A framework for evaluating mobile app repackaging detection algorithms

Heqing Huang; Sencun Zhu; Peng Liu; Dinghao Wu

doi:10.1007/978-3-642-38908-5_13

A framework for evaluating mobile app repackaging detection algorithms

Heqing Huang, Sencun Zhu, Peng Liu, Dinghao Wu

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

60 Scopus citations

Abstract

Because it is not hard to reverse engineer the Dalvik bytecode used in the Dalvik virtual machine, Android application repackaging has become a serious problem. With repackaging, a plagiarist can simply steal others' code violating the intellectual property of the developers. More seriously, after repackaging, popular apps can become the carriers of malware, adware or spy-ware for wide spreading. To maintain a healthy app market, several detection algorithms have been proposed recently, which can catch some types of repackaged apps in various markets efficiently. However, they are generally lack of valid analysis on their effectiveness. After analyzing these approaches, we find simple obfuscation techniques can potentially cause false negatives, because they change the main characteristics or features of the apps that are used for similarity detections. In practice, more sophisticated obfuscation techniques can be adopted (or have already been performed) in the context of mobile apps. We envision this obfuscation based repackaging will become a phenomenon due to the arms race between repackaging and its detection. To this end, we propose a framework to evaluate the obfuscation resilience of repackaging detection algorithms comprehensively. Our evaluation framework is able to perform a set of obfuscation algorithms in various forms on the Dalvik bytecode. Our results provide insights to help gauge both broadness and depth of algorithms' obfuscation resilience. We applied our framework to conduct a comprehensive case study on AndroGuard, an Android repackaging detector proposed in Black-hat 2011. Our experimental results have demonstrated the effectiveness and stability of our framework.

Original language	English (US)
Title of host publication	Trust and Trustworthy Computing - 6th International Conference, TRUST 2013, Proceedings
Pages	169-186
Number of pages	18
DOIs	https://doi.org/10.1007/978-3-642-38908-5_13
State	Published - 2013
Event	6th International Conference on Trust and Trustworthy Computing, TRUST 2013 - London, United Kingdom Duration: Jun 17 2013 → Jun 19 2013

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	7904 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Other

Other	6th International Conference on Trust and Trustworthy Computing, TRUST 2013
Country/Territory	United Kingdom
City	London
Period	6/17/13 → 6/19/13

All Science Journal Classification (ASJC) codes

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/978-3-642-38908-5_13

Cite this

Huang, H., Zhu, S., Liu, P., & Wu, D. (2013). A framework for evaluating mobile app repackaging detection algorithms. In Trust and Trustworthy Computing - 6th International Conference, TRUST 2013, Proceedings (pp. 169-186). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 7904 LNCS). https://doi.org/10.1007/978-3-642-38908-5_13

@inproceedings{d5abddb1ec5a4bc8b4154036fa2036dc,

title = "A framework for evaluating mobile app repackaging detection algorithms",

abstract = "Because it is not hard to reverse engineer the Dalvik bytecode used in the Dalvik virtual machine, Android application repackaging has become a serious problem. With repackaging, a plagiarist can simply steal others' code violating the intellectual property of the developers. More seriously, after repackaging, popular apps can become the carriers of malware, adware or spy-ware for wide spreading. To maintain a healthy app market, several detection algorithms have been proposed recently, which can catch some types of repackaged apps in various markets efficiently. However, they are generally lack of valid analysis on their effectiveness. After analyzing these approaches, we find simple obfuscation techniques can potentially cause false negatives, because they change the main characteristics or features of the apps that are used for similarity detections. In practice, more sophisticated obfuscation techniques can be adopted (or have already been performed) in the context of mobile apps. We envision this obfuscation based repackaging will become a phenomenon due to the arms race between repackaging and its detection. To this end, we propose a framework to evaluate the obfuscation resilience of repackaging detection algorithms comprehensively. Our evaluation framework is able to perform a set of obfuscation algorithms in various forms on the Dalvik bytecode. Our results provide insights to help gauge both broadness and depth of algorithms' obfuscation resilience. We applied our framework to conduct a comprehensive case study on AndroGuard, an Android repackaging detector proposed in Black-hat 2011. Our experimental results have demonstrated the effectiveness and stability of our framework.",

author = "Heqing Huang and Sencun Zhu and Peng Liu and Dinghao Wu",

year = "2013",

doi = "10.1007/978-3-642-38908-5_13",

language = "English (US)",

isbn = "9783642389078",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

pages = "169--186",

booktitle = "Trust and Trustworthy Computing - 6th International Conference, TRUST 2013, Proceedings",

