UI Obfuscation and Its Effects on Automated UI Analysis for Android Apps

The UI-driven nature of Android apps has motivated the development of automated UI analysis for various purposes, such as app analysis, malicious app detection, and app testing. Although existing automated UI analysis methods have demonstrated their capability in dissecting apps' UIs, little is known about their effectiveness in the face of app protection techniques, which are being adopted by more and more apps. In this paper, we take a first step toward systematically investigating UI obfuscation for Android apps and its effects on automated UI analysis. In particular, we point out the weaknesses in existing automated UI analysis methods and design 9 UI obfuscation approaches. We implement these approaches in a new tool named UIObfuscator after tackling several technical challenges. Moreover, we feed apps protected by UIObfuscator to 3 kinds of tools that rely on automated UI analysis, and find that their performance drops severely. This work reveals limitations of automated UI analysis and sheds light on app protection techniques.
