Protecting million-user iOS apps with obfuscation: motivations, pitfalls, and experience

Authors: Pei Wang, Dinghao Wu, Zhaofeng Chen, Tao Wei

DOI: 10.1145/3183519.3183524

Keywords: Exploit, Computer security, The Internet, Server, Software, Security service, Security through obscurity, Obfuscation, Computer science

Abstract: In recent years, mobile apps have become the infrastructure of many popular Internet services. It is now fairly common that an app serves a large number of users across the globe. Unlike web-based services, whose important program logic is mostly placed on remote servers, mobile apps require complicated client-side code to perform tasks that are critical to their businesses. This code can be easily accessed by any party once the software is installed on a rooted or jailbroken device. By examining the code, skilled reverse engineers can learn a great deal about the design and implementation of an app. Real-world cases have shown that the disclosed information allows malicious parties to abuse and exploit app-provided services for unrightful profits, leading to significant financial losses for vendors. One of the most viable mitigations against reverse engineering is to obfuscate the app before release. Although security through obscurity is typically considered an unsound protection methodology, obfuscation does increase the cost of reverse engineering and thus delivers practical merit in protecting apps. In this paper, we share our experience of applying obfuscation to multiple commercial iOS apps, each of which has millions of users. We discuss the necessity of adopting obfuscation in modern business, the challenges specific to the iOS platform, and our efforts in overcoming these obstacles. Our report can benefit the stakeholders of the ecosystem, including developers, service providers, and Apple as the administrator of the ecosystem.
