An Android Application Protection Scheme against Dynamic Reverse Engineering Attacks

Kyeonghwan Lim1, Younsik Jeong1, Seong-je Cho1, Minkyu Park2, and Sangchul Han2+
 

1Dept. of Computer Science and Engineering, Dankook University

Yongin, Gyeonggi 16890, South Korea
{limkh, jeongyousik, sjcho}@dankook.ac.kr

2Dept. of Computer Engineering, Konkuk University

Chungju, Chungbuk 27478, South Korea

{minkyup, schan}@kku.ac.kr

 

 

Abstract

Reverse engineering of Android applications is easy because the applications are written in the high level but simple bytecode language. Due to malicious reverse engineering attacks, many Android applications are tampered and repackaged into malicious applications. To protect Android applications from reverse engineering, many research studies have proposed and developed anti-reverse engineering techniques such as obfuscation, packing (packed executable), encryption, and anti-debugging. Obfuscation, packing and encryption are the defense techniques against static reverse engineering, which cannot prevent dynamic reverse engineering like memory dumping and runtime debugging. On the other hand, the existing defense techniques against dynamic reverse engineering have usually tried to protect applications by determining whether they are being executed on an emulation-based analysis environment and stopping their execution on the emulator. However, the protection techniques based on detecting the emulators become ineffective because attackers recently employ dynamic reverse engineering directly on real mobile devices. This paper presents a new protection scheme for Android applications against dynamic reverse engineering which can be applied on real mobile devices. Our scheme checks if a device on which the application is running is rooted and/or the application is being debugged. If so, our scheme stops the execution of the application. Our experiments demonstrate that the rooted/debugging environments detection techniques can be evaded by method hooking attacks and that the evasion attack, fortunately, can be detected by our scheme. One of the strength of our approach is that it is not implemented as a part of application’s source code but a separate executable. It can be applied to applications whose source code is not available.

Keywords: Application Protection, Reverse Engineering, Evasion Attack, Android, Rooting

 

+: Corresponding author: Sangchul Han
Department of Computer Engineering, Konkuk University, 268 Chungwondaero, Chungju-si,

Chungbuk-do, 27478, Korea, Tel: +82-43-840-3605

 

Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA)
Vol. 7, No. 3, pp. 40-52, September 2016 [pdf]