Journal: Security and Communications Networks

Server-based code obfuscation scheme for APK tamper detection

Abstract

It is easy to decompile Android applications (or apps) owing to the structural characteristics of the app building process, but this ease makes them quite vulnerable to forgery or modification attacks. In particular, users may suffer direct financial loss if this vulnerability is exploited in security-critical private and business applications, such as online banking. One of the solutions to these problems is a code obfuscation technique. In this regard, DexGuard, which is based on ProGuard, which is integrated into the Android software development kit build system, has recently been introduced. Although DexGuard protects Android applications more effectively, an attacker is still able to analyze the hex code of a Dalvik Executable file. To resolve this weakness, we begin by analyzing the DexGuard tool from both a static and dynamic point of view. Our analysis reveals that DexGuard has some weaknesses. In this paper, we propose an obfuscation technique based on a client/server model with one-time secret key delivery using short message service or network protocol. The main concept is to store the core execute class file through obfuscation on the server, so when a program needs to execute core routines, it must request these routines from the server. In this way, we can protect Android apps from reverse engineering. Copyright (c) 2014 John Wiley & Sons, Ltd.