RU2851570C1 - Method and system for protection of mobile applications program code from reverse engineering - Google Patents

Abstract

FIELD: physics.

SUBSTANCE: invention relates to computer engineering. Method of protecting mobile applications program code from reverse engineering is carried out using a processor and comprises steps of: obtaining an application source code; automated code analysis is performed, during which at least one code area responsible for: authentication, authorization and control of application sessions, or data input into application, or interaction with file system and OS, or interaction with internal resources, or storage of secrets, access to key storage; determining degree of criticality of detected code areas; method for obfuscation of code regions is determined depending on the degree of criticality thereof, wherein the obfuscation methods are selected from: data obfuscation, structure obfuscation, control flow obfuscation or a combination thereof; at least two obfuscation methods are applied to the detected code areas, including data obfuscation and structure obfuscation; obfuscation of detected code areas is performed; and generating obfuscated application source code.

EFFECT: high efficiency of protecting code from reverse engineering.

15 cl, 2 dwg, 3 tbl

Description

AREA OF TECHNOLOGY

[0001] This technical solution relates to the field of computer technology, namely to a method and system for protecting the program code of mobile applications from reverse engineering.

LEVEL OF TECHNOLOGY

[0002] Mobile applications (hereinafter referred to as MA) on the Android platform are subject to reverse engineering (hereinafter referred to as RE) by both attackers and MA developers from competing companies. RE refers to a broad range of application manipulations that involve analyzing and studying a mobile application to gain unauthorized access to information about its internal structure and functionality, as well as disclosing sections of code for more detailed study, reconstruction, or modification. The ultimate goal of this research may be to gain a competitive advantage, optimize and improve third-party MA, bypass the security mechanisms of the application being analyzed, and gain access to stored and processed data within the MA, or create malware.

[0003] Traditional and widely used methods for protecting mobile applications include code obfuscation, data encryption, data channel protection, integrity monitoring during application launch, and other organizational and technical measures. However, most of these approaches are well-studied, and as a result of various studies, a large number of automated RI tools have been developed and are now publicly available to speed up the overall analysis process. Therefore, widely used protection methods cannot provide the necessary and sufficient level of mobile application security in the current environment.

[0004] In addition to the aforementioned security issues with mobile apps themselves, there are vulnerabilities within the Android OS platform. Every month, Google publishes a security bulletin (available at: https://source.android.corn/docs/security/bulletin?hl=en), which typically lists numerous relevant CVEs discovered over the previous month, broken down by period. In other words, the security of the mobile app, including the data it processes, will depend significantly on the security of the underlying operating system. Otherwise, a high-level vulnerability at the OS level could allow root access to be obtained, compromising the entire app for further, more detailed analysis. The security of the operating system will be the first barrier to attack.

[0005] Mobile applications for the Android OS are Java applications translated into Java bytecode, which is executed by the Java Virtual Machine (hereinafter referred to as JVM). Java bytecode itself is transparent enough to be studied and easily recovered, even down to the source code. Developers strive to hide the code as cleverly as possible, using various techniques: obfuscation, compilation to native code, encryption. However, even after obfuscation and obfuscation, Java applications have low protection against malicious code, since most implemented protection methods can be overcome by an experienced reverse engineer, and the JVM remains under the complete control of a user with superuser (root) rights—this is what attackers do, installing analysis applications on already compromised phone devices with root-level access. Currently, the most effective protection of Java applications comes down to the following paradigms, which can be combined with each other:

- Embedding backend logic (e.g. validation of licenses or specific tokens on a remote server);

- Implementation of complex cryptographic algorithms, which will significantly increase the cost and time spent on RI;

- Transition from protecting algorithms to protecting critical data, such as logins/passwords/keys/tokens for API calls, data stored and processed in the application, and other user/technical data with high significance.

[0006] Android-based mobile applications in general, and banking applications in particular, that lack similar security features, are highly unlikely to adequately counteract malicious attacks and dynamic security analysis. As mentioned above regarding the regular vulnerabilities of the Android OS platform, the effectiveness of built-in security features (antivirus software, emulator and root device identification, etc.) can easily be offset by a new high- or critical-level vulnerability.

[0007] A solution is known in terms of encryption of software when it is transferred to the execution environment (US 7841009 B16 11/23/2010), in which a comparison of data is performed for the secure delivery and installation of applications in the destination software environment.

[0008] This approach does not exclude the possibility of software leakage and its subsequent reverse engineering to create malware, which reduces the effectiveness of the protection of original software applications.

ESSENCE OF THE INVENTION

[0009] The present invention makes it possible to solve a technical problem in terms of effective protection of application code from reverse engineering.

[0010] The technical result is to increase the efficiency of code protection against reverse engineering.

