DOI QR코드

DOI QR Code

Robust Anti Reverse Engineering Technique for Protecting Android Applications using the AES Algorithm

AES 알고리즘을 사용하여 안드로이드 어플리케이션을 보호하기 위한 견고한 역공학 방지기법

  • 김정현 (동의대학교 전산정보부) ;
  • 이강승 (동의대학교 컴퓨터공학과)
  • Received : 2015.01.05
  • Accepted : 2015.07.16
  • Published : 2015.09.15

Abstract

Classes.dex, which is the executable file for android operation system, has Java bite code format, so that anyone can analyze and modify its source codes by using reverse engineering. Due to this characteristic, many android applications using classes.dex as executable file have been illegally copied and distributed, causing damage to the developers and software industry. To tackle such ill-intended behavior, this paper proposes a technique to encrypt classes.dex file using an AES(Advanced Encryption Standard) encryption algorithm and decrypts the applications encrypted in such a manner in order to prevent reverse engineering of the applications. To reinforce the file against reverse engineering attack, hash values that are obtained from substituting a hash equation through the combination of salt values, are used for the keys for encrypting and decrypting classes.dex. The experiments demonstrated that the proposed technique is effective in preventing the illegal duplication of classes.dex-based android applications and reverse engineering attack. As a result, the proposed technique can protect the source of an application and also prevent the spreading of malicious codes due to repackaging attack.

안드로이드 운영체제의 실행파일인 classes.dex파일은 Java 바이트코드 형식이므로 누구나 쉽게 역공학으로 소스코드를 분석하고 수정이 가능하다. 이러한 특징 때문에 많은 어플리케이션들이 불법 복제되어 유통됨에 따라 피해가 증가하고 있다. 이러한 문제를 해결하기 위해 본 논문은 classes.dex파일을 AES 암호화 알고리즘으로 암호화하여 배포하고, 암호화된 어플리케이션을 복호화하여 실행하는 어플리케이션 불법복제를 방지하는 기법을 제안한다. 암호화 및 복호화에 사용되는 Key는 랜덤한 값인 Salt값를 기반으로 조합하여 Hash함수에 대입하여 얻어진 Hash값을 Key로 사용하여 역공학 공격으로부터 견고함을 더했다. 실험을 통해 제안한 기법이 어플리케이션의 불법복제를 방지하는데 효과적이고, 역공학 공격을 불가능하게 하여 어플리케이션의 원천기술 보호와 리패키징으로 인한 악성코드의 전파도 방지할 수 있음을 보였다.

Keywords

References

  1. Gartner. (2013, August 14). Worldwide Smartphone Sales to End Users by Operating System in 2Q13 [Online]. Available: http://www.gartner.com/newsroom/id/2573415
  2. AhnLab, Analysis of mobile malicious code, Vol.26, pp. 25-30. ASEC Report, Korea, Mar. 2012.
  3. Google Android Developer. LVL(License Verification Library) Overview [Online]. Available: http://developer.android.com/google/play/licensing/overview.html
  4. Google Android Developer. Proguard [Online]. Available: http://developer.android.com/tools/help/proguard.html
  5. Justin Case. (2012, June 5). Google's Android Market License Verification Easily Circumvented, Will Not Stop Pirates [Online]. Available: http://www.androidpolice.com/2010/08/23/exclusive-report-googles-android-market-license-verification-easily-circumvented-will-not-stop-pirates/
  6. T Store Developer Center. Android Application Rights Management 3.0 Developer Guide. Version 1.0.2., pp. 7-10. SK Planet, Korea, Apr. 2013.
  7. Ko, Myung Han, A Study of the Security Verification Measures of a Smartphone Application. The Graduate School of Information & Communications Sungkyunkwan University, Feb. 2013.
  8. Kim, Hee Moon, Protection Framework for Android Application by Encrypting DEX files. The Graduate School of Hanyang University, Feb. 2011.
  9. Choi, Chul Hee, AES encryption algorithm with techniques to prevent Java decompiling. The Graduate School of Information Chung-Ang University, Aug. 2012.