UoABuddyApp

Project Profile Project Title UoABuddyApp Group & Members Group-12 Haroon Mohan Sadiq Shamili Suzzie Zeeshan Front-End Android Studio Back-End Azure API + SQL Database Language Java, C# Department Computer Science University University of Auckland

Intro Scope UoABuddyApp is a mentor-student pairing application Students can register as volunteers & newbies Volunteers can assist new joinees Scope New students find difficult to adapt to the new environment, a resolution for this subject is UoABuddyApp UoABuddyApp is an application for helping the new students in their knowhow of the university with the guidance of senior students of the university

Interface

Interface(cont.)

Interface(cont.)

Obfuscation techniques Overall obfuscation procedure consists of 4 obfuscation techniques String-image obfuscation Control flow Block insertions Pro-guard obfuscation Smali assembly-level obfuscation Incorporate both data and control flow obfuscation procedures

String-Image obfuscation Data & Control flow obfuscation technique Pre-compilation obfuscation technique Similar to Steganography Embed string data (ASCII) onto an image Reconstruct strings from image at runtime A manual & automatic (via scripts) obfuscation Pre-compilation obfuscation technique – which implies that the technique must be incorporated on top of the existing app source code Example of steganography-as-obfuscation since we are hiding information in plain sight (as an image) within the application resources First embed strings onto an image by writing each characters’ ASCII value on each pixel of the image (in column order) Once we have written all the string data to the image, we then reconstruct the strings at run-time by extracting the characters’ ASCII value from the pixels of the image We only obfuscated the API endpoints to the backend which the UOABuddyApp connects to also preference keys under which data is stored

String-Image obfuscation First we store the sensitive strings line-by-line into the “input.txt” file The user then runs the “generate_image.py” python script, this script reads the strings within input text file and generates an image (which incorporates the string data) The generated image is then moved to the applications resource folder You extract the string data from the image at runtime, we have provided a method which can do this The method returns the list of ordered strings which the user had written to the input text file The indexes of the list are then assigned to the variables – therefore hiding the values of sensitive strings

Control Flow Block (CFB) Insertion Control Flow obfuscation Pre-compilation obfuscation technique Randomized Insertion of if-else and try-catch blocks If statements always compute to false via opaque predicates Original program logic is wrapped within these blocks Automated technique Also a pre-compilation technique which is applied to the application source code before the APK is built Control flow obfuscation in which we insert “if-statements” and “try-catch” blocks that change the flow of original application The inserted control flow blocks (CBFs) always compute to a false condition via the use of false opaque predicates Original logic remains the same since its wrapped within these statements Control Flow blocks inserted within the opening and closing braces of methods and statements We automate the insertion by using a script which locates the 2nd opening brace within a file and from then on, inserts a CFB after each consecutive opening braces It may be easy for reverse-engineer to identify patterns in the placements of CFBs To make this difficult, the obfuscation technique is implemented such that each CFB is inserted in random order every time the script is run on a java file This means that if you run the script on 2 identical java files, the respective outputs of those files will be different

Control Flow Block (CFB) - Implementation Compile false_condition.java Run script with files as input parameters * Backup your files

Proguard Obfuscation Basic obfuscation technique available within Android Studio Also a code/application optimizer Limited support for 3rd party libraries Basic obfuscation technique which is commonly used to obfuscate android apps since it is available for use within the Android Studio IDE We did not develop this – only utilize this within our app Only need to switch a variable to true – to use this Proguard also optimizes the source code of the app, which in turn significantly reduces the app size by removing redundant code If an application uses third-party libraries, then Proguard will have issues obfuscating (and optimizing) them, thus the developer may be required to create rules This can be done by modifying the “proguard-rules.pro file”

Smali assembly level obfuscation Smali assembly level modification Post compilation obfuscation technique The final control flow obfuscation technique which we used to obfuscate our application is modification at the “Smali” level Post- compilation obfuscation technique; therefore, it can be applied onto ALL applications after they have been compiled to an APK In this technique we decompile an APK into lower level Smali files using APKTool[9], then we modify these Smali files and recompile them into the APK By decompiling to Smali, the vital App information is still retained – as opposed to decompiling to java files from which this information is lost