[0011] The claimed technical result is achieved through a method for protecting the program code of mobile applications from reverse engineering, performed using a processor and containing the following stages:

receive the source code of the application;

perform automated code analysis, during which they identify at least one area of code responsible for: authentication, authorization, and session management of the application; entering data into the application; interaction with the file system and OS; interaction with internal resources; storing secrets, accessing the key store;

the degree of criticality of the identified areas of code is determined;

the method of obfuscation of code areas is determined depending on the degree of their criticality, and the obfuscation methods are selected from the group: data obfuscation, structure obfuscation, control flow obfuscation or their combinations;

perform obfuscation of the identified areas of code; and

generate obfuscated source code of the application.

[0012] In one particular embodiment of the method, the data entry area in the application is responsible for interaction with the backend, registering a new account, or recovering a password.

[0013] In another particular embodiment of the method, data obfuscation includes a set of transformations that ensure the concealment of the values and structure of the application data.

[0014] In another particular embodiment of the method, the set of transformations includes at least one of:

data aggregation that performs structure modification;

data storage and encoding, performing changes in the values of variables;

Data reordering, which changes the order in which data is stored and uses dynamic calculations to determine the desired array element.

[0015] In another particular embodiment of the method, obfuscation of the structure includes a set of techniques for changing the structure of the application by modifying variable names, changing the formatting of the code, and removing comments and debugging information.

[0016] In another particular embodiment of the method, the obfuscation of the control flow comprises a set of transformations that ensure the concealment of branching and the sequence of operations in the source code.

[0017] In another particular embodiment of the method, when obfuscating a flow, a transformation is performed in the part of the control flow calculation, in which the sequence of code execution is hidden and dummy code is added.

[0018] In another particular embodiment of the method, the dummy code contains blocks with non-executable code and implicit predicates.

[0019] In another particular embodiment of the method, the predicate contains a complex condition that is resolved to true-false upon the requirement of passing the block.

[0020] In another particular embodiment of the method, when obfuscating the control flow, a change in the order of the control flow is performed, which changes the order of execution of operations.

[0021] In another particular embodiment of the method, when obfuscating the control flow, a transformation is performed that changes the execution structure of methods by combining them into a common method using a selector, or cloning methods.

[0022] In another particular embodiment of the method, when obfuscating the control flow, the control flow is ordered, which involves changing the order of independent expressions and directions of traversal in cycles.

[0023] In another particular embodiment of the method, when obfuscating the control flow, flattening of the control flow is performed using a dispatcher and block numbering.

[0024] In another particular embodiment of the method, when flattening the control flow, the linear sections of the code are assigned a unique number for their subsequent selection for execution by the dispatcher.

[0025] The claimed invention is also implemented using a system for protecting software code of mobile applications from reverse engineering, containing at least one processor and at least one memory containing machine-readable instructions that, when executed by at least one processor, implement the above-mentioned method.

BRIEF DESCRIPTION OF DRAWINGS

[0026] Fig. 1 illustrates a block diagram of the claimed method.

[0027] Fig. 2 illustrates a general view of the computing device.

IMPLEMENTATION OF THE INVENTION

[0028] Fig. 1 shows a block diagram of the claimed method (100) for protecting against reverse engineering of applications. In the first step (101), the source code of the application is obtained, which is then analyzed for the presence of areas in the code in step (102) for processing them.

[0029] Classification and division of code into regions at step (102) can be performed using static application security testing (SAST) tools. SAST (Static Application Security Testing) tools are based on the analysis of application/program code or parts thereof without actually running it in an executable environment. This technology is also commonly referred to as white-box testing, and unlike dynamic testing, SAST verifies the executable code in its entirety. Modern SAST tools support various programming languages, allowing scanning to be performed with due regard for their specific features, as accurately and efficiently as possible.

SAST is easily integrated into a development pipeline or IDE (integrated development environment), making it fully automated and independent of operator expertise and experience. Source code analysis also includes feedback from the scanner on the precise location of the target block, class, method, or function within the code. Depending on the application tasks and the emphasis of SAST solutions, target events (fragments) can include vulnerabilities, confidential, or critical information. One of the key factors determining the effectiveness of target event detection is a regularly updated rule base with flexible customization and expansion capabilities.

[0031] Next, the SAST solution is used to classify the identified source code regions. An example of region classification is shown in Table 1.

[0031] The following are examples of source code text for each of the areas.

[0032] Authentication, authorization and session management

[0037] Next, at step (103), the criticality of each area of the code is analyzed, with each area assigned its own criticality value. An example of the classification of areas is given in Table No. 2.

