App repackaging remains a serious threat to the emerging mobile
app ecosystem. Previous solutions have mostly focused on the
postmortem detection of repackaged apps by measuring similarity
among apps. In this paper, we propose DIVILAR, a virtualization
based protection scheme to enable self-defense of Android apps
against app repackaging. Specifically, it re-encodes an Android
app in a diversified virtual instruction set and uses a specialized
execute engine for these virtual instructions to run the protected
app. However, this extra layer of execution may cause significant
performance overhead, rendering the solution unacceptable
for daily use. To address this challenge, we leverage a light
weight hooking mechanism to hook into Dalvik VM, the execution
engine for Dalvik bytecode, and piggy-back the decoding of virtual
instructions to that of Dalvik bytecode. By compositing virtual
and Dalvik instruction execution, we can effectively eliminate this
extra layer of execution and significantly reduce the performance
overhead. We have implemented a prototype of DIVILAR. Our
evaluation shows that DIVILAR is resilient against existing static
and dynamic analysis, including these specific to VM-based protection.
Further performance evaluation demonstrates its efficiency
for daily use (an average of 16.2% and 8.9% increase to the start
time and run time, respectively).
app ecosystem. Previous solutions have mostly focused on the
postmortem detection of repackaged apps by measuring similarity
among apps. In this paper, we propose DIVILAR, a virtualization
based protection scheme to enable self-defense of Android apps
against app repackaging. Specifically, it re-encodes an Android
app in a diversified virtual instruction set and uses a specialized
execute engine for these virtual instructions to run the protected
app. However, this extra layer of execution may cause significant
performance overhead, rendering the solution unacceptable
for daily use. To address this challenge, we leverage a light
weight hooking mechanism to hook into Dalvik VM, the execution
engine for Dalvik bytecode, and piggy-back the decoding of virtual
instructions to that of Dalvik bytecode. By compositing virtual
and Dalvik instruction execution, we can effectively eliminate this
extra layer of execution and significantly reduce the performance
overhead. We have implemented a prototype of DIVILAR. Our
evaluation shows that DIVILAR is resilient against existing static
and dynamic analysis, including these specific to VM-based protection.
Further performance evaluation demonstrates its efficiency
for daily use (an average of 16.2% and 8.9% increase to the start
time and run time, respectively).
more here.............http://www.cs.fsu.edu/~zwang/files/codaspy14_2.pdf