Research And Design Of Android Application Protection By Memory Information Hiding

With the increasing popularity and adoption of Android-based smartphones, more and more attackers target Android Applications, which suffer badly from reversing and repackaging problems, as well as malware problem. What's more, researches have showed that most of the malwares are repackaged versions of legitimate applications. Current solutions have mostly focused on postmortem detection of repackaged applications and malwares. Lately, packing has been proposed to enable self-defense for Android applications. However, current Android app packing systems all ignore the memory hacking threat, which enables attackers to reverse and repackage the application. To address this problem, the memory hacking threat on Android is firstly analyzed and then a method of memory information hiding is proposed in this thesis. By hiding the executable code in the process memory, it increases the difficulty for attackers to get the intact executable file, which consequently increases the attack cost of reversing and repackaging.The study consists of the following three aspects:(1) The memory hacking threat on Android is deeply analyzed from an attacker's point of view. The Attack model is presented and a quantitative analysis of the attack cost is provided.(2) To address the memory hacking problem, a method of memory information hiding, which is a combination of executable code fragmentation, dynamic loading of key functions and anti-debugging, is proposed. First, executable code fragmentation maintains the executable file as several pieces located in separated memory areas throughout the application's whole lifecycle, which dramatically increases the difficulty for attackers to locate the dex file; second, in dynamic loading of key functions, only when a class is loaded, that the instruction set of each function in this class is written back to the memory space, which greatly increases the difficulty for attackers to recover the executable file; third, in order to increase the attack cost of memory dumping further, anti-debugging protection is added into the protected application. At each data processing point, the debugging state is inspected and correspondingly responded, which makes it more difficult for attackers to access the memory.(3) A prototype system of DexHide is designed and implemented according to the proposed protection scheme. Theoretical and experimental analysis on DexHide shows that DexHide can effectively protect applications with reasonable performance overhead.