Application of Obfuscation Techniques on Android Applications
By Ammar Bagasrawala, Hanzhi Wang, Jordan Wong, Jun Hao Xu, and Kevin Yu

Background
- Mobile devices are widely used in everyday life
- Applications for these devices can be distributed through their respective app stores
- Apps which aren’t properly protected and secured can be a target of reverse engineering
- Reverse engineering refers to obtaining the source code
- Obfuscation is a technique which helps overcome this problem

Our Application
- The Android application we developed is a Bus Tracker
- Used the Auckland Transport API
- Several functions
  - Search for a specific bus stop
  - Favourite a bus stop
  - Search for nearby stops
- Permissions
  - ACCESS_FINE_LOCATION
  - ACCESS_COARSE_LOCATION

Obfuscation Terms
- Control Flow Obfuscation
  - Changing the control flow of the system so that it performs the required functionality but in an illogical manner. E.g. opaque predicates
- Data Obfuscation
  - Obscuring the data in the program through techniques such as encryption and variable splitting
- Layout Obfuscation
  - Modifying layout of the program, making code less intuitive. E.g. renaming variables and classes
- Design Obfuscation
  - Obscuring the design of the system. E.g. splitting classes

Our Obfuscation
- Created an automated obfuscator
- Used Data Obfuscation
- Used Control Flow Obfuscation
- Used Layout Obfuscation

Data Obfuscation
- Masked each literal (String, int, double, long) by XORing with key
- Key generated from random number generator with seed
- Examples (original statement, then its obfuscated form):

    string = "hello world";
    string = lmao(new int[] { 193, 204, 197, 197, 198, 137, 222, 198, 219, 197, 205 }, z);

    int k = 5*9;
    int k = (172 ^ z) * (160 ^ z);

    double l = 7.56d;
    double l = (Double.longBitsToDouble(Double.doubleToRawLongBits(2.4133151069369105E-306) ^ Double.doubleToRawLongBits((double) z)));

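The masking on this slide, worked through with the slide's own values as an added example (not the authors' obfuscator code). The body of lmao is an assumption, since the slide shows only its call, and the class name XorLiteralDemo and the helpers mask and unmaskDouble are hypothetical. It also shows why a single XOR key offers little protection: one known plaintext character is enough to derive z.

```java
import java.util.Arrays;

public class XorLiteralDemo {
    // Assumed body for the slide's lmao(int[], int) decoder:
    // XOR every masked element with the key to get the character back.
    static String lmao(int[] masked, int z) {
        StringBuilder sb = new StringBuilder(masked.length);
        for (int m : masked) sb.append((char) (m ^ z));
        return sb.toString();
    }

    // Hypothetical build-time counterpart: mask a string literal with the key.
    static int[] mask(String literal, int z) {
        return literal.chars().map(c -> c ^ z).toArray();
    }

    // Doubles are masked on their raw 64-bit pattern, XORed with the
    // bit pattern of the key converted to double (as in the slide's example).
    static double unmaskDouble(double masked, int z) {
        return Double.longBitsToDouble(
                Double.doubleToRawLongBits(masked) ^ Double.doubleToRawLongBits((double) z));
    }

    public static void main(String[] args) {
        // Masked literal copied from the slide.
        int[] maskedHello = {193, 204, 197, 197, 198, 137, 222, 198, 219, 197, 205};

        // Known-plaintext weakness: masked value XOR known character yields the key.
        int z = maskedHello[0] ^ 'h';
        System.out.println("recovered key z = " + z);

        // With the key, every literal on the slide decodes directly.
        System.out.println("string: " + lmao(maskedHello, z));
        System.out.println("int k:  " + ((172 ^ z) * (160 ^ z)));
        System.out.println("double: " + unmaskDouble(2.4133151069369105E-306, z));

        // Round trip: re-masking the plaintext reproduces the slide's array.
        System.out.println("round trip matches: "
                + Arrays.equals(mask("hello world", z), maskedHello));
    }
}
```
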
Control Flow Obfuscation
- Method bodies replaced with call to ‘execute’ method, containing a large switch statement
- Each statement is translated to an ‘instruction’ character
- Execute method takes a string of instruction characters
- Instructions are pushed on to a stack, then popped off one by one and given to switch statement to run the corresponding statements
- For if-else, try-catch, while, and for constructs, elements on the instruction stack are manipulated according to the condition

Evaluation
- Strength of our obfuscation
  - Performance Overhead
  - Storage
  - Increased complexity of CFG
- Performance Overhead
  - Method unobfuscated 10000 times: 6.265 ms
  - Method obfuscated 10000 times: 614.564 ms
  - 98x slower
- Storage
  - Unobfuscated: 1014Kb
  - Obfuscated: 1025Kb
  - 1.08% increase in size

Deobfuscation Tools
- DeGuard
  - Infers variable names
  - Doesn’t decompile all files
- FernFlower
  - Decompiles all files
  - No deobfuscation performed

Data Deobfuscation
- Application includes a ‘decode’ method
- Identify the string or resource to decode, and the decode method, e.g. this.a.a is the decode method
- Attach debugger to running process
- Set breakpoint at method entry point
- When breakpoint is hit, use immediate window to evaluate the result of the decode method call
- Didn’t need to fully analyse data obfuscation logic

Control Flow Deobfuscation
- Rebuild project
  - Used breakpoints
- Static manual analysis
  - Noticed a lot of redundant methods
- Pseudo rebuilding
  - Copy only the obfuscated parts into an IDE
  - Fix the code to make it compilable and run it to see the order of execution for the statements

Resource Values
- Made script to invert mapping
- Mappings are stored in public.xml

Limitations
- Duplicate variable names
- Static variables
- Recursion
- Switch
- Exceptions
- Anonymous Inner Classes
- XORing is not very effective

Extensions
- Fix limitations
- Improve data obfuscation
- Improve performance

Debugging & Updating Application
- Debugging
  - Obfuscated application is quite difficult to step through and debug
  - We propose a new obfuscator which creates a commented version of the app
  - These comments indicate the original line number of each statement
- Updating the Application
  - Currently the obfuscator needs to be manually run
  - Use of Gradle can streamline the process
  - Allows for the obfuscator to be automatically run

Obfuscation Techniques per Team
Group | Control Flow | Data | Layout | Design
G1, G2, G3, G4, G5, G6, G7, G8, G9, G11, G12, G13

Questions?