Security Assessment of Code Obfuscation Based on Dynamic Monitoring in Android Things

Abstract

Android-based Internet-of-Things devices with excellent compatibility and openness are constantly emerging. A typical example is Android Things that Google supports. Compatibility based on the same platform can provide more convenient personalization services centering on mobile devices, while this uniformity-based computing environment can expose many security vulnerabilities. For example, new mobile malware running on Android can instantly transition to all connected devices. In particular, the Android platform has a structural weakness that makes it easy to repackage applications. This can lead to malicious behavior. To protect mobile apps that are vulnerable to malicious activity, various code obfuscation techniques are applied to key logic. The most effective one of this kind involves safely concealing application programming interfaces (API). It is very important to ensure that obfuscation is applied to the appropriate API with an adequate degree of resistance to reverse engineering. Because there is no objective evaluation method, it depends on the developer judgment. Therefore, in this paper, we propose a scheme that can quantitatively evaluate the level of hiding of APIs, which represent the function of the Android application based on machine learning theory. To perform the quantitative evaluation, the API information is obtained by static analysis of a DEX file, and the API-called code executed in Dalvik in the Android platform is dynamically extracted. Moreover, the sensitive APIs are classified using the extracted API and Naive Bayes classification. The proposed scheme yields a high score according to the level of hiding of the classified API. We tested the proposed scheme on representative applications of the Google Play Store. We believe it can be used as a model for obfuscation assessment schemes, because it can evaluate the level of obfuscation in general without relying on specific obfuscation tools.