Abstract
App repackaging has been raising serious concerns about the health of the Android ecosystem, and repackage-proofing is an important mitigation against threat of such attacks. However, existing app repackage-proofing schemes were only evaluated against trivial adversaries simulated using analyzers for other purposes (e.g., disclosing privacy leakage vulnerabilities), hence were shown “effective” mainly because their key programming features were not even supported by those toolkits. Furthermore, existing works have also neglected dynamic adversaries capable of manipulating victim apps at runtime, making them vulnerable against such stronger opponents. In this article, we propose a novel repackage-proofing framework, which deploys distributed detection and response sites into the subject app's native partition to cross-verify all its code files. The detection sites transmit obtained integrity metrics to response sites via secure communication channels built on the subject app's own control flows using a specialized obfuscation technique based on Collatz conjecture, turning the repackage-proofing process into complicated implicit flows that are intrinsically difficult to be resolved due to the conjecture's nonlinear dynamical behaviors. We evaluated our framework using sophisticated Android data-flow analyzers. Results showed that our prototype effectively impeded analyses aiming to trace the information flows of its cross-verification.
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
More From: IEEE Transactions on Dependable and Secure Computing
Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.