10.1145/3468264.3468554

2021-01-01

Abstract: With the prosperity of mobile apps, quality assurance of mobile apps becomes crucially important. Automated mobile User Interface (UI) testing had arisen as a key technique for app quality assurance. However, despite years of efforts, existing mobile UI testing techniques still cannot achieve high code coverage, especially for industrial-quality apps. To substantially improve the efficacy of mobile UI testing, we investigate state-of-the-art techniques and find a fundamental limitation--each testing technique attempts to apply one predefined strategy to explore the UI space of all mobile apps. However, we observe that different UI design characteristics require customized UI exploration strategies in practice. With this finding in mind, in this paper, we propose a new direction for mobile UI testing--automatic customization of UI exploration strategies for each app under test. As a first step in this direction, we target ineffective exploration behavior, which refers to cases where UI testing tools fail to make progress effectively. We present Vet as a general framework for applying the idea of trace analysis on UI testing history to identify ineffective exploration behavior for a given UI testing tool on a given app. Vet embraces specialized algorithms for speculating subsequences in the trace that manifest ineffective exploration behavior of UI space exploration. Vet then enables enhancing the testing tool by guiding the exploration to avoid ineffective exploration. We evaluate Vet by applying it to three state-of-the-art Android UI testing tools. Vet locates ineffective exploration behaviors that reveal various tool-app applicability issues hindering testing efficacy. Vet automatically fixes the applicability issues and achieves up to 46.8% code coverage relative improvements on 11 of 15 industrial-quality apps under evaluation.

Hung-Min Sun,Yining Liu,Shih-Chi Wang,Yang,Yeh-g Chen

DOI: https://doi.org/10.29333/ejmste/91668

2018-01-01

Abstract:As the Android’s growth in global market share, the security problem of Android OS becomes more and more serious. According to statistics, there are 84% of smartphone users use Android OS. The popularity brings not only wealth into Android market but also more and more malicious applications. Malicious developers want to steal private information such as credit card number, contacts, or email from Android phones. Android has sustained security issue for a long time. Academics also have put many efforts to solve the problem. Dynamic analysis is one of the methodologies for Android malware detection. Current execution of dynamic analysis needs to deploy heavy human resources. There is always someone needed to access the user interface manually, or the work can hardly be finished. In this work, we propose an approach on Android UI automation. Our implemented system output an Android monkeyrunner scripts, which is custom made for input Apk. The script program can trigger UI event automatically and deal with exception conditions while executed in monkeyrunner.

Jianjun Huang,Yousra Aafer,David Perry,Xiangyu Zhang,Chen Tian

DOI: https://doi.org/10.1109/ase.2017.8115642

2017-01-01

Abstract:While smartphones and mobile apps have been an integral part of our life, modern mobile apps tend to contain a lot of rarely used functionalities. For example, applications contain advertisements and offer extra features such as recommended news stories in weather apps. While these functionalities are not essential to an app, they nonetheless consume power, CPU cycles and bandwidth. In this paper, we design a UI driven approach that allows customizing an Android app by removing its unwanted functionalities. In particular, our technique displays the UI and allows the user to select elements denoting functionalities that she wants to remove. Using this information, our technique automatically removes all the code elements related to the selected functionalities, including all the relevant background tasks. The underlying analysis is a type system, in which each code element is tagged with a type indicating if it should be removed. From the UI hints, our technique infers types for all other code elements and reduces the app accordingly. We implement a prototype and evaluate it on 10 real-world Android apps. The results show that our approach can accurately discover the removable code elements and lead to substantial resource savings in the reduced apps.

Kan Zeliang,Wang Haoyu,Wu Lei,Guo Yao,Luo Daniel Xiapu

2019-01-01

Abstract: With the popularity of Android apps, different techniques have been proposed to enhance app protection. As an effective approach to prevent reverse engineering, obfuscation can be used to serve both benign and malicious purposes. In recent years, more and more sensitive logic or data have been implemented as obfuscated native code because of the limitations of Java bytecode. As a result, native code obfuscation becomes a great obstacle for security analysis to understand the complicated logic. In this paper, we propose DiANa, an automated system to facilitate the deobfuscation of native binary code in Android apps. Specifically, given a binary obfuscated by Obfuscator-LLVM (the most popular native code obfuscator), DiANa is capable of recovering the original Control Flow Graph. To the best of our knowledge, DiANa is the first system that aims to tackle the problem of Android native binary deobfuscation. We have applied DiANa in different scenarios, and the experimental results demonstrate the effectiveness of DiANa based on generic similarity comparison metrics.