Protecting Million-User iOS Apps with Obfuscation: Motivations, Pitfalls, and Experience

被引:3
|
作者
Wang, Pei [1 ,2 ]
Wu, Dinghao [1 ]
Chen, Zhaofeng [2 ]
Wei, Tao [2 ]
机构
[1] Penn State Univ, University Pk, PA 16802 USA
[2] Baidu X Lab, Beijing, Peoples R China
基金
美国国家科学基金会;
关键词
obfuscation; software protection; reverse engineering; mobile; iOS;
D O I
10.1145/3183519.3183524
中图分类号
TP31 [计算机软件];
学科分类号
081202 ; 0835 ;
摘要
In recent years, mobile apps have become the infrastructure of many popular Internet services. It is now fairly common that a mobile app serves a large number of users across the globe. Different from web based services whose important program logic is mostly placed on remote servers, many mobile apps require complicated client-side code to perform tasks that are critical to the businesses. The code of mobile apps can be easily accessed by any party after the software is installed on a rooted or jailbroken device. By examining the code, skilled reverse engineers can learn various knowledge about the design and implementation of an app. Real-world cases have shown that the disclosed critical information allows malicious parties to abuse or exploit the app-provided services for unrightful profits, leading to significant financial losses for app vendors. One of the most viable mitigations against malicious reverse engineering is to obfuscate the software before release. Despite that security by obscurity is typically considered to be an unsound protection methodology, software obfuscation can indeed increase the cost of reverse engineering, thus delivering practical merits for protecting mobile apps. In this paper, we share our experience of applying obfuscation to multiple commercial iOS apps, each of which has millions of users. We discuss the necessity of adopting obfuscation for protecting modern mobile business, the challenges of software obfuscation on the iOS platform, and our efforts in overcoming these obstacles. Our report can benefit many stakeholders in the iOS ecosystem, including developers, security service providers, and Apple as the administrator of the ecosystem.
引用
收藏
页码:235 / 244
页数:10
相关论文
共 1 条
  • [1] Field experience with obfuscating million-user iOS apps in large enterprise mobile development
    Wang, Pei
    Wu, Dinghao
    Chen, Zhaofeng
    Wei, Tao
    [J]. SOFTWARE-PRACTICE & EXPERIENCE, 2019, 49 (02): : 252 - 273