TY - GEN

T1 - A large scale investigation of obfuscation use in google play

AU - Wermke, Dominik

AU - Huaman, Nicolas

AU - Acar, Yasemin

AU - Reaves, Bradley

AU - Traynor, Patrick

AU - Fahl, Sascha

N1 - Funding Information: This work was supported in part by the National Science Foundation under grant numbers CNS-1526718 and CNS-1562485. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reect the views of the National Science Foundation.

PY - 2018/12/3

Y1 - 2018/12/3

N2 - Android applications are frequently plagiarized or repackaged, and software obfuscation is a recommended protection against these practices. However, there is very little data on the overall rates of app obfuscation, the techniques used, or factors that lead to developers to choose to obfuscate their apps. In this paper, we present the first comprehensive analysis of the use of and challenges to software obfuscation in Android applications. We analyzed 1.7 million free Android apps from Google Play to detect various obfuscation techniques, finding that only 24.92% of apps are obfuscated by the developer. To better understand this rate of obfuscation, we surveyed 308 Google Play developers about their experiences and attitudes about obfuscation. We found that while developers feel that apps in general are at risk of plagiarism, they do not fear theft of their own apps. Developers also report difficulties obfuscating their own apps. To better understand, we conducted a follow-up study where the vast majority of 70 participants failed to obfuscate a realistic sample app even while many mistakenly believed they had been successful. These findings have broad implications both for improving the security of Android apps and for all tools that aim to help developers write more secure software.

AB - Android applications are frequently plagiarized or repackaged, and software obfuscation is a recommended protection against these practices. However, there is very little data on the overall rates of app obfuscation, the techniques used, or factors that lead to developers to choose to obfuscate their apps. In this paper, we present the first comprehensive analysis of the use of and challenges to software obfuscation in Android applications. We analyzed 1.7 million free Android apps from Google Play to detect various obfuscation techniques, finding that only 24.92% of apps are obfuscated by the developer. To better understand this rate of obfuscation, we surveyed 308 Google Play developers about their experiences and attitudes about obfuscation. We found that while developers feel that apps in general are at risk of plagiarism, they do not fear theft of their own apps. Developers also report difficulties obfuscating their own apps. To better understand, we conducted a follow-up study where the vast majority of 70 participants failed to obfuscate a realistic sample app even while many mistakenly believed they had been successful. These findings have broad implications both for improving the security of Android apps and for all tools that aim to help developers write more secure software.

KW - Android

KW - Obfuscation

KW - User Study

UR - http://www.scopus.com/inward/record.url?scp=85060065541&partnerID=8YFLogxK

U2 - 10.48550/arXiv.1801.02742

DO - 10.48550/arXiv.1801.02742

M3 - Conference contribution

AN - SCOPUS:85060065541

T3 - ACM International Conference Proceeding Series

SP - 222

EP - 235

BT - ACM International Conference Proceeding Series

PB - Association for Computing Machinery (ACM)

T2 - 34th Annual Computer Security Applications Conference, ACSAC 2018

Y2 - 3 December 2018 through 7 December 2018

ER -