ABSTRACT
With the increased popularity and wide adoption of smartphones and mobile devices, recent years have seen a new burgeoning economic model centered around mobile apps. However, app repackaging, among many other threats, brings tremendous risk to the ecosystem, including app developers, app market operators, and end users. To mitigate this threat, we propose and develop a watermarking mechanism for Android apps. First, towards automatic watermark embedding and extraction, we introduce the novel concept of a manifest app, which is a companion of a target Android app under protection. We then design and develop a tool named AppInk, which takes the source code of an app as input and automatically generates a new app with a transparently embedded watermark together with the associated manifest app. The manifest app can later be used to reliably recognize the embedded watermark with zero user intervention. To demonstrate the effectiveness of AppInk in preventing app repackaging, we analyze its robustness in defending against distortive, subtractive, and additive attacks, and then evaluate its resistance against two open source repackaging tools. Our results show that AppInk is easy to use, effective in defending against currently known repackaging threats on the Android platform, and introduces small performance overhead.
AppInk: watermarking android apps for repackaging deterrence