Scribd
Upload
87 views24 pages

Android App Protection

Daniel Xiapu Luo presented techniques for protecting Android apps from attackers. He discussed how attackers can repackage apps to add malware or ads. To prevent this, apps can use obfuscation, dynamic class loading, reflection, and modifying dex files to hide code and logic from reverse engineering. However, tools like DexHunter can still extract hidden dex files by leveraging how Android runs apps. Luo suggested not putting secrets in apps, using strong obfuscation, implementing core logic in native code, and detecting repackaged apps on markets. He also thanked collaborators for research tools like DexHunter and ResDroid for app repackaging detection.

Uploaded by

Ignacio Mods
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
87 views24 pages

Android App Protection

Daniel Xiapu Luo presented techniques for protecting Android apps from attackers. He discussed how attackers can repackage apps to add malware or ads. To prevent this, apps can use obfuscation, dynamic class loading, reflection, and modifying dex files to hide code and logic from reverse engineering. However, tools like DexHunter can still extract hidden dex files by leveraging how Android runs apps. Luo suggested not putting secrets in apps, using strong obfuscation, implementing core logic in native code, and detecting repackaged apps on markets. He also thanked collaborators for research tools like DexHunter and ResDroid for app repackaging detection.

Uploaded by

Ignacio Mods
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 24

Android App Protection

Daniel Xiapu Luo


[email protected]
Department of Computing
The Hong Kong Polytechnic University

1
How an attacker turn your app into a
malware?

Repackaged
Apps

Source:
businessinsider.com 2
Secure, no ads

Save $6.99, but get ads


3
Source: Trend Micro
Percentage of top 10 apps in each category which have repacked
version:
•100% of the apps of Widgets, Media & Video, etc.
•90% of the apps of Business, Music & Audio, etc.
•… 4
What if your mobile app is reverse-
engineered by others?
 Core business logic and major algorithms
could be learnt by your competitors.

 Credentials in apps.

5
6
Outline
 Catch Me If You Can
 You Can Run But You Cannot Hide
 Suggestions

7
Catch Me If You Can
 Goal
◦ Raise the bar for attackers
 Hide the code

 Make the code hard to be


understood.

m4k3 7h3 (0d3 h4rd 70 83 und3r5700d

8
Android App Protection
 Techniques used by packers
 Obfuscation
 Dynamic class loading
 Java reflection
 Dex file modification
 Native code Hide the code
 Emulator detection
 Anti-debug
 …

9
Obfuscation
 Transform the code to make it difficult to
understand or change while keeping its
functionalities.
 Renaming identifier
 Equivalent expression
 Encrypting data
 Splitting and merging functions
 Complicating control flow
Inserting bogus codes
ProGuard

 …

10
Dynamic class loading
 A feature supported by Java
 Implement the core business logic in a
separated class.

 The class can be located in the server or


released from a native library.

 Load the class into the runtime when the class


is used.
11
Java reflection
 A feature supported by Java

 An app can use it to


 Inspect classes, interfaces, fields and methods at
runtime without knowing their names,

 Instantiate new objects dynamically,

 Invoke methods dynamically,

 …
12
Dex file modification
 Hide the method.

 Bad code to make reverse-engineering tools crash.


 Opcodes
 AXML
 Resource files
 …

13
Source: Hu et al.
Native code
 App can invoke native code through Java
native interface (JNI).

 Native code can modify the dex file in the


memory.

Source: A. Blaich
14
Emulator detection
 The adversary can observe how an app
executes by running it in an emulator (e.g.,
Qemu).

 Emulator is a software that usually has fixed


configuration. So it is different from a real
smartphone.
 Device ID
 000000000000000
 …

15
Outline
 Catch Me If You Can
 You Can Run But You Cannot Hide
 Suggestions

16
You Can Run But You Cannot Hide
 Can we extract the dex file from a packed app?
 Yes!

 DexHunter
 Yueqian Zhang, Xiapu Luo, and Haoyang Yin, DexHunter: Toward Extracting
Hidden Code from Packed Android Applications, Proceedings of the 20th
European Symposium on Research in Computer Security (ESORICS), Vienna,
Austria, Sept. 2015.

 Paper: http://www4.comp.polyu.edu.hk/~csxluo/DexHunter.pdf

 Source code and demo: https://github.com/zyq8709/DexHunter

 Key insight
 Dex file will be loaded and run by Android runtime, including
Dalvik virtual machine (DVM) and the new Android Runtime
(ART), which controls everything.

17
Products under Investigation
360 http://jiagu.360.cn/

Ali http://jaq.alibaba.com/

Baidu http://apkprotect.baidu.com/

Bangcle http://www.bangcle.com/

Tencent http://jiagu.qcloud.com/

ijiami http://www.ijiami.cn/

18
Summary
 Anti-debugging
 Anti-ptrace, Anti-JWDP ….
 But they cannot detect DexHunter.
 Encrypt and hide dex code
 Dynamically modify dex code
 Modify validate values in dex after using them
 Hook functions to prevent dumping
 …
 But DexHunter can still recover the hidden
dex code.
19
Outline
 Catch Me If You Can
 You Can Run But You Cannot Hide
 Suggestions

20
Suggestions
 Do not assume that your app cannot be reverse-
engineered by others.

 Do not put secrete into your app.

 Protect your apps using various techniques


 Strong obfuscation algorithms
 Implement core business logics into native code and
then pack the native code
 Server side verification
 Customized hardening services
 …
21
Suggestions
 Detect repackaged apps from markets
 Simple approach
 Finding apps with similar descriptions, etc.

 Advanced approach
 Detect repackaged apps by comparing their codes.
 It may be affected by the app hardening techniques.

 Detect repackaged apps by comparing their


resources.

22
ResDroid
 A scalable approach to detect repackaged apps by
leveraging resource features (e.g., GUI, etc.) instead
of code.
 Use statistical features for the coarse-grained processing
 Use structural features for the fine-grained processing

23
http://www4.comp.polyu.edu.hk/~csxluo/ResDroid.pdf
Thanks my group members and collaborators for contributing to this research:
Yueqian Zhang,Wenjun Hu,Yuru Shao,Haoyang Yin,Xiaobo Ma,Xian Zhan
DexHunter
Paper: http://www4.comp.polyu.edu.hk/~csxluo/DexHunter.pdf
Source code and demo : https://github.com/zyq8709/DexHunter
ResDroid
Paper: http://www4.comp.polyu.edu.hk/~csxluo/ResDroid.pdf
Our other tools and papers on Android security:
http://www4.comp.polyu.edu.hk/~csxluo
24

You might also like