}

Huang, H, Zhu, S , Liu, P & Wu, D 2013, A framework for evaluating mobile app repackaging detection algorithms. in Trust and Trustworthy Computing - 6th International Conference, TRUST 2013, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 7904 LNCS, pp. 169-186, 6th International Conference on Trust and Trustworthy Computing, TRUST 2013, London, United Kingdom, 6/17/13. https://doi.org/10.1007/978-3-642-38908-5_13

A framework for evaluating mobile app repackaging detection algorithms. / Huang, Heqing; Zhu, Sencun ; Liu, Peng et al.
Trust and Trustworthy Computing - 6th International Conference, TRUST 2013, Proceedings. 2013. p. 169-186 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 7904 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - A framework for evaluating mobile app repackaging detection algorithms

AU - Huang, Heqing

AU - Zhu, Sencun

AU - Liu, Peng

AU - Wu, Dinghao

PY - 2013

Y1 - 2013

N2 - Because it is not hard to reverse engineer the Dalvik bytecode used in the Dalvik virtual machine, Android application repackaging has become a serious problem. With repackaging, a plagiarist can simply steal others' code violating the intellectual property of the developers. More seriously, after repackaging, popular apps can become the carriers of malware, adware or spy-ware for wide spreading. To maintain a healthy app market, several detection algorithms have been proposed recently, which can catch some types of repackaged apps in various markets efficiently. However, they are generally lack of valid analysis on their effectiveness. After analyzing these approaches, we find simple obfuscation techniques can potentially cause false negatives, because they change the main characteristics or features of the apps that are used for similarity detections. In practice, more sophisticated obfuscation techniques can be adopted (or have already been performed) in the context of mobile apps. We envision this obfuscation based repackaging will become a phenomenon due to the arms race between repackaging and its detection. To this end, we propose a framework to evaluate the obfuscation resilience of repackaging detection algorithms comprehensively. Our evaluation framework is able to perform a set of obfuscation algorithms in various forms on the Dalvik bytecode. Our results provide insights to help gauge both broadness and depth of algorithms' obfuscation resilience. We applied our framework to conduct a comprehensive case study on AndroGuard, an Android repackaging detector proposed in Black-hat 2011. Our experimental results have demonstrated the effectiveness and stability of our framework.

AB - Because it is not hard to reverse engineer the Dalvik bytecode used in the Dalvik virtual machine, Android application repackaging has become a serious problem. With repackaging, a plagiarist can simply steal others' code violating the intellectual property of the developers. More seriously, after repackaging, popular apps can become the carriers of malware, adware or spy-ware for wide spreading. To maintain a healthy app market, several detection algorithms have been proposed recently, which can catch some types of repackaged apps in various markets efficiently. However, they are generally lack of valid analysis on their effectiveness. After analyzing these approaches, we find simple obfuscation techniques can potentially cause false negatives, because they change the main characteristics or features of the apps that are used for similarity detections. In practice, more sophisticated obfuscation techniques can be adopted (or have already been performed) in the context of mobile apps. We envision this obfuscation based repackaging will become a phenomenon due to the arms race between repackaging and its detection. To this end, we propose a framework to evaluate the obfuscation resilience of repackaging detection algorithms comprehensively. Our evaluation framework is able to perform a set of obfuscation algorithms in various forms on the Dalvik bytecode. Our results provide insights to help gauge both broadness and depth of algorithms' obfuscation resilience. We applied our framework to conduct a comprehensive case study on AndroGuard, an Android repackaging detector proposed in Black-hat 2011. Our experimental results have demonstrated the effectiveness and stability of our framework.

UR - http://www.scopus.com/inward/record.url?scp=84884658330&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84884658330&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-38908-5_13

DO - 10.1007/978-3-642-38908-5_13

M3 - Conference contribution

AN - SCOPUS:84884658330

SN - 9783642389078

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 169

EP - 186

BT - Trust and Trustworthy Computing - 6th International Conference, TRUST 2013, Proceedings

T2 - 6th International Conference on Trust and Trustworthy Computing, TRUST 2013

Y2 - 17 June 2013 through 19 June 2013

ER -

Huang H, Zhu S , Liu P , Wu D. A framework for evaluating mobile app repackaging detection algorithms. In Trust and Trustworthy Computing - 6th International Conference, TRUST 2013, Proceedings. 2013. p. 169-186. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-642-38908-5_13

A framework for evaluating mobile app repackaging detection algorithms

Abstract

Publication series

Other

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this