[0038] Next, at step (104), obfuscation methods are determined for the identified code areas, taking into account their degree of criticality. Differentiated obfuscation using the techniques described above is applied to different areas of the source code. This approach maximizes the protection of the most valuable (critical) areas of the source code, while preventing and avoiding excessive obfuscation.

[0040] Based on the results of this stage, the obfuscation parameters (techniques) are determined, the implementation of which is also carried out further in an automated mode.

[0041] Let's consider the methods of code obfuscation used.

[0042] Data obfuscation is a set of transformations that ensure the concealment of the values and structure of data used by an application. Implementation involves several categories:

- Data aggregation – changes related to the merging/unmerging of structures (constants, classes, arrays). Constants can be combined into aggregated arrays or other complex types, while obfuscated arrays are in turn split into several parts or merged with other arrays.

Data storage and encoding is a set of transformations that include changes to variable values. Constant values are replaced with dynamically calculated ones. String constants are encrypted, and encryption and decryption functions are added. Integer constants are broken down into terms.

- Data reordering - changing the order in which data is stored and using dynamic calculations to determine the desired array element [0043] Structure obfuscation - a set of techniques for changing the structure of a program by modifying variable names, changing the formatting of code, and removing comments and debugging information.

[0044] Control flow obfuscation is a technique used to hide branches and sequences of operations in source code. This set of methods includes the following:

Control flow computation is a category of transformations that hides the code execution sequence and adds "junk" code (which does not affect program execution). The original code is interspersed with blocks of unreachable code using implicit predicates that, depending on conditions, can execute or skip the next block. The predicate contains a complex condition that evaluates to true or false upon traversal of the block;

- Changing the order of control flow - obfuscations that change the order of operations, for example, bypassing cycles from the last element;

- Control flow aggregation - transformations that change the execution structure of methods by combining them into a common method using a selector, or cloning methods to complicate analysis;

- Control flow ordering - changing the order of independent expressions and directions of traversal in cycles;

- Control flow flattening is a control flow management technique using a dispatcher and block numbering. Instead of sequentially executing basic blocks (linear sections of code), each block is assigned a specific number. The dispatcher determines block selection based on its number. The number for the next block is calculated as the current block executes.

[0045] Preventive obfuscation is a set of techniques that counteract automated analysis tools—debuggers, decompilers, etc.—by exploiting the limitations of such tools. This method includes the following approaches:

- Anti-debugging - execution of special code to detect the presence of a connected debugger. If detected, the program terminates.

- Anti-decompilation - the introduction of complex structures that can be recursive and consume the computing resources of the decompiler, or use implicit sequences or functions that lead to decompilation errors - Reflection - a dynamic code loading technique that allows hidden functions to be run.

[0046] The invention is not limited to this set of obfuscation techniques and serves as an example and description of the logic of operation of a particular case of counteracting reverse engineering of a banking mobile application.

[0047] The obfuscation methods listed in Table 3 are applied either individually or in combination at step (105), depending on the criticality of a particular code area. Obfuscation techniques are automatically applied by the aforementioned SAST solution, which is configured to apply obfuscation techniques upon detection of relevant areas of the source code.

[0048] The result of the method (100) is obfuscated source code protected from reverse engineering. This approach significantly increases the complexity and labor intensity of reverse engineering, as it precludes the use of existing automated reverse engineering tools and requires specialized knowledge and skills from a reverse engineering specialist. However, the applied application protection does not significantly impact the mobile application's performance or user experience.

[0049] The above approach can be used both in the banking sector and outside of it, since protecting mobile applications from reverse engineering is relevant for owners and developers of all applications seeking to protect the confidential information of a mobile application from intruders and developers of third-party applications.

[0050] Fig. 2 shows a general view of a computing system implemented on the basis of a computing device (200) and ensuring the implementation of the claimed method (100). In the general case, the computing device (200) comprises one or more processors (201) connected by a common information exchange bus, memory means such as RAM (202) and ROM (203), input/output interfaces (204), input/output devices (205) and a device for network interaction (206).

[0051] The processor (201) (or several processors, a multi-core processor) can be selected from a range of devices that are widely used at the present time, for example, from Intel™, AMD™, Apple™, Samsung Exynos™, MediaTEK™, Qualcomm Snapdragon™, etc. The processor must also include a graphic processor, for example, an NVIDIA or ATI GPU, which is also suitable for the full or partial implementation of the method (100). In this case, the memory means can be the available memory capacity of the graphic card or graphic processor.

[0052] RAM (202) is a random access memory and is intended for storing machine-readable instructions executable by the processor (201) for performing the necessary operations for logical data processing. RAM (202), as a rule, contains executable instructions of the operating system and the corresponding software components (applications, software modules, etc.).

[0053] ROM (203) represents one or more permanent data storage devices, such as a hard disk drive (HDD), a solid state drive (SSD), flash memory (EEPROM, NAND, etc.), optical storage media (CD-R/RW, DVD-R/RW, BlueRay Disc, MD), etc.

