Embedded Files
It's a common sense that iOS app is obfuscated as Android app does. To characterize the obfuscation in Apple's ecosystem, we make a study on the obfuscation of iOS apps.
NOTE: In our paper, we perform the same experiment on 1,300 seed apps, with the result that none of the app is obfuscated.
Experiment design: To the best of our knowledge, an obfuscator or a developer always translates the string, symbol of an iOS app to un-readable string or symbol for obfuscation. To infer whether a given string is nonsense or meaningful, we adopt the module Nostril [1]to inspect metadata generated by class-dump. After retrieving metadata of iOS apps, we predict the obfuscated app one-by-one. Percentage of the meaningful string is calculated in the mean time. The random selected 3,006 apps are tested. Code for this survey can be found on our GitHub repository.
[1] Michael Hucka: Nostril: A nonsense string evaluator written in Python. J. Open Source Software 3(25): 596 (2018)
To prove our code worked, we use obfuscated iOS apps that come across when analyzing Cydia (a third-party app store) app. Till now, only 2 apps is obfuscated in our collection. (as left figure depicted). The percentage of meaningful string take 0.8518730340291678 and 0.9173333333333333 separately.
Experiment result
Experiment result
As depicted in left figure, the meaningful string takes high percentage of most iTunes apps, compared to above data, there is an obvious distinction between the obfuscated and non-obfuscated apps.
We deliberately select apps, which meaningful string take lower than 0.99 (12 apps in total) and check them one by one, these apps are:
- com.1008tv.zssp.txt: 0.942442099493
- com.alexcoder.nogoomfm.txt: 0.972972972973
- batsu.cassetteplayer.txt: 0.973333333333
- com.linbunchan.khmersong.txt: 0.979797979798
- com.amakusaweb.TuningTone.txt: 0.982300884956
- browserandmp3.txt: 0.983333333333
- com.batalsoft.Drum-Solo-HD.txt: 0.985915492958
- com.sgbsoft.radyoturk.txt: 0.985915492958
- com.fmv.8bitdrums.txt: 0.986013986014
- com.grahamchance.drumfree.txt: 0.988304093567
- com.shiningcode.iphonenotegoal.txt: 0.989336492891
- com.pavelarteev.bestguitartuner.txt: 0.989473684211
At last, Only the 1 (the marked) app is verified obfuscated among the 3,006 apps.
iTunes app obfuscation is obviously a corner case that we need not to consider in current stage. The lay behind reasons maybe:
- Unlike the Android obfuscate mechanism which provide a map between the obfuscated code and source code, the iOS developer give up collecting runtime information of the app if it is obfuscated.
- There