Android bytecode is easy to reverse engineer. It has been a common practice for Android application developers to protect their applications with obfuscation techniques. Control flow obfuscation aims to make it more difficult to determine the actual application control flows and thereby impede the understanding of the application logic by the attacker. Despite of the strong potency (i.e., high complexity increment), control flow obfuscation usually incurs a large overhead due to the call and return instructions inserted, which makes the application developer reluctant to use it in practice. In this paper, we present a pragmatic control-flow obfuscation approach where the application developer has more freedom to customize the trade-off between the achieved complexity and overhead. A new subset of application methods will be obfuscated by using a combination of packed-switch and try-catch constructs in different rounds, and larger methods are obfuscated by creating more code fragments in earlier rounds. After each round, the complexity increment will be automatically calculated using our implemented cyclomatic complexity based metric and checked against the target complexity increment. In other words, the obfuscation is conducted in a progressive manner until the target complexity increment is reached. The experimental results show that our method incurs averaged area overhead of 4.07% while achieving almost double complexity increment than the existing method when the same number of application methods are obfuscated.
[1]
Yuan Xiang Gu,et al.
An Approach to the Obfuscation of Control-Flow of Sequential Computer Programs
,
2001,
ISC.
[2]
John C. S. Lui,et al.
ADAM: An Automatic and Extensible Platform to Stress Test Android Anti-virus Systems
,
2012,
DIMVA.
[3]
Xuxian Jiang,et al.
Catch Me If You Can: Evaluating Android Anti-Malware Against Transformation Attacks
,
2014,
IEEE Transactions on Information Forensics and Security.
[4]
Christian S. Collberg,et al.
A Taxonomy of Obfuscating Transformations
,
1997
.
[5]
Laurie Hendren,et al.
Soot: a Java bytecode optimization framework
,
2010,
CASCON.
[6]
Dolores R. Wallace,et al.
Structured Testing: A Testing Methodology Using the Cyclomatic Complexity Metric
,
1996
.
[7]
Priyanka M. Kale,et al.
Protecting Java Code Via Code Obfuscation
,
2012
.
[8]
Douglas Low,et al.
Java Control Flow Obfuscation
,
1998
.
[9]
Clark Thomborson,et al.
Manufacturing cheap, resilient, and stealthy opaque constructs
,
1998,
POPL '98.
[10]
Vrizlynn L. L. Thing,et al.
Control flow obfuscation for Android applications
,
2016,
Comput. Secur..
[11]
Jack W. Davidson,et al.
Software Tamper Resistance: Obstructing Static Analysis of Programs
,
2000
.
[12]
Laurie J. Hendren,et al.
Obfuscating Java: The Most Pain for the Least Gain
,
2007,
CC.
[13]
Gregory R. Andrews,et al.
Binary Obfuscation Using Signals
,
2007,
USENIX Security Symposium.