Repackage-Proofing Android Apps

Luo, Lannan; Fu, Yu; Wu, Dinghao; Zhu, Sencun; Liu, Peng

doi:10.1109/dsn.2016.56

Cited by 23 publications

(15 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…ViewDroid [23] applied a user interface-based birthmark, which is designed for user interaction intensive and event dominated programs, to detect smartphone application plagiarism. Luo et al [24] proposed a repackage-proofing method to protect Android apps.…”

Section: A Software Plagiarism Detectionmentioning

confidence: 99%

Deviation-Based Obfuscation-Resilient Program Equivalence Checking With Application to Software Plagiarism Detection

Jiang

Zhang

et al. 2016

IEEE Trans. Rel.

Self Cite

View full text Add to dashboard Cite

Software plagiarism, an act of illegally copying others' code, has become a serious concern for honest software companies and the open source community. Considerable research efforts have been dedicated to searching the evidence of software plagiarism. In this paper, we continue this line of research and propose LoPD, a deviation-based program equivalence checking approach, which is an ideal fit for the whole-program plagiarism detection. Instead of directly comparing the similarity between two programs, LoPD searches for any dissimilarity between two programs by finding an input that will cause these two programs to behave differently, either with different output states or with semantically different execution paths. As long as we can find one dissimilarity, the programs are semantically different; but if we cannot find any dissimilarity, it is more likely a plagiarism case. We leverage dynamic symbolic execution to capture the semantics of execution paths and to find path deviations. Compared to the existing detection approaches, LoPD's formal program semantics-based method is more resilient to automatic obfuscation schemes. Our evaluation results indicate that LoPD is effective in detecting whole-program plagiarism. Furthermore, we demonstrate that LoPD can be applied to partial software plagiarism detection as well. The encouraging experiment results show that LoPD is an appealing complement to existing software plagiarism detection approaches.Index Terms-Path deviation, program logic, semantical difference, software plagiarism, symbolic execution.

show abstract

Section: A Software Plagiarism Detectionmentioning

confidence: 99%

Deviation-Based Obfuscation-Resilient Program Equivalence Checking With Application to Software Plagiarism Detection

Jiang

Zhang

et al. 2016

IEEE Trans. Rel.

Self Cite

View full text Add to dashboard Cite

show abstract

“…Therefore the guarded code cannot be decrypted and executed. Inserting checks in legitimate apps is promising for protecting Android apps from malware developers and has well been studied in the literature [42].…”

Section: Related Workmentioning

confidence: 99%

On The (In)Effectiveness of Static Logic Bomb Detection for Android Apps

Samhi

Bartel

2022

IEEE Trans. Dependable and Secure Comput.

View full text Add to dashboard Cite

Android is present in more than 85% of mobile devices, making it a prime target for malware. Malicious code is becoming increasingly sophisticated and relies on logic bombs to hide itself from dynamic analysis. In this paper, we perform a large scale study of TSOPEN, our open-source implementation of the state-of-the-art static logic bomb scanner TRIGGERSCOPE, on more than 500k Android applications. Results indicate that the approach scales. Moreover, we investigate the discrepancies and show that the approach can reach a very low false-positive rate, 0.3%, but at a particular cost, e.g., removing 90% of sensitive methods. Therefore, it might not be realistic to rely on such an approach to automatically detect all logic bombs in large datasets. However, it could be used to speed up the location of malicious code, for instance, while reverse engineering applications. We also present TRIGDB a database of 68 Android applications containing trigger-based behavior as a ground-truth to the research community.

show abstract

“…We test QEMU as it is one of the state-of-the-art emulators, which is well maintained and used by many industry tools (e.g., Android Studio) and academic prototypes [14,18,44,9,40,10,12,21,11,16,31]. However, EXAMINER can also be used to test the other emulators.…”

Section: Other Emulators and Architecturesmentioning

confidence: 99%

“…Nevertheless, software emulation complements the hardware-based tracing and provides rich functionalities that dynamic analysis systems can build upon. Indeed, many dynamic analysis frameworks [14,18,44,9,40,10,12,21,11,16,31,26,22] are built based on the state-of-the-art CPU emulator, i.e., QEMU, to conduct malware analysis, live-patching, crash analysis and etc. Meanwhile, many fuzzing tools utilize CPU emulators to fuzz binaries, e.g., the QEMU mode of AFL [2], FirmAFL [45], P2IM [15], HALucinator [13] and TriforceAFL [7].…”

Section: Introductionmentioning

confidence: 99%

Automatically Locating ARM Instructions Deviation between Real Devices and CPU Emulators

Jiang,

Xu,

Zhou

et al. 2021

Preprint

View full text Add to dashboard Cite

Emulator is widely used to build dynamic analysis frameworks due to its fine-grained tracing capability, full system monitoring functionality, and scalability of running on different operating systems and architectures. However, whether the emulator is consistent with real devices is unknown. To understand this problem, we aim to automatically locate inconsistent instructions, which behave differently between emulators and real devices. We target ARM architecture, which provides machine readable specification. Based on the specification, we propose a test case generator by designing and implementing the first symbolic execution engine for ARM architecture specification language (ASL). We generate 2,774,649 representative instruction streams and conduct differential testing with these instruction streams between four ARM real devices in different architecture versions (i.e., ARMv5, ARMv6, ARMv7-a, and ARMv8-a) and the state-of-the-art emulators (i.e., QEMU). We locate 155,642 inconsistent instruction streams, which cover 30% of all instruction encodings and 47.8% of the instructions. We find undefined implementation in ARM manual and implementation bugs of QEMU are the major causes of inconsistencies. Furthermore, we discover four QEMU bugs, which are confirmed and patched by the developers, covering 13 instruction encodings including the most commonly used ones (e.g., STR, BLX). With the inconsistent instructions, we build three security applications and demonstrate the capability of these instructions on detecting emulators, anti-emulation, and anti-fuzzing.

show abstract

Repackage-Proofing Android Apps

Cited by 23 publications

References 32 publications

Deviation-Based Obfuscation-Resilient Program Equivalence Checking With Application to Software Plagiarism Detection

Deviation-Based Obfuscation-Resilient Program Equivalence Checking With Application to Software Plagiarism Detection

On The (In)Effectiveness of Static Logic Bomb Detection for Android Apps

Automatically Locating ARM Instructions Deviation between Real Devices and CPU Emulators

Contact Info

Product

Resources

About