Smali modification - implementation We decompiled the APK into the corresponding Smali files by using APKTool, we then modified the Smali files by inserting “goto” statements at the start and before the end of each method The goto statement at the start of each method were directed to the goto statement at the end of the method, this goto statement then re-directed the control flow back to the top of the method which disrupted the normal control flow of the program We produced a script which automates this procedure The goto’s require a label to jump to (as shown in Fig-5), they could potentially be anything but they cannot be reused We randomly generated a number and appended it to a string to generate the unique labels We then signed the recompiled APK to prevent invalid certificate errors

Smali modification - implementation (2)

Evaluation Obfuscating the code has its impact on the performance of the app. In data obfuscation, changing the names of the variables does not make a huge difference in the performance. Inserting new pieces of code in control flow obfuscation results in the change in performance. The obfuscated code should not only be hard to reverse engineer, but should not disrupt the performance of the app by much.

String-to-image overhead Uses both data and control flow techniques. Calculated the size of the APK before and after this obfuscation technique. Original logic overhead: 100,000 – 300,000 nanoseconds Execution time overhead: 1,000,000 – 3,000,000 nanoseconds Space/storage overhead: +1000 bytes Significant execution time overhead and space/storage overhead when using this obfuscation technique due to data extraction and conversion.

Control-Flow-Block insertion overhead Redundant codes which always execute to false were inserted. Variations in run time were due to computational intensity of the try-catch blocks. No change in execution times and neither was there a space overhead.

Proguard overhead Data and control flow technique that adds least overhead. No changes in run time was observed Minimizes code by removing all the recourses that are not used. App size before Proguard: 2.38 MB App size after Proguard: 1.58 MB

Smali assembly level obfuscation overhead Altering the control flow by inserting goto statements. Addition of few smali instructions would not have noticeable impact. No changes in execution time but increase in the app size. App size after Smali modification and recompilation: 1.63 MB Not because of the technique, because of recompilation.

Limitations Consider How usable the techniques are for app development? How easy/difficult to reverse engineering the obfuscated app? Address potential improvements for each obfuscation techniques

String-To-Image Obfuscation This technique is not straightforward Usability Require manual alterations to the source-code Effort vs protection provided Lack protection on the strings Improvement Additional encryption and encoding on the strings

Control-Flow-Block (CFB) Insertion Lacking randomization with opaque predicates Usability Decrease code-readability Ineffective and prevent compilation in some cases Improvement Fair degree of wrapping within various statement blocks Insert commented-labels or pointer Detect presence of enum

Proguard Usability Improvement Limited support of 3rd party libraries Customise Proguard rules Unable to obfuscate serialization strings Improvement Reduce usage of 3rd party libraries

Smali assembly level obfuscation Usability Basic function wrapping at lower level Improvement Incorporate Smali logic of our CFB insertion Automate packed-switch approach

Overall Obfuscation Limitation Our project focused primary on static analysis Hacker can utilise dynamic analysis technique Attach debuggers Improve against both static and dynamic analysis

Reverse Engineering •Dex2jar •JD-GUI •DeGuard •Java decompiler Dex2jar to decompile the APK. •JD-GUI To view the decompiled apk files. •DeGuard Reverses the process of obfuscation performed by android obfuscation tools. •Java decompiler Performs similar task as Dex2jar

if (Math.random() * 20.0D > 10.0D) {} Examples •String Obfuscation: •Control flow Obfuscation: if (Math.random() * 20.0D > 10.0D) {} int i = 0; while (i != -1)

Examples(Cont.) •Data obfuscation: Public List<c0624d> m3020a(){ Return (List) m3018a(m3019a(new int[]{15711}, this.f1930a));} •Most of the teams listed in the table have used ProGuard tool for class, methods, variable name obfuscation.

Group 1 Dice •String encryption •Control flow(Opaque predicate). Group 2 MySecret secrets •Data Obfuscation Group 4 CryptoMe •String Encryption. •Control Flow (Opaque predicate). •Layout Obfuscation •Proguard Obfuscation Group 5 There and Back again •String Encryption •Proguard obfuscation Group 6 Calories Calculator Group 7 Calorie Counter Group 8 Cash me •Opaque predicate.

Group 8 Cash me •Opaque predicate. •Proguard obfuscation. Group 9 Digi Receipt •String encryption •Methods names are encrypted( ProGuard). Group 10 Bus Tracker •Method names are encrypted(ProGuard) Group 11 Password Diary •Control flow (Opaque Predicate) •Data flow(Opaque predicate) Group 13 Drink Up •String Encryption •Method names are encrypted(ProGuard).