Android App Birthmarking Technique Resilient to Code Obfuscation

  • Kim, Dongjin (Dankook University Department of Computer Science)
  • Cho, Seong-Je (Dankook University Department of Computer Science & Engineering)
  • Chung, Youngki (Dankook University Department of Computer Science)
  • Woo, Jinwoon (Dankook University Department of Computer Science & Engineering)
  • Ko, Jeonguk (Hancom Inc.)
  • Yang, Soo-Mi (University of Suwon Department of Information Secrecy)
  • Received : 2015.03.23
  • Accepted : 2015.04.13
  • Published : 2015.04.30

Abstract

A software birthmark is a set of characteristics of a program that can be used to identify the program. Many researchers have studied detecting theft of Java programs using birthmarks. For Android apps, code obfuscation techniques are used to protect the apps against reverse engineering and tampering. However, attackers can also use obfuscation techniques to conceal a stolen program. A birthmark (feature) of an app can be altered by code obfuscation. Therefore, Android app theft needs to be detected with a birthmark that is resilient to code obfuscation. In this paper, we propose an effective Android app birthmark and an app theft detection technique based on it. By analyzing some obfuscation tools, we first selected the parameter and return types of methods as an adequate birthmark. We then measured the similarity of target apps using the birthmarks extracted from them, where some target apps are not obfuscated and the others are obfuscated. The measurement results show that the proposed birthmark is effective for detecting Android app theft even when the apps are obfuscated.
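The idea in the abstract, as an added sketch that is not the authors' implementation: a birthmark built only from method parameter and return types is compared across an app and a copy whose identifiers were renamed. The Dalvik-style method references are constructed samples, and the multiset Jaccard metric, the platform prefix list and the masking of app-defined class names are assumptions of this example.

```python
import re
from collections import Counter

# Assumption: types under these prefixes are platform classes that keep their names.
PLATFORM_PREFIXES = ("Ljava/", "Ljavax/", "Landroid/", "Ldalvik/")
TYPE_RE = re.compile(r"\[*(?:[ZBSCIJFDV]|L[^;]+;)")    # one Dalvik type descriptor
METHOD_RE = re.compile(r"->[^(]+\(([^)]*)\)(.+)$")     # ->name(params)return

def normalize(t):
    """Keep primitives and platform classes; mask app-defined class names."""
    dims = len(t) - len(t.lstrip("["))
    base = t[dims:]
    if base.startswith("L") and not base.startswith(PLATFORM_PREFIXES):
        base = "L?;"  # renaming obfuscation changes these, so they carry no signal
    return "[" * dims + base

def birthmark(method_refs):
    """Multiset of (parameter types, return type); class and method names are dropped."""
    marks = Counter()
    for ref in method_refs:
        m = METHOD_RE.search(ref)
        if not m:
            continue  # not a method reference
        params = tuple(normalize(t) for t in TYPE_RE.findall(m.group(1)))
        marks[(params, normalize(m.group(2)))] += 1
    return marks

def similarity(a, b):
    """Multiset Jaccard: shared signatures divided by all signatures."""
    union = sum((a | b).values())
    return sum((a & b).values()) / union if union else 0.0

# Constructed samples: an app, the same app after identifier renaming, another app.
ORIGINAL = [
    "Lcom/shop/Cart;->addItem(Ljava/lang/String;I)Z",
    "Lcom/shop/Cart;->total()D",
    "Lcom/shop/Cart;->find(Ljava/lang/String;)Lcom/shop/Item;",
    "Lcom/shop/Net;->post([BLjava/lang/String;)I",
]
RENAMED = [
    "La/a;->a(Ljava/lang/String;I)Z",
    "La/a;->b()D",
    "La/a;->c(Ljava/lang/String;)La/b;",
    "La/c;->a([BLjava/lang/String;)I",
]
UNRELATED = [
    "Lorg/game/Board;->move(II)V",
    "Lorg/game/Board;->ratio()D",
    "Lorg/game/Board;->load(Ljava/lang/String;)Z",
]

if __name__ == "__main__":
    print(similarity(birthmark(ORIGINAL), birthmark(RENAMED)))
    print(similarity(birthmark(ORIGINAL), birthmark(UNRELATED)))
```

A name-based comparison of `ORIGINAL` and `RENAMED` would find nothing in common, while the type-only birthmark is unchanged by the renaming.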
