DOI: 10.1145/3180155.3180169 (ACM conference proceedings, ICSE; research article)

Software protection on the go: a large-scale empirical study on mobile app obfuscation

Published: 27 May 2018

Abstract

The prosperity of smartphone markets has raised new concerns about software security on mobile platforms, leading to a growing demand for effective software obfuscation techniques. Because the mobile and desktop ecosystems differ in many ways, obfuscation faces both technical and non-technical challenges when applied to mobile software. Although quite a few software security solution providers have launched mobile app obfuscation services, it remains unclear how real-world mobile developers perform obfuscation as part of their software engineering practices.
Our research takes a first step toward systematically studying the deployment of software obfuscation techniques in mobile software development. With the help of an automated but coarse-grained method, we computed the likelihood of an app being obfuscated for over a million app samples crawled from the Apple App Store. We then inspected the top 6600 instances and managed to identify 601 obfuscated versions of 539 iOS apps. By analyzing this sample set with extensive manual effort, we made various observations that reveal the status quo of mobile obfuscation in the real world, providing insights into understanding and improving the situation of software protection on mobile platforms.

References

[1]
Apple: most popular app store categories 2017 | Statistic. https://www.statista.com/statistics/270291/popular-categories-in-the-app-store/.
[2]
IDA: About. https://www.hex-rays.com/products/ida/.
[3]
The International Obfuscated C Code Contest. http://www.ioccc.org.
[4]
iOS Apps Caught Using Private APIs. http://sourcedna.com/blog/20151018/ios-apps-using-private-apis.html.
[5]
iTunes Connect Developer Guide. https://developer.apple.com/library/content/documentation/LanguagesUtilities/Conceptual/iTunesConnect_Guide/Chapters/About.html.
[6]
The Lancaster Corpus of Mandarin Chinese. http://www.lancaster.ac.uk/fass/projects/corpus/LCMC/.
[7]
Monument Valley apparently has a 95% piracy rate on Android, 60% on iOS. https://goo.gl/TkfCIK.
[8]
Shrink Your Code and Resources | Android Studio - Android Developers. https://developer.android.com/studio/build/shrink-code.html.
[9]
Smart Obfuscation for iOS Apps | PreEmptive Protection. https://www.preemptive.com/products/ppios.
[10]
Benjamin Andow, Adwait Nadkarni, Blake Bassett, William Enck, and Tao Xie. 2016. A Study of Grayware on Google Play. In Proceedings of the 2016 IEEE Workshop on Mobile Security Technologies (MoST '16).
[11]
Daniel Arp, Michael Spreitzenbarth, Malte Hubner, Hugo Gascon, and Konrad Rieck. 2014. DREBIN: Effective and Explainable Detection of Android Malware in Your Pocket. In Proceedings of the 2014 Network and Distributed System Security Symposium (NDSS '14).
[12]
Sébastien Bardin, Robin David, and Jean-Yves Marion. 2017. Backward-Bounded DSE: Targeting Infeasibility Questions on Obfuscated Codes. In Proceedings of the 38th IEEE Symposium on Security and Privacy (SP '17). 633--651.
[13]
Benjamin Bichsel, Veselin Raychev, Petar Tsankov, and Martin Vechev. 2016. Statistical Deobfuscation of Android Applications. In Proceedings of the 23rd ACM SIGSAC Conference on Computer and Communications Security (CCS '16). 343--355.
[14]
Hao Chen, Daojing He, Sencun Zhu, and Jingshun Yang. 2017. Toward Detecting Collusive Ranking Manipulation Attackers in Mobile App Markets. In Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security (AsiaCCS '17). 58--70.
[15]
Kai Chen, Peng Liu, and Yingjun Zhang. 2014. Achieving Accuracy and Scalability Simultaneously in Detecting Application Clones on Android Markets. In Proceedings of the 36th ACM/IEEE International Conference on Software Engineering (ICSE '14). 175--186.
[16]
Kai Chen, Xueqiang Wang, Yi Chen, Peng Wang, Yeonjoon Lee, XiaoFeng Wang, Bin Ma, Aohui Wang, Yingjun Zhang, and Wei Zou. 2016. Following Devil's Footprints: Cross-Platform Analysis of Potentially Harmful Libraries on Android and iOS. In Proceedings of the 37th IEEE Symposium on Security and Privacy (S&P '16). 357--376.
[17]
Zhaofeng Chen. iOS Masque Attack Weaponized: A Real World Look. https://www.fireeye.com/blog/threat-research/2015/08/ios_masque_attackwe.html.
[18]
Alex Franz and Thorsten Brants. All Our N-gram are Belong to You. https://research.googleblog.com/2006/08/all-our-n-gram-are-belong-to-you.html.
[19]
Clint Gibler, Ryan Stevens, Jonathan Crussell, Hao Chen, Hui Zang, and Heesook Choi. AdRob: Examining the Landscape and Impact of Android Application Plagiarism. In Proceeding of the 11th Annual International Conference on Mobile Systems, Applications, and Services (MobiSys '13). 431--444.
[20]
Leonid Glanz, Sven Amann, Michael Eichberg, Michael Reif, Ben Hermann, Johannes Lerch, and Mira Mezini. 2017. CodeMatch: Obfuscation Won't Conceal Your Repackaged App. In Proceedings of the 11th Joint Meeting on Foundations of Software Engineering (ESEC/FSE'17). 638--648.
[21]
Abram Hindle, Earl T. Barr, Zhendong Su, Mark Gabel, and Premkumar Devanbu. 2012. On the Naturalness of Software. In Proceedings of the 34th ACM/IEEE International Conference on Software Engineering (ICSE'12). 837--847.
[22]
Pengwei Lan, Pei Wang, Shuai Wang, and Dinghao Wu. 2017. Lambda Obfuscation. In Proceedings of the 13th EAI International Conference on Security and Privacy in Communication Networks (SecureComm '17).
