Protecting million-user iOS apps with obfuscation: Motivations, pitfalls, and experience

Pei Wang, Dinghao Wu, Zhaofeng Chen, Tao Wei

Research output: Chapter in Book/Report/Conference proceedingConference contribution

5 Scopus citations

Abstract

In recent years, mobile apps have become the infrastructure of many popular Internet services. It is now fairly common that a mobile app serves a large number of users across the globe. Different from web-based services whose important program logic is mostly placed on remote servers, many mobile apps require complicated client-side code to perform tasks that are critical to the businesses. The code of mobile apps can be easily accessed by any party after the software is installed on a rooted or jailbroken device. By examining the code, skilled reverse engineers can learn various knowledge about the design and implementation of an app. Real-world cases have shown that the disclosed critical information allows malicious parties to abuse or exploit the app-provided services for unrightful profits, leading to significant financial losses for app vendors. One of the most viable mitigations against malicious reverse engineering is to obfuscate the software before release. Despite that security by obscurity is typically considered to be an unsound protection methodology, software obfuscation can indeed increase the cost of reverse engineering, thus delivering practical merits for protecting mobile apps. In this paper, we share our experience of applying obfuscation to multiple commercial iOS apps, each of which has millions of users. We discuss the necessity of adopting obfuscation for protecting modern mobile business, the challenges of software obfuscation on the iOS platform, and our efforts in overcoming these obstacles. Our report can benefit many stakeholders in the iOS ecosystem, including developers, security service providers, and Apple as the administrator of the ecosystem.

Original languageEnglish (US)
Title of host publicationProceedings 2018 ACM/IEEE 40th International Conference on Software Engineering
Subtitle of host publicationSoftware Engineering in Practice, ICSE-SEIP 2018
PublisherIEEE Computer Society
Pages235-244
Number of pages10
ISBN (Electronic)9781450356596
DOIs
StatePublished - May 27 2018
Event40th ACM/IEEE International Conference on Software Engineering: Software Engineering in Practice, ICSE-SEIP 2018 - Gothenburg, Sweden
Duration: May 27 2018Jun 1 2018

Publication series

NameProceedings - International Conference on Software Engineering
ISSN (Print)0270-5257

Other

Other40th ACM/IEEE International Conference on Software Engineering: Software Engineering in Practice, ICSE-SEIP 2018
Country/TerritorySweden
CityGothenburg
Period5/27/186/1/18

All Science Journal Classification (ASJC) codes

  • Software

Fingerprint

Dive into the research topics of 'Protecting million-user iOS apps with obfuscation: Motivations, pitfalls, and experience'. Together they form a unique fingerprint.

Cite this