函数Native化的Android APP加固方法
|
摘要
调研动态恢复攻击的逻辑思路和Android APP中函数调用执行流程.通过对原DEX文件进行重构和加密,将其关键Java函数属性改为Native,并添加壳DEX文件; Android APP启动后首先执行壳DEX文件,然后对原DEX进行解密和动态加载,当调用被保护函数时,保持该函数在内存中的Native属性,通过Hook技术和反射机制隐式恢复并执行原Java函数.实验和对比分析结果表明,该方法能够在较低资源损耗和无需反编译源码的前提下获取高强度的保护效果,可以有效抵御静态分析攻击、DEX动态恢复和动态脱壳攻击.
The logic of dynamic recovery attack and the function call execution flow in Android APP was investigated. The original DEX file was reconstructed and encrypted; its key Java function attribute was changed to Native, and the shell DEX file was added. When the Android APP was started, the shell DEX file was executed first,and then the original DEX was decrypted and loaded dynamically. When the protected function was called, the Native property of the function in memory was maintained, and the original Java function was implicitly restored and executed by the Hook technique and the reflection mechanism. The experimental results show that the method obtains high level of protection without Source decompilation at lower resource losses, and can effectively resist static analysis attacks, DEX dynamic recovery and dynamic shelling attacks.
The logic of dynamic recovery attack and the function call execution flow in Android APP was investigated. The original DEX file was reconstructed and encrypted; its key Java function attribute was changed to Native, and the shell DEX file was added. When the Android APP was started, the shell DEX file was executed first,and then the original DEX was decrypted and loaded dynamically. When the protected function was called, the Native property of the function in memory was maintained, and the original Java function was implicitly restored and executed by the Hook technique and the reflection mechanism. The experimental results show that the method obtains high level of protection without Source decompilation at lower resource losses, and can effectively resist static analysis attacks, DEX dynamic recovery and dynamic shelling attacks.
引文
[1]RASTOGI S,BHUSHAN K,GUPTA B B.Android applications repackaging detection techniques for smartphone devices[J].Procedia Computer Science,2016,78:26-32.
[2]阿里聚安全.阿里聚安全2016年报[EB/OL].(2017-03-09)[2017-08-23].https://yq.aliyun.com/-articles/72037.
[3]COLLBERG C.A taxonomy of obfuscating transformations[D].New Zealand:University of Auckland,1997.
[4]LOW D.Java control flow obfuscation[D].Auckland:University of Auckland,1998.
[5]TSAI K.Android APP copy protection mechanism with semi-trusted loader[C]//17th International Conference on Advanced Communication Technology.Seoul:IEEE,2015:464-467.
[6]Android Open Source.Dalvik可执行文件格式[EB/OL].(2014-07-14)[2017-08-23].https://source.android.google.cn/devices/tech/dalvik/dexformat?hl=zhcn.
[7]SCHULZ P.Code protection in Android[R/OL].Technical Report 110,Rheinische FriedrichWilhelms-Universitgt Bonn,Germany,2012.http://net.cs.uni-bonn.de/fileadmin/user_upload/plohmann/2012-Schulz-Code_Protection_in_Android.pdf.
[8]王泽华.Android软件安全加固技术研究与实现[D].成都:电子科技大学,2016.WANG Ze-hua.Research and Implementation of the Android Software Security Reinforcement Technique[D].Chengdu:University of Electronic Science and Technology of China,2016.
[9]加固脱壳及抽代码还原方法[EB/OL].(2016-04-15)[2018-02-15].http://blog.csdn.net/justfwd/article/det-ails/51164281.
[10]梆梆安全.梆梆加固[EB/OL].(2017-01-15)[2018-02-10].http://www.bangcle.com/.
[11]MULLINER C.Android DDI:Introduction to Dynamic Dalvik Instrumentation[EB/OL].(2014-10-15)[2018-01-02].https://github.com/crmulliner/ddi.
[12]刘惠明.安卓应用自动原生化及混淆系统[J].微电子学与计算机,2016,33(10):50-62.LIU Hui-ming.Automatic Android APPs translation and obfuscation system[J].Microelectronics and Computers,2016,33(10):50-62.
[13]ZHOU W,WANG Z,ZHOU Y Z.et al.DIVILAR:diversifying intermediate language for antirepacking on Android platform[C]//Proceedings of the 4th ACM conference on Data and Application Security and Privacy,2014:199-210.
[14]丰生强.Android软件安全与逆向方法[M].北京:人民邮电出版社,2014:152-156.
[15]Sourceforge.dex2jar introduction[EB/OL].(2016-10-11)[2017-12-20].http://sourceforge.net/projects/dex2jar/
[16]Emmanuel Dupuy.Java Decompiler[EB/OL].(2014-03-01)[2017-12-25].http://jd.benow.ca/.
[2]阿里聚安全.阿里聚安全2016年报[EB/OL].(2017-03-09)[2017-08-23].https://yq.aliyun.com/-articles/72037.
[3]COLLBERG C.A taxonomy of obfuscating transformations[D].New Zealand:University of Auckland,1997.
[4]LOW D.Java control flow obfuscation[D].Auckland:University of Auckland,1998.
[5]TSAI K.Android APP copy protection mechanism with semi-trusted loader[C]//17th International Conference on Advanced Communication Technology.Seoul:IEEE,2015:464-467.
[6]Android Open Source.Dalvik可执行文件格式[EB/OL].(2014-07-14)[2017-08-23].https://source.android.google.cn/devices/tech/dalvik/dexformat?hl=zhcn.
[7]SCHULZ P.Code protection in Android[R/OL].Technical Report 110,Rheinische FriedrichWilhelms-Universitgt Bonn,Germany,2012.http://net.cs.uni-bonn.de/fileadmin/user_upload/plohmann/2012-Schulz-Code_Protection_in_Android.pdf.
[8]王泽华.Android软件安全加固技术研究与实现[D].成都:电子科技大学,2016.WANG Ze-hua.Research and Implementation of the Android Software Security Reinforcement Technique[D].Chengdu:University of Electronic Science and Technology of China,2016.
[9]加固脱壳及抽代码还原方法[EB/OL].(2016-04-15)[2018-02-15].http://blog.csdn.net/justfwd/article/det-ails/51164281.
[10]梆梆安全.梆梆加固[EB/OL].(2017-01-15)[2018-02-10].http://www.bangcle.com/.
[11]MULLINER C.Android DDI:Introduction to Dynamic Dalvik Instrumentation[EB/OL].(2014-10-15)[2018-01-02].https://github.com/crmulliner/ddi.
[12]刘惠明.安卓应用自动原生化及混淆系统[J].微电子学与计算机,2016,33(10):50-62.LIU Hui-ming.Automatic Android APPs translation and obfuscation system[J].Microelectronics and Computers,2016,33(10):50-62.
[13]ZHOU W,WANG Z,ZHOU Y Z.et al.DIVILAR:diversifying intermediate language for antirepacking on Android platform[C]//Proceedings of the 4th ACM conference on Data and Application Security and Privacy,2014:199-210.
[14]丰生强.Android软件安全与逆向方法[M].北京:人民邮电出版社,2014:152-156.
[15]Sourceforge.dex2jar introduction[EB/OL].(2016-10-11)[2017-12-20].http://sourceforge.net/projects/dex2jar/
[16]Emmanuel Dupuy.Java Decompiler[EB/OL].(2014-03-01)[2017-12-25].http://jd.benow.ca/.