Android系统应用程序DEX文件保护方法研究

doi:10.3969/j.issn.1671-1122.2020.07.007

摘要/Abstract

摘要：

针对函数级DEX文件保护方法在函数修复过程中难以抵御动态恢复攻击且无法兼容ART虚拟机的问题,文章提出一种基于函数抽取和隐式恢复的DEX文件保护方法。该方法首先对DEX文件中的关键函数进行抽取,然后对DEX文件进行重构、整体加密、重命名和隐藏,接着通过修改APP启动入口和更换smali文件实现加壳,最后添加修复SO库完成对APK的加固。应用程序启动时,利用壳程序解密获取原DEX文件,并将原DEX解析加载到内存中,分别基于Dalvik虚拟机和ART虚拟机对加固函数进行修复,正常执行应用程序内部逻辑。以自主开发APK中的DEX文件为实验对象进行实验,结果表明,该方法能有效抵御静态分析和动态恢复攻击,同时能兼容两种虚拟机,且函数运行的时间增量为常量。

关键词: Android, DEX文件保护, 函数抽取, 隐式恢复

Abstract:

Aiming at the problem that the existing DEX file protection method is difficult to resist dynamic recovery attack and cannot be compatible with ART virtual machine, a DEX file protection method based on function extraction and implicit recovery is proposed. The method first extracts the key functions in the DEX file, then reconstructs, encrypts, renames and hides the DEX file, and then adds the shell by modifying the APP startup entry and replacing the smali file, and finally adding the repair SO library to complete the reinforcement of the APK. When the application starts, the shell program is used to decrypt and obtain the original DEX file, and the original DEX parsing is loaded into the memory. Finally, the hardening function is repaired based on the Dalvik virtual machine and the ART virtual machine respectively, and the internal logic of the application is normally executed. Take the DEX files in the self-developed APK as experimental subjects. The experimental results show that the proposed method can effectively resist static analysis and dynamic recovery attacks, and is compatible with both virtual machines, and the time increment of function running is constant.

Key words: Android, DEX file protection, function extraction, implicit recovery

中图分类号:

TP309

袁晓筱, 罗森林, 杨鹏. Android系统应用程序DEX文件保护方法研究[J]. 信息网络安全, 2020, 20(7): 60-69.

YUAN Xiaoxiao, LUO Senlin, YANG Peng. Research on Android Application DEX File Protection Method[J]. Netinfo Security, 2020, 20(7): 60-69.

