JoWUA

Abstract

Reverse engineering of Android applications is easy because the applications are written in the high level but simple bytecode language. Due to malicious reverse engineering attacks, many Android applications are tampered and repackaged into malicious applications. To protect Android applications from reverse engineering, many research studies have proposed and developed anti-reverse engineering techniques such as obfuscation, packing (packed executable), encryption, and anti-debugging. Obfuscation, packing and encryption are the defense techniques against static reverse engineering, which cannot prevent dynamic reverse engineering like memory dumping and runtime debugging. On the other hand, the existing defense techniques against dynamic reverse engineering have usually tried to protect applications by determining whether they are being executed on an emulationbased analysis environment and stopping their execution on the emulator. However, the protection techniques based on detecting the emulators become ineffective because attackers recently employ dynamic reverse engineering directly on real mobile devices. This paper presents a new protection scheme for Android applications against dynamic reverse engineering which can be applied on real mobile devices. Our scheme checks if a device on which the application is running is rooted and/or the application is being debugged. If so, our scheme stops the execution of the application. Our experiments demonstrate that the rooted/debugging environments detection techniques can be evaded by method hooking attacks and that the evasion attack, fortunately, can be detected by our scheme. One of the strength of our approach is that it is not implemented as a part of application’s source code but a separate executable. It can be applied to applications whose source code is not available.