TY - GEN
T1 - Protecting million-user iOS apps with obfuscation
T2 - 40th ACM/IEEE International Conference on Software Engineering: Software Engineering in Practice, ICSE-SEIP 2018
AU - Wang, Pei
AU - Wu, Dinghao
AU - Chen, Zhaofeng
AU - Wei, Tao
N1 - Publisher Copyright:
© 2018 ACM.
PY - 2018/5/27
Y1 - 2018/5/27
N2 - In recent years, mobile apps have become the infrastructure of many popular Internet services. It is now fairly common that a mobile app serves a large number of users across the globe. Different from web-based services whose important program logic is mostly placed on remote servers, many mobile apps require complicated client-side code to perform tasks that are critical to the businesses. The code of mobile apps can be easily accessed by any party after the software is installed on a rooted or jailbroken device. By examining the code, skilled reverse engineers can learn various knowledge about the design and implementation of an app. Real-world cases have shown that the disclosed critical information allows malicious parties to abuse or exploit the app-provided services for unrightful profits, leading to significant financial losses for app vendors. One of the most viable mitigations against malicious reverse engineering is to obfuscate the software before release. Despite that security by obscurity is typically considered to be an unsound protection methodology, software obfuscation can indeed increase the cost of reverse engineering, thus delivering practical merits for protecting mobile apps. In this paper, we share our experience of applying obfuscation to multiple commercial iOS apps, each of which has millions of users. We discuss the necessity of adopting obfuscation for protecting modern mobile business, the challenges of software obfuscation on the iOS platform, and our efforts in overcoming these obstacles. Our report can benefit many stakeholders in the iOS ecosystem, including developers, security service providers, and Apple as the administrator of the ecosystem.
AB - In recent years, mobile apps have become the infrastructure of many popular Internet services. It is now fairly common that a mobile app serves a large number of users across the globe. Different from web-based services whose important program logic is mostly placed on remote servers, many mobile apps require complicated client-side code to perform tasks that are critical to the businesses. The code of mobile apps can be easily accessed by any party after the software is installed on a rooted or jailbroken device. By examining the code, skilled reverse engineers can learn various knowledge about the design and implementation of an app. Real-world cases have shown that the disclosed critical information allows malicious parties to abuse or exploit the app-provided services for unrightful profits, leading to significant financial losses for app vendors. One of the most viable mitigations against malicious reverse engineering is to obfuscate the software before release. Despite that security by obscurity is typically considered to be an unsound protection methodology, software obfuscation can indeed increase the cost of reverse engineering, thus delivering practical merits for protecting mobile apps. In this paper, we share our experience of applying obfuscation to multiple commercial iOS apps, each of which has millions of users. We discuss the necessity of adopting obfuscation for protecting modern mobile business, the challenges of software obfuscation on the iOS platform, and our efforts in overcoming these obstacles. Our report can benefit many stakeholders in the iOS ecosystem, including developers, security service providers, and Apple as the administrator of the ecosystem.
UR - http://www.scopus.com/inward/record.url?scp=85049684136&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85049684136&partnerID=8YFLogxK
U2 - 10.1145/3183519.3183524
DO - 10.1145/3183519.3183524
M3 - Conference contribution
AN - SCOPUS:85049684136
T3 - Proceedings - International Conference on Software Engineering
SP - 235
EP - 244
BT - Proceedings 2018 ACM/IEEE 40th International Conference on Software Engineering
PB - IEEE Computer Society
Y2 - 27 May 2018 through 1 June 2018
ER -