Active Warden Attack: On the (In)Effectiveness of Android App Repackage-Proofing

Haoyu MA; Shijia LI; Debin GAO; Daoyuan WU; Qiaowen JIA; Chunfu JIA

doi:10.1109/TDSC.2021.3100877

Active Warden Attack: On the (In)Effectiveness of Android App Repackage-Proofing

Haoyu MA
, Shijia LI
, Debin GAO
, Daoyuan WU
, Qiaowen JIA
, Chunfu JIA^*

^*Corresponding author for this work

Research output: Journal Publications › Journal Article (refereed) › peer-review

8 Citations (Scopus)

Abstract

App repackaging has raised serious concerns to the Android ecosystem with the repackage-proofing technology attracting attention in the Android research community. In this article, we first show that existing repackage-proofing schemes rely on a flawed security assumption, and then propose a new class of active warden attack that intercepts and falsifies the metrics used by repackage-proofing for detecting the integrity violations during repackaging. We develop a proof-of-concept toolkit to demonstrate that all the existing repackage-proofing schemes can be bypassed by our attack toolkit. On the positive side, our analysis further identifies a new integrity metric in the Android ART runtime that can robustly and efficiently indicate bytecode tampering caused by either repackaging or active warden attacks. By associating this new metric with two supplemental verification mechanisms, we construct a multi-party verification framework that significantly raises the bar of repackage-proofing and identify conditions under which the proposed framework could detect app repackaging without getting compromised by active warden attacks.

Original language	English
Article number	9502562
Pages (from-to)	3508-3520
Number of pages	13
Journal	IEEE Transactions on Dependable and Secure Computing
Volume	19
Issue number	5
Early online date	30 Jul 2021
DOIs	https://doi.org/10.1109/TDSC.2021.3100877
Publication status	Published - 2 Sept 2022
Externally published	Yes

Bibliographical note

Acknowledgments:
The authors would like to thank the anonymous reviewers and the associate editor for providing valuable feedbacks that helped improving this paper.

Publisher Copyright:
© 2004-2012 IEEE.

Funding

This work was supported in part by the National Key R&D Program of China under Grant 2018YFA0704703, in part by the National Natural Science Foundation of China under Grants 61972215 and 61972073, in part by the Natural Science Foundation of Tianjin under Grant 20JCZDJC00640, and in part by the Singapore National Research Foundation, National Satellite of Excellence in Mobile Systems Security and Cloud Security, under Grant NRF2018NCR-NSOE004-0001.

Keywords

Android security
app repackage-proofing
active warden attack

Access to Document

10.1109/TDSC.2021.3100877

Cite this

@article{dd3e1c22cf81490d890f879787e77e36,

title = "Active Warden Attack: On the (In)Effectiveness of Android App Repackage-Proofing",

abstract = "App repackaging has raised serious concerns to the Android ecosystem with the repackage-proofing technology attracting attention in the Android research community. In this article, we first show that existing repackage-proofing schemes rely on a flawed security assumption, and then propose a new class of active warden attack that intercepts and falsifies the metrics used by repackage-proofing for detecting the integrity violations during repackaging. We develop a proof-of-concept toolkit to demonstrate that all the existing repackage-proofing schemes can be bypassed by our attack toolkit. On the positive side, our analysis further identifies a new integrity metric in the Android ART runtime that can robustly and efficiently indicate bytecode tampering caused by either repackaging or active warden attacks. By associating this new metric with two supplemental verification mechanisms, we construct a multi-party verification framework that significantly raises the bar of repackage-proofing and identify conditions under which the proposed framework could detect app repackaging without getting compromised by active warden attacks.",

keywords = "Android security, app repackage-proofing, active warden attack",

author = "Haoyu MA and Shijia LI and Debin GAO and Daoyuan WU and Qiaowen JIA and Chunfu JIA",

note = "Acknowledgments: The authors would like to thank the anonymous reviewers and the associate editor for providing valuable feedbacks that helped improving this paper. Publisher Copyright: {\textcopyright} 2004-2012 IEEE.",

year = "2022",

month = sep,

day = "2",

doi = "10.1109/TDSC.2021.3100877",

language = "English",

volume = "19",

pages = "3508--3520",

journal = "IEEE Transactions on Dependable and Secure Computing",

issn = "1545-5971",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

number = "5",

}

TY - JOUR

T1 - Active Warden Attack: On the (In)Effectiveness of Android App Repackage-Proofing

AU - MA, Haoyu

AU - LI, Shijia

AU - GAO, Debin

AU - WU, Daoyuan

AU - JIA, Qiaowen

AU - JIA, Chunfu

N1 - Acknowledgments: The authors would like to thank the anonymous reviewers and the associate editor for providing valuable feedbacks that helped improving this paper. Publisher Copyright: © 2004-2012 IEEE.

PY - 2022/9/2

Y1 - 2022/9/2

N2 - App repackaging has raised serious concerns to the Android ecosystem with the repackage-proofing technology attracting attention in the Android research community. In this article, we first show that existing repackage-proofing schemes rely on a flawed security assumption, and then propose a new class of active warden attack that intercepts and falsifies the metrics used by repackage-proofing for detecting the integrity violations during repackaging. We develop a proof-of-concept toolkit to demonstrate that all the existing repackage-proofing schemes can be bypassed by our attack toolkit. On the positive side, our analysis further identifies a new integrity metric in the Android ART runtime that can robustly and efficiently indicate bytecode tampering caused by either repackaging or active warden attacks. By associating this new metric with two supplemental verification mechanisms, we construct a multi-party verification framework that significantly raises the bar of repackage-proofing and identify conditions under which the proposed framework could detect app repackaging without getting compromised by active warden attacks.

AB - App repackaging has raised serious concerns to the Android ecosystem with the repackage-proofing technology attracting attention in the Android research community. In this article, we first show that existing repackage-proofing schemes rely on a flawed security assumption, and then propose a new class of active warden attack that intercepts and falsifies the metrics used by repackage-proofing for detecting the integrity violations during repackaging. We develop a proof-of-concept toolkit to demonstrate that all the existing repackage-proofing schemes can be bypassed by our attack toolkit. On the positive side, our analysis further identifies a new integrity metric in the Android ART runtime that can robustly and efficiently indicate bytecode tampering caused by either repackaging or active warden attacks. By associating this new metric with two supplemental verification mechanisms, we construct a multi-party verification framework that significantly raises the bar of repackage-proofing and identify conditions under which the proposed framework could detect app repackaging without getting compromised by active warden attacks.

KW - Android security

KW - app repackage-proofing

KW - active warden attack

UR - https://www.scopus.com/pages/publications/85112636233

U2 - 10.1109/TDSC.2021.3100877

DO - 10.1109/TDSC.2021.3100877

M3 - Journal Article (refereed)

AN - SCOPUS:85112636233

SN - 1545-5971

VL - 19

SP - 3508

EP - 3520

JO - IEEE Transactions on Dependable and Secure Computing

JF - IEEE Transactions on Dependable and Secure Computing

IS - 5

M1 - 9502562

ER -

Active Warden Attack: On the (In)Effectiveness of Android App Repackage-Proofing

Abstract

Bibliographical note

Funding

Keywords

Access to Document

Other files and links

Fingerprint

Cite this