DOI: 10.1145/3324884.3416642
research-article

UI obfuscation and its effects on automated UI analysis for Android apps

Published: 27 January 2021

    Abstract

    The UI-driven nature of Android apps has motivated the development of automated UI analysis for various purposes, such as app analysis, malicious app detection, and app testing. Although existing automated UI analysis methods have demonstrated their capability in dissecting apps' UI, little is known about their effectiveness in the face of app protection techniques, which have been adopted by more and more apps. In this paper, we take a first step to systematically investigate UI obfuscation for Android apps and its effects on automated UI analysis. In particular, we point out the weaknesses in existing automated UI analysis methods and design 9 UI obfuscation approaches. We implement these approaches in a new tool named UIObfuscator after tackling several technical challenges. Moreover, we feed 3 kinds of tools that rely on automated UI analysis with the apps protected by UIObfuscator, and find that their performance drops severely. This work reveals limitations of automated UI analysis and sheds light on app protection techniques.

      Published In

      ASE '20: Proceedings of the 35th IEEE/ACM International Conference on Automated Software Engineering
      December 2020
      1449 pages
      ISBN:9781450367684
      DOI:10.1145/3324884
      In-Cooperation

      • IEEE CS

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Publication History

      Published: 27 January 2021

      Qualifiers

      • Research-article

      Conference

      ASE '20
      Acceptance Rates

      Overall Acceptance Rate 82 of 337 submissions, 24%

      • Downloads (Last 12 months): 43
      • Downloads (Last 6 weeks): 0
      Cited By

      • (2022) A Systematical Study on Application Performance Management Libraries for Apps. IEEE Transactions on Software Engineering 48:8 (3044-3065). DOI: 10.1109/TSE.2021.3077654. Online publication date: 1-Aug-2022
      • (2022) GridDroid—An Effective and Efficient Approach for Android Repackaging Detection Based on Runtime Graphical User Interface. Journal of Computer Science and Technology 37:1 (147-181). DOI: 10.1007/s11390-021-1659-3. Online publication date: 31-Jan-2022
      • (2021) Structural Attack against Graph Based Android Malware Detection. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security (3218-3235). DOI: 10.1145/3460120.3485387. Online publication date: 12-Nov-2021
      • (2021) Measuring User Perception for Detecting Unexpected Access to Sensitive Resource in Mobile Apps. Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security (578-592). DOI: 10.1145/3433210.3437511. Online publication date: 24-May-2021
      • (2021) AppJitsu: Investigating the Resiliency of Android Applications. 2021 IEEE European Symposium on Security and Privacy (EuroS&P) (457-471). DOI: 10.1109/EuroSP51992.2021.00038. Online publication date: Sep-2021