[0054] To organize the operation of the components of the device (200) and to organize the operation of external connected devices, various types of I/O interfaces (204) are used. The selection of the corresponding interfaces depends on the specific design of the computing device, which may be, without limitation: PCI, AGP, PS/2, IrDa, FireWire, LPT, COM, SATA, IDE, Lightning, USB (2.0, 3.0, 3.1, micro, mini, type C), TRS/Audio jack (2.5, 3.5, 6.35), HDMI, DVI, VGA, Display Port, RJ45, RS232, etc.

[0055] To ensure user interaction with the computing device (200), various I/O information means (205) are used, for example, a keyboard, a display (monitor), a touch display, a touchpad, a joystick, a mouse, a light pen, a stylus, a touch panel, a trackball, speakers, a microphone, augmented reality means, optical sensors, a tablet, light indicators, a projector, a camera, biometric identification means (a retinal scanner, a fingerprint scanner, a voice recognition module), etc.

[0056] The network interaction means (206) ensures the transmission of data by the device (200) via an internal or external computer network, for example, the Intranet, the Internet, a LAN, etc. One or more means (206) may be, but are not limited to: an Ethernet card, a GSM modem, a GPRS modem, an LTE modem, a 5G modem, a satellite communication module, an NFC module, a Bluetooth and/or BLE module, a Wi-Fi module, etc.

[0057] Additionally, satellite navigation tools may also be used as part of the device (200), for example, GPS, GLONASS, BeiDou, Galileo.

[0058] The submitted application materials disclose preferred examples of the implementation of the technical solution and should not be interpreted as limiting other, particular examples of its implementation that do not go beyond the scope of the requested legal protection, which are obvious to specialists in the relevant field of technology.

Claims (25)

1. A method for protecting the software code of mobile applications from reverse engineering, performed using a processor and comprising the following steps: receive the source code of the application; perform an automated code analysis, during which they identify at least one area of the code responsible for: authentication, authorization and session management of the application, or input of data into the application, or interaction with the file system and OS, or interaction with internal resources, or storage of secrets, access to the key store; the degree of criticality of the identified areas of code is determined; the method of obfuscation of code areas is determined depending on the degree of their criticality, and the obfuscation methods are selected from the group: data obfuscation, structure obfuscation, control flow obfuscation or their combinations; apply at least two obfuscation methods to the identified areas of code, including data obfuscation and structure obfuscation; perform obfuscation of the identified areas of code; and generate obfuscated source code of the application. 2. The method according to paragraph 1, in which the data entry area in the application is responsible for interaction with the backend, registration of a new account or password recovery. 3. The method according to claim 1, wherein the data obfuscation includes a set of transformations that ensure the concealment of the values and structure of the application data. 4. The method according to claim 3, wherein the set of transformations includes at least one of: data aggregation that performs structure modification; storage and encoding of data that perform changes in the values of variables; Data reordering, which changes the order in which data is stored and uses dynamic calculations to determine the desired array element. 5. The method of claim 1, wherein the obfuscation of the structure includes a set of techniques for changing the structure of the application by modifying variable names, changing the formatting of the code, and removing comments and debugging information. 6. The method according to claim 1, wherein the control flow obfuscation comprises a set of transformations that ensure the concealment of branching and the sequence of operations in the source code. 7. The method according to claim 6, wherein, during obfuscation of the flow, a transformation is performed in the part of the control flow calculation, in which the sequence of code execution is hidden and dummy code is added. 8. The method according to claim 7, wherein the dummy code contains blocks with non-executable code and implicit predicates. 9. The method according to claim 8, wherein the predicate contains a complex condition that is resolved to true-false upon the requirement of passing the block. 10. The method according to claim 6, wherein, when obfuscating the control flow, a change in the order of the control flow is performed, which changes the order of execution of operations. 11. The method according to claim 6, wherein during obfuscation of the control flow, a transformation is performed that changes the execution structure of methods by combining them into a common method using a selector, or by cloning methods. 12. The method according to claim 6, wherein, during obfuscation of the control flow, the control flow is ordered, which involves changing the order of independent expressions and directions of traversal in cycles. 13. The method according to claim 6, wherein, when obfuscating the control flow, flattening of the control flow is performed using a dispatcher and block numbering. 14. The method according to claim 13, wherein when flattening the control flow, the linear sections of the code are assigned a unique number for their subsequent selection for execution by the dispatcher. 15. A system for protecting software code of mobile applications from reverse engineering, comprising at least one processor and at least one memory containing machine-readable instructions that, when executed by at least one processor, implement the method according to any one of paragraphs 1-14.