Field experience with obfuscating million-user iOS apps in large enterprise mobile development

Pei Wang, Dinghao Wu, Zhaofeng Chen, Tao Wei

Research output: Contribution to journalArticle

Abstract

In recent years, mobile apps have become the infrastructure of many popular Internet services. It is now common that a mobile app serves millions of users across the globe. By examining the code of these apps, reverse engineers can learn various knowledge about the design and implementation of the apps. Real-world cases have shown that the disclosed critical information allows malicious parties to abuse or exploit the app-provided services for unrightful profits, leading to significant financial losses. One of the most viable mitigations against malicious reverse engineering is to obfuscate the apps. Despite that security by obscurity is typically considered to be an unsound protection methodology, software obfuscation can indeed increase the cost of reverse engineering, thus delivering practical merits for protecting mobile apps. In this paper, we share our experience of applying obfuscation to multiple commercial iOS apps, each of which has millions of users. We discuss the necessity of adopting obfuscation for protecting modern mobile business, the challenges of software obfuscation on the iOS platform, and our efforts in overcoming these obstacles. We especially focus on factors that are unique to mobile software development that may affect the design and deployment of obfuscation techniques. We report the outcome of our obfuscation with empirical experiments. We additionally elaborate on the follow-up case studies about how our obfuscation affected the app publication process and how we responded to the negative impacts. This experience report can benefit mobile developers, security service providers, and Apple as the administrator of the iOS ecosystem.

Original languageEnglish (US)
Pages (from-to)252-273
Number of pages22
JournalSoftware - Practice and Experience
Volume49
Issue number2
DOIs
StatePublished - Feb 1 2019

Fingerprint

Application programs
Industry
Reverse engineering
Ecosystems
Software engineering
Profitability
Internet
Engineers

All Science Journal Classification (ASJC) codes

  • Software

Cite this

@article{32aa0bce4309460f9e2584f143a75861,
title = "Field experience with obfuscating million-user iOS apps in large enterprise mobile development",
abstract = "In recent years, mobile apps have become the infrastructure of many popular Internet services. It is now common that a mobile app serves millions of users across the globe. By examining the code of these apps, reverse engineers can learn various knowledge about the design and implementation of the apps. Real-world cases have shown that the disclosed critical information allows malicious parties to abuse or exploit the app-provided services for unrightful profits, leading to significant financial losses. One of the most viable mitigations against malicious reverse engineering is to obfuscate the apps. Despite that security by obscurity is typically considered to be an unsound protection methodology, software obfuscation can indeed increase the cost of reverse engineering, thus delivering practical merits for protecting mobile apps. In this paper, we share our experience of applying obfuscation to multiple commercial iOS apps, each of which has millions of users. We discuss the necessity of adopting obfuscation for protecting modern mobile business, the challenges of software obfuscation on the iOS platform, and our efforts in overcoming these obstacles. We especially focus on factors that are unique to mobile software development that may affect the design and deployment of obfuscation techniques. We report the outcome of our obfuscation with empirical experiments. We additionally elaborate on the follow-up case studies about how our obfuscation affected the app publication process and how we responded to the negative impacts. This experience report can benefit mobile developers, security service providers, and Apple as the administrator of the iOS ecosystem.",
author = "Pei Wang and Dinghao Wu and Zhaofeng Chen and Tao Wei",
year = "2019",
month = "2",
day = "1",
doi = "10.1002/spe.2648",
language = "English (US)",
volume = "49",
pages = "252--273",
journal = "Software - Practice and Experience",
issn = "0038-0644",
publisher = "John Wiley and Sons Ltd",
number = "2",

}

Field experience with obfuscating million-user iOS apps in large enterprise mobile development. / Wang, Pei; Wu, Dinghao; Chen, Zhaofeng; Wei, Tao.

In: Software - Practice and Experience, Vol. 49, No. 2, 01.02.2019, p. 252-273.

Research output: Contribution to journalArticle

TY - JOUR

T1 - Field experience with obfuscating million-user iOS apps in large enterprise mobile development

AU - Wang, Pei

AU - Wu, Dinghao

AU - Chen, Zhaofeng

AU - Wei, Tao

PY - 2019/2/1

Y1 - 2019/2/1

N2 - In recent years, mobile apps have become the infrastructure of many popular Internet services. It is now common that a mobile app serves millions of users across the globe. By examining the code of these apps, reverse engineers can learn various knowledge about the design and implementation of the apps. Real-world cases have shown that the disclosed critical information allows malicious parties to abuse or exploit the app-provided services for unrightful profits, leading to significant financial losses. One of the most viable mitigations against malicious reverse engineering is to obfuscate the apps. Despite that security by obscurity is typically considered to be an unsound protection methodology, software obfuscation can indeed increase the cost of reverse engineering, thus delivering practical merits for protecting mobile apps. In this paper, we share our experience of applying obfuscation to multiple commercial iOS apps, each of which has millions of users. We discuss the necessity of adopting obfuscation for protecting modern mobile business, the challenges of software obfuscation on the iOS platform, and our efforts in overcoming these obstacles. We especially focus on factors that are unique to mobile software development that may affect the design and deployment of obfuscation techniques. We report the outcome of our obfuscation with empirical experiments. We additionally elaborate on the follow-up case studies about how our obfuscation affected the app publication process and how we responded to the negative impacts. This experience report can benefit mobile developers, security service providers, and Apple as the administrator of the iOS ecosystem.

AB - In recent years, mobile apps have become the infrastructure of many popular Internet services. It is now common that a mobile app serves millions of users across the globe. By examining the code of these apps, reverse engineers can learn various knowledge about the design and implementation of the apps. Real-world cases have shown that the disclosed critical information allows malicious parties to abuse or exploit the app-provided services for unrightful profits, leading to significant financial losses. One of the most viable mitigations against malicious reverse engineering is to obfuscate the apps. Despite that security by obscurity is typically considered to be an unsound protection methodology, software obfuscation can indeed increase the cost of reverse engineering, thus delivering practical merits for protecting mobile apps. In this paper, we share our experience of applying obfuscation to multiple commercial iOS apps, each of which has millions of users. We discuss the necessity of adopting obfuscation for protecting modern mobile business, the challenges of software obfuscation on the iOS platform, and our efforts in overcoming these obstacles. We especially focus on factors that are unique to mobile software development that may affect the design and deployment of obfuscation techniques. We report the outcome of our obfuscation with empirical experiments. We additionally elaborate on the follow-up case studies about how our obfuscation affected the app publication process and how we responded to the negative impacts. This experience report can benefit mobile developers, security service providers, and Apple as the administrator of the iOS ecosystem.

UR - http://www.scopus.com/inward/record.url?scp=85056261572&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85056261572&partnerID=8YFLogxK

U2 - 10.1002/spe.2648

DO - 10.1002/spe.2648

M3 - Article

AN - SCOPUS:85056261572

VL - 49

SP - 252

EP - 273

JO - Software - Practice and Experience

JF - Software - Practice and Experience

SN - 0038-0644

IS - 2

ER -