Glanz, Leonid (2020)
Automatic Identification and Recovery of Obfuscated Android Apps.
Technische Universität Darmstadt
doi: 10.25534/tuprints-00014647
Ph.D. Thesis, Primary publication, Publisher's Version
|
Text
Thesis_Leonid_Glanz.pdf Copyright Information: CC BY-SA 4.0 International - Creative Commons, Attribution ShareAlike. Download (4MB) | Preview |
Item Type: | Ph.D. Thesis | ||||
---|---|---|---|---|---|
Type of entry: | Primary publication | ||||
Title: | Automatic Identification and Recovery of Obfuscated Android Apps | ||||
Language: | English | ||||
Referees: | Mezini, Prof. Dr. Mira ; Rashid, Prof. Dr. Awais | ||||
Date: | 2020 | ||||
Place of Publication: | Darmstadt | ||||
Collation: | 242 Seiten | ||||
Date of oral examination: | 25 November 2020 | ||||
DOI: | 10.25534/tuprints-00014647 | ||||
Abstract: | Every day, developers add new applications (apps) to the Google Play Store, which ease users' lives and entertain them. The rapid development of these apps is only possible through the provision of software libraries whose functionality can be directly integrated into an app without creating it from scratch. For instance, some libraries provide extended possibilities for displaying content or additional support for specific networking capabilities. All these libraries are bundled with the main application code into one binary to avoid delays due to the loading of external functionality. The wide distribution of Android apps and the high turnover in this market attracts criminal actors (attackers). These attackers decompile the apps, integrate additional ad libraries or malware, and republish them. Through this approach, they use the apps’ popularity to trick users into downloading their repackaged apps. To prevent such malicious practices, developers and producers of libraries have begun to obfuscate their apps to make the decompilation process more challenging. However, the obfuscation of apps is not only done by developers but also by attackers to make the detection of copyright infringement harder or hide their malicious intent. While analysts try to protect the developers’ copyright and the privacy and security of app users, code obfuscation hinders them from identifying libraries and repackaged apps, detecting obfuscated names and strings, and recovering them. The obfuscated code might contain not only malware but also vulnerabilities or unauthorized access to private data. This dissertation introduces different approaches that support the analyses mentioned above using static analysis, dynamic analysis, and machine learning. Since the obfuscation of repackaged apps makes it difficult to distinguish between library and app code, we present approaches for library detection, separation of app code, and mapping of library code. We evaluated the effectiveness of these approaches under the influence of different obfuscation techniques. Furthermore, we present our approach for identifying repackaged apps that uses our library identification to measure the similarity between repackaged and original apps without the influence of library code, which would distort the measurement. Further contributions support the recovery of names from obfuscated entities in library code. Finally, we presented an approach for identifying and recovering obfuscated strings that supports data-flow analyses. Using our approaches, we outperformed all state-of-the-art competitors. Furthermore, we analyzed in total over 100,000 apps for obfuscated names, obfuscated libraries, obfuscated strings, and repackaged apps. |
||||
Alternative Abstract: |
|
||||
Status: | Publisher's Version | ||||
URN: | urn:nbn:de:tuda-tuprints-146479 | ||||
Classification DDC: | 000 Generalities, computers, information > 004 Computer science | ||||
Divisions: | 20 Department of Computer Science > Software Technology | ||||
TU-Projects: | Bund/BMBF|16BY1206E|ACCEPT Bund/BMBF|01IS12054|Software Campus VDI|16KIS0594K|CRISP-SAL2 TP1a Bund/BMBF|16KIS0894K|CRISP-SAL4 |
||||
Date Deposited: | 21 Dec 2020 09:01 | ||||
Last Modified: | 22 Dec 2020 10:21 | ||||
URI: | https://tuprints.ulb.tu-darmstadt.de/id/eprint/14647 | ||||
PPN: | 474417476 | ||||
Export: |
View Item |