Obfuscating Code Vulnerabilities Against Static Analysis in Android Apps

  • Conference paper
  • ICT Systems Security and Privacy Protection (SEC 2024)

Abstract

In this paper, we investigate using obfuscation as a security-through-obscurity approach to hide app code vulnerabilities in Android apps. Obfuscation refers to a set of techniques that change the syntax of the code but preserve its semantics. This way, the app maintains the same runtime behavior, but the obfuscated code is hardly readable to a human being.

Here, we aim to empirically assess whether obfuscation could also negatively affect the vulnerability detection rate of SAST (i.e., Static Application Security Testing) tools. Such tools automatically reverse-engineer the app and look for vulnerability patterns in the code according to proper heuristics.

Our findings show that obfuscation reduces the detection rate of SAST tools, suggesting that investigating novel and vulnerability-focused obfuscation techniques in the future may reduce the probability of an attacker detecting vulnerabilities in obfuscated app code, both manually (due to unreadability) and automatically (by deceiving SAST tools).

Notes

  1. https://play.google.com/.

  2. It is worth noticing that most apps are free, as they support in-app purchases.

  3. We discarded the two apps, i.e., MergeManifest-UnintendedBehavior-Lean and OutdatedLibrary-DirectoryTraversal-Lean, whose vulnerabilities are related to library obsolescence, thus not associated with (and not contained in) the app code.

Author information

Correspondence to Alessio Merlo.

Copyright information

© 2024 IFIP International Federation for Information Processing

Cite this paper

Pagano, F., Verderame, L., Merlo, A. (2024). Obfuscating Code Vulnerabilities Against Static Analysis in Android Apps. In: Pitropakis, N., Katsikas, S., Furnell, S., Markantonakis, K. (eds) ICT Systems Security and Privacy Protection. SEC 2024. IFIP Advances in Information and Communication Technology, vol 710. Springer, Cham. https://doi.org/10.1007/978-3-031-65175-5_27

  • DOI: https://doi.org/10.1007/978-3-031-65175-5_27

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-65174-8

  • Online ISBN: 978-3-031-65175-5

  • eBook Packages: Computer Science (R0)