Abstract
Over the years, software applications have captured a large market, ranging from smart devices (smartphones and smart wearable devices) to enterprise resource management, including Enterprise Resource Planning, office applications, and the entertainment industry (video games and graphics design applications). Protecting the copyright of software applications and protecting users from malicious software (malware) have been topics of great interest to academia and industry for many years. The standard solutions use software license keys or rely on Operating System (OS) protection mechanisms such as Google Play Protect. However, some end users have broken these protections to avoid paying for applications that are not free, either by downloading the software from an unauthorised website or by jailbreaking the OS protection mechanisms. As a result, they cannot determine whether the software they download is malicious. Further, if the software is uploaded to a third-party platform by malicious users, the software developer has no way of knowing about it. In such cases, neither the authenticity nor the integrity of the software can be guaranteed. There is also a lack of information transparency among software platforms. In this study, we propose an architecture based on blockchain technology that provides data transparency, release traceability, and auditability. Our goal is to provide an open framework that allows users, software vendors, and security practitioners to monitor misbehaviour and assess software vulnerabilities in order to prevent malicious software downloads. Specifically, the proposed solution makes it possible to identify software developers who have gone rogue and are potentially developing malicious software. Furthermore, we introduce an incentive policy that encourages security engineers, victims, and software owners to participate in collaborative work.
The outcomes will ensure the wide adoption of a software auditing ecosystem in software markets, specifically for mobile device manufacturers that have been banned from using an open-source OS such as Android. Consequently, there is a demand for them to verify application security without relying completely on OS-specific security mechanisms.
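As an added illustration that is not the paper's own code or architecture, the following Python sketch shows the two properties the abstract names, release traceability and auditability, with a hash-chained append-only release ledger; the record fields, class names and sample binaries are assumptions made for this example, and the paper's consensus and incentive mechanisms are not modelled.

```python
"""Simplified tamper-evident release ledger (illustrative example, not the paper's system)."""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional


@dataclass(frozen=True)
class ReleaseRecord:
    developer: str         # identity that published the release (assumed field)
    app: str
    version: str
    artifact_sha256: str   # digest of the published binary
    prev_hash: str         # hash of the preceding record: the chain link

    def record_hash(self) -> str:
        # Canonical JSON so the same record always hashes the same way
        return hashlib.sha256(json.dumps(asdict(self), sort_keys=True).encode()).hexdigest()


class ReleaseLedger:
    """Append-only log; every record commits to its predecessor, so rewriting history breaks the chain."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.records: List[ReleaseRecord] = []

    def publish(self, developer: str, app: str, version: str, artifact: bytes) -> ReleaseRecord:
        prev = self.records[-1].record_hash() if self.records else self.GENESIS
        rec = ReleaseRecord(developer, app, version, hashlib.sha256(artifact).hexdigest(), prev)
        self.records.append(rec)
        return rec

    def lookup(self, artifact: bytes) -> Optional[ReleaseRecord]:
        """Traceability: map a downloaded binary back to the developer and release that registered it.
        A modified binary re-uploaded to a third-party site has no matching record and returns None."""
        digest = hashlib.sha256(artifact).hexdigest()
        return next((r for r in self.records if r.artifact_sha256 == digest), None)

    def audit(self) -> bool:
        """Auditability: every record must link to the hash of the record before it."""
        prev = self.GENESIS
        for rec in self.records:
            if rec.prev_hash != prev:
                return False
            prev = rec.record_hash()
        return True


if __name__ == "__main__":
    ledger = ReleaseLedger()
    official = b"constructed sample binary v1.0"          # constructed stand-in for a release
    ledger.publish("dev-alice", "example-app", "1.0", official)
    print("official build traced to:", ledger.lookup(official).developer)
    print("repackaged build traced:", ledger.lookup(official + b"-repackaged"))  # None
    print("ledger consistent:", ledger.audit())
```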
Acknowledgements
We thank the anonymous reviewers for their valuable comments, which helped us improve the content, organisation, and presentation of this work.
Cite this article
Hu, Q., Asghar, M.R. & Zeadally, S. Blockchain-based public ecosystem for auditing security of software applications. Computing 103, 2643–2665 (2021). https://doi.org/10.1007/s00607-021-00954-6