图/表 15

图1

图2

表1

图3

图4

图5

图6

表2

表3

表4

图7

图8

图9

图10

表5

参考文献 26

[1]	CHRISTIAN C, CLARK T, DOUGLAS L. A Taxonomy of Obfuscating Transformations[R]. New Zealand: University of Auckland, TR# 148, 1997.
[2]	SCHULZ P. Code Protection in Android[R]. Germany: Rheinische Friedrich-Wilhelms-Universitgt Bonn, TR# 110, 2012.
[3]	SHU Junliang, LI Juanru, ZHANG Yuanyuan, et al. Android APP Protection via Interpretation Obfuscation[C]// IEEE. 2014 IEEE 12th International Conference on Dependable, Autonomic and Secure Computing (DASC), August 20-22, 2014, Dalian, China. New York: IEEE, 2014: 63-68.
[4]	WANG Dejia, SONG Chao, LIU Jiajung. Deep Code Obfuscation Method for Android System Application : China, 103544414A[P]. 2014.
	汪德嘉, 宋超, 刘家郡. 一种Android 系统应用的深度代码混淆方法: 中国,103544414A[P]. 2014.
[5]	LIU Fangyuan, MENG Xianjia, TANG Zhanyong, et al. Android Application Protection Method Based on Smali Code Obfuscation[J]. Journal of Shandong University, 2017,52(3):44-50.
	刘方圆, 孟宪佳, 汤战勇, 等. 基于smali代码混淆的Android应用保护方法[J]. 山东大学学报(理学版), 2017,52(3):44-50.
[6]	SU Yuanqing. Research on Android-based Software Protection Based on Dynamic Loading[D]. Xi'an: Xidian University, 2014.
	宿元庆. Android基于动态加载的软件保护研究[D]. 西安:西安电子科技大学, 2014.
[7]	DONG Hang. Research on Mobile Application Monitoring and Protection Technology[D]. Beijing: Beijing University of Posts and Telecommunications, 2014.
	董航. 移动应用程序检测与防护技术研究[D]. 北京:北京邮电大学, 2014.
[8]	ZHU Hongjun, CHEN Yaoguang, HUA Baojian, et al. An Android Application Reinforcement Solution[J]. Computer Application and Software, 2016,11(33):297-300, 320.
	朱洪军, 陈耀光, 华保健, 等. 一种Android应用加固方案[J]. 计算机应用与软件, 2016,11(33):297-300,320.
[9]	KIM N K, SHIM J, CHO S, et al. Android Application Protection Against Static Reverse Engineering Based on MultiDexing[J]. Journal of Internet Services and Information Security, 2016,11(6):54-64.
[10]	ZHOU W, WANG Z, ZHOU Y Z. et al. DIVILAR: Diversifying Intermediate Language for Anti-repacking on Android Platform[C]// SIGSAC. 4th ACM Conference on Data and Application Security and Privacy, March 15-17, 2014, San Antonio Texas USA. New York: ACM, 2014: 199-210.
[11]	WANG Zehua. Research and Implementation of Android Software Security Hardening Technology[D]. Chengdu: University of Electronic Science and Technology of China, 2016.
	王泽华. Android软件安全加固技术研究与实现[D]. 成都:电子科技大学, 2016.
[12]	LIU Jiajia. Research on An Application Protection Method Based on Virtual Machine Customization[D]. Nanjing: Nanjing University of Science and Technology, 2017.
	刘佳佳. 一种基于虚拟机定制的应用保护方法研究[D]. 南京:南京理工大学, 2017.
[13]	Tencent Cloud. Tencent Legu[EB/OL]. https://www.qcloud.com/product/cr.html, 2017-3-9.
	腾讯云. 腾讯乐固[EB/OL]. https://www.qcloud.com/product/cr.html, 2017-3-9.
[14]	Bangbang Safety. Bangbang Reinforcement[EB/OL]. http://www.bangcle.com, 2017-11-10.
	梆梆安全. 梆梆加固[EB/OL]. http://www.bangcle.com, 2017-11-10.
[15]	LIU Huiming. Android Application Automatic Localization and Obfuscation Sysytem[J]. Microelectronics and Computer, 2016,33(10):50-62.
	刘惠明. 安卓应用自动原生化及混淆系统[J]. 微电子学与计算机, 2016,33(10):50-62.
[16]	MULLINER C. Android DDI: Introduction to Dynamic Dalvik Instrumentation[EB/OL]. https://github.com/crmulliner/ddi, 2019-5-11.
[17]	Hey-Rays . IDA[EB/OL]. https://www.hex-rays.com/products/ida/index.shtml, 2015-5-27.
[18]	Google. Apktool[EB/OL]. http://www.softpedia.com/get/Programming/Debuggers-Dec-ompilers-Dissase-mblers/ApkTool.html, 2017-9-22.
[19]	Android Open Source. Dalvik Executable File Format[EB/OL]. https://source.androi-d.google.cn/devices/tech/dalvik/dexformat?hl=zh-cn, 2017-8-23.
[20]	Lambdalang . DexExtractor[EB/OL]. https://github.com/lambdalang/DexExtractor, 2015-7-11.
[21]	Oracle. Java[EB/OL]. http://www.java.com, 2019-5-12.
[22]	Android Open Source Project. Dalvik and Dalvik Virtual Machine[EB/OL]. http://code.google.com/p/dalvik/, 2019-5-12.
[23]	Android Open Source Project. Bytecode for the Dalvik VM[EB/OL]. http://source.android.com/tech/dalvik/dalvik-bytecode.html, 2019-5-12.
[24]	RYSZARD W, CONNOR T. Apktool[EB/OL]. https://ibotpeaibot.github.io/Apktool/, 2019-5-3.
[25]	SKYLOT . Dex to Java Decompiler[EB/OL]. https://github.com/skylot/jadx, 2019-5-12.
[26]	SWEETSCAPE SOFTWARE. 010 Editor[EB/OL]. https://www.sweetscape.com/010editor/, 2019-4-26.

文件或目录	内容描述
AndroidManifest.xml	Android清单文件
classes.dex	classes文件经过编译后的dex字节码
resource.arcs	资源配置文件
META-INF/	Metadata infomation元数据信息目录,用于存放签名信息
res/	存放Android资源文件的目录
libs/	Android依赖的Native库的目录
assets/	存放需要打包到APK中的静态文件

函数编号	函数名	函数签名	字节码大小/ B
M-1	ProMethod1	(Ljava.lang.String;) Ljava.lang.String;	122
M-2	ProMethod2	([I)I	68
M-3	ProMethod3	()V	192
M-4	ProMethod4	([CII)I	60

设备制造商	型号	Android 版本	内核版本	内存大小	设备总存储
三星	GT-I9508	4.4.2	3.4.0-6844117	2 GB	16 GB
三星	Galaxy S9	5.1	3.18.31	4 GB	16 GB
华为	Nexus 6P	7.1.2	3.10.73	3 GB	32 GB

软件名	软件说明
apktool v2.4.0	APK文件的反编译和重打包工具
jadx	DEX文件反编译工具和JAR文件解析阅读工具
010Editor	二进制文件阅读器
DDMS	Dalvik虚拟机调试和监控工具
DexExtractor	动态脱壳工具

函数编号	加固/us	未加固/us	增量/us	增率
M-1	14763.1	14692.2	70.9	0.48%
M-2	141.3	90.1	51.2	56.82%
M-3	372.4	322.1	50.3	15.61%
M-4	2819.4	2735.7	83.7	3.05%