[23]
Timea László and Ákos Kiss. 2009. Obfuscating C++ Programs via Control Flow Flattening. Annales Universitatis Scientarum Budapestinensis de Rolando Eötvös Nominatae, Sectio Computatorica 30 (2009), 3--19.
[24]
Menghao Li, Wei Wang, Pei Wang, Shuai Wang, Dinghao Wu, Jian Liu, Rui Xue, and Wei Huo. 2017. LibD: Scalable and Precise Third-party Library Detection in Android Markets. In Proceedings of the 39th ACM/IEEE International Conference on Software Engineering (ICSE '17).
[25]
Wenhao Li, Haibo Li, Haibo Chen, and Yubin Xia. 2015. AdAttester: Secure Online Mobile Advertisement Attestation Using TrustZone. In Proceedings of the 13th Annual International Conference on Mobile Systems, Applications, and Services (MobiSys '15). 75--88.
[26]
Mario Linares-Vásquez, Andrew Holtzhauer, Carlos Bernal-Cárdenas, and Denys Poshyvanyk. 2014. Revisiting Android Reuse Studies in the Context of Code Obfuscation and Library Usages. In Proceedings of the 11th Working Conference on Mining Software Repositories (MSR '14).
[27]
Han Liu, Chengnian Sun, Zhendong Su, Yu Jiang, Ming Gu, and Jiaguang Sun. 2017. Stochastic Optimization of Program Obfuscation. In Proceedings of the 39th International Conference on Software Engineering (ICSE '17). 221--231.
[28]
Ziang Ma, Haoyu Wang, Yao Guo, and Xiangqun Chen. 2016. LibRadar: Fast and Accurate Detection of Third-party Libraries in Android Apps. In Proceedings of the 38th International Conference on Software Engineering Companion (ICSE '16 Companion). 653--656.
[29]
Jiang Ming, Dongpeng Xu, Li Wang, and Dinghao Wu. 2015. LOOP: Logic-Oriented Opaque Predicate Detection in Obfuscated Binary Code. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS '15). 757--768.
[30]
Steven S. Muchnick. 1997. Advanced Compiler Design Implementation. Morgan Kaufmann.
[31]
Minh Ngoc Ngo and Hee Beng Kuan Tan. 2007. Detecting Large Number of Infeasible Paths Through Recognizing Their Patterns. In Proceedings of the the 6th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on The Foundations of Software Engineering (ESEC-FSE '07). 215--224.
[32]
Peter Norvig. Natural Language Corpus Data: Beautiful Data. http://norvig.com/ngrams/.
[33]
Damilola Orikogbo, Matthias Büchler, and Manuel Egele. 2016. CRiOS: Toward Large-Scale iOS Application Analysis. In Proceedings of the 6th Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM '16). 33--42.
[34]
Roberto Paleari, Lorenzo Martignoni, Giampaolo Fresi Roglia, and Danilo Bruschi. 2009. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators. In Proceedings of the 3rd USENIX Workshop on Offensive Technologies (WOOT '09).
[35]
Andre Pawlowski, Moritz Contag, and Thorsten Holz. 2016. Probfuscation: An Obfuscation Approach using Probabilistic Control Flows. In Detection of Intrusions and Malware, and Vulnerability Assessment. Springer, 165--185.
[36]
Siegfried Rasthofer, Steven Arzt, Marc Miltenberger, and Eric Bodden. 2016. Harvesting Runtime Values in Android Applications That Feature Anti-Analysis Techniques. In Proceedings of 23rd Network and Distributed System Security Symposium (NDSS '16).
[37]
Sebastian Schrittwieser, Stefan Katzenbeisser, Johannes Kinder, Georg Merzdovnik, and Edgar Weippl. 2016. Protecting Software Through Obfuscation: Can It Keep Pace with Progress in Code Analysis? ACM Comput. Surv. 49, 1 (2016), 4:1--4:37.
[38]
Toby Segaran and Jeff Hammerbacher. 2009. Beautiful data: the stories behind elegant data solutions. "O'Reilly Media, Inc.".
[39]
Haoyu Wang, Yao Guo, Ziang Ma, and Xiangqun Chen. 2015. WuKong: A Scalable and Accurate Two-phase Approach to Android App Clone Detection. In Proceedings of the 2015 International Symposium on Software Testing and Analysis (ISSTA '15). 71--82.
[40]
Pei Wang, Shuai Wang, Jiang Ming, Yufei Jiang, and Dinghao Wu. 2016. Translingual Obfuscation. In Proceedings of the 1st IEEE European Symposium on Security and Privacy (EuroS&P '16).
[41]
Song Wang, Devin Chollak, Dana Movshovitz-Attias, and Lin Tan. 2016. Bugram: Bug detection with n-gram language models. In Proceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering (ASE '16). 708--719.
[42]
Yan Wang, Shuai Wang, Pei Wang, and Dinghao Wu. 2017. Turing Obfuscation. In Proceedings of the 13th EAI International Conference on Security and Privacy in Communication Networks (SecureComm '17).
[43]
Dongpeng Xu, Jiang Ming, and Dinghao Wu. 2016. Generalized Dynamic Opaque Predicates: A New Control Flow Obfuscation Method. In Proceedings of the 19th Information Security Conference (ISC '16). 323--342.
[44]
Lei Xue, Xiapu Luo, Le Yu, Shuai Wang, and Dinghao Wu. 2017. Adaptive Unpacking of Android Apps. In Proceedings of the 39th International Conference on Software Engineering (ICSE '17). 358--369.
[45]
Babak Yadegari, Brian Johannesmeyer, Benjamin Whitely, and Saumya Debray. 2015. A Generic Approach to Automatic Deobfuscation of Executable Code. In Proceedings of the 36th IEEE Symposium on Security and Privacy (S&P '15).
[46]
Fangfang Zhang, Heqing Huang, Sencun Zhu, Dinghao Wu, and Peng Liu. 2014. ViewDroid: Towards Obfuscation-resilient Mobile Application Repackaging Detection. In Proceedings of the 2014 ACM Conference on Security and Privacy in Wireless & Mobile Networks (WiSec '14). 25--36.
[47]
Yajin Zhou and Xuxian Jiang. 2012. Dissecting Android Malware: Characterization and Evolution. In Proceedings of the 33rd IEEE Symposium on Security and Privacy (S&P '12). 95--109.

Published In

ICSE '18: Proceedings of the 40th International Conference on Software Engineering
May 2018
1307 pages
ISBN:9781450356381
DOI:10.1145/3180155
  • Conference Chair: Michel Chaudron
  • General Chair: Ivica Crnkovic
  • Program Chairs: Marsha Chechik, Mark Harman
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. empirical study
  2. mobile app
  3. obfuscation
  4. reverse engineering

Qualifiers

  • Research-article

Conference

ICSE '18
Acceptance Rates

Overall Acceptance Rate 276 of 1,856 submissions, 15%

Article Metrics

  • Downloads (last 12 months): 32
  • Downloads (last 6 weeks): 2
Reflects downloads up to 20 Feb 2025.

Cited By

  • (2025) Summary of ObfSec: Measuring the Security of Obfuscations from a Testing Perspective. Testing Software and Systems, 185-189. doi:10.1007/978-3-031-80889-0_13. Published 25 Jan 2025.
  • (2024) Evaluation Methodologies in Software Protection Research. ACM Computing Surveys. doi:10.1145/3702314. Published 2 Nov 2024.
  • (2024) Accurate and Efficient Code Matching Across Android Application Versions Against Obfuscation. 2024 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 204-215. doi:10.1109/SANER60148.2024.00028. Published 12 Mar 2024.
  • (2023) Lalaine. Proceedings of the 32nd USENIX Conference on Security Symposium, 1091-1108. doi:10.5555/3620237.3620299. Published 9 Aug 2023.
  • (2023) LibKit: Detecting Third-Party Libraries in iOS Apps. Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, 1407-1418. doi:10.1145/3611643.3616344. Published 30 Nov 2023.
  • (2023) Characterizing the Use of Code Obfuscation in Malicious and Benign Android Apps. Proceedings of the 18th International Conference on Availability, Reliability and Security, 1-12. doi:10.1145/3600160.3600194. Published 29 Aug 2023.
  • (2023) Obfuscation-Resilient Android Malware Analysis Based on Complementary Features. IEEE Transactions on Information Forensics and Security 18, 5056-5068. doi:10.1109/TIFS.2023.3302509. Published 1 Jan 2023.
  • (2022) SoK: Demystifying Binary Lifters Through the Lens of Downstream Applications. 2022 IEEE Symposium on Security and Privacy (SP), 1100-1119. doi:10.1109/SP46214.2022.9833799. Published May 2022.
  • (2022) ObfSec. Expert Systems with Applications: An International Journal 210:C. doi:10.1016/j.eswa.2022.118298. Published 30 Dec 2022.
  • (2021) Statically Detecting JavaScript Obfuscation and Minification Techniques in the Wild. 2021 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 569-580. doi:10.1109/DSN48987.2021.00065. Published Jun 2021.
