Professional Documents
Culture Documents
Obfuscate
public DBHelper(Context ctx) { public a(Context ctx) {
db = getWritableDatabase(); remain
b = getWritableDatabase();
} }
key semantic
information
Layout Obfuscation in Android
Non-descriptive
names
Security Challenges
class DBHelper extends SQLiteHelper { class a extends SQLiteHelper {
SQLiteDatabase db; SQLiteDatabase b;
Some names
Obfuscate
public DBHelper(Context ctx) Code Inspection
{ public a(Context ctx) {
db = getWritableDatabase(); remain
b = getWritableDatabase();
} }
Third-party Library Detection
Cursor execSQL(String str) { Cursor c(String str) {
return db.rawQuery(str); return b.rawQuery(str);
} … many others }
} Names provide }
key semantic
information
Layout Obfuscation in Android
Non-descriptive
names
key semantic
information
Layout Obfuscation in Android
Non-descriptive
names
key semantic
Yes, with roughly 80% accuracy!
information
www.apk-deguard.com
Released last week, so far: > 5K users > 5GB APKs
Reddit posts/comments
. . . Tweets
. . .
How Does DeGuard Work?
DeGuard: System Overview
class a extends SQLiteHelper { class DBHelper extends SQLiteHelper{
SQLiteDatabase b; SQLiteDatabase db;
public a(Context ctx) { Static MAP public DBHelper(Context ctx) {
Transform
}
b = getWritableDB(); analysis Inference }
db = getWritableDB();
} }
Learning Phase
Probabilistic model
! )
Open-source, Static
unobfuscated Training
analysis
applications
Semantic
representation
Probabilistic Graphical Models
Probabilistic Graphical Models
class a extends SQLiteHelper {
name1 name2 weight SQLiteDatabase b;
$% SQLiteHelper DBUtils 0.3 public a(Context ctx) {
$& SQLiteHelper DBHelper 0.2 b = getWritableDB();
}
SQLiteHelper extends
a name1 name2 weight
}
$) DBUtils instance 0.5
field-in
$* DBHelper db 0.4
gets
getWritableDB b $+ … … …
>2,000
} }
Learning Phase
Probabilistic model
! )
Open-source, Static
unobfuscated Training
analysis
applications
DeGuard: System Overview
class a extends SQLiteHelper { class DBHelper extends SQLiteHelper{
SQLiteDatabase b; SQLiteDatabase db;
public a(Context ctx) { Static MAP public DBHelper(Context ctx) {
Transform
}
b = getWritableDB(); analysis Inference }
db = getWritableDB();
} }
Probabilistic model
! )
Prediction Phase
name1 name2 weight
SQLiteHelper DBUtils 0.3
class a extends SQLiteHelper { SQLiteHelper DBHelper 0.2
SQLiteDatabase b;
public a(Context ctx) { Static
b = getWritableDB(); analysis SQLiteHelper a
} extends
} Obfuscated Code field-in
gets
getWritableDB b
} }
Learning Phase
Open-source, Static
unobfuscated Training
analysis
applications
DeGuard Implementation
DeGuard Implementation
Static Analysis
§ Static analysis framework
for Java and Android
?
Non-obfuscated APK =
Source Code
80
60
40 only 13%
known names
20
0
Fields Methods Classes Packages Total
Can DeGuard reverse ProGuard?
% of program elements Package names are i.e., identical to
80.6% correct directly used to the original
100
predict third-party Known namesnames
names
libraries Correctly predicted names
80
Mis-predicted names
60
40
20 1.6% known
names
0
Fields Methods Classes Packages Total
ProGuard
obfuscates library
package names
?
Source Code
ProGuard
Probabilistic Models
100
80
60
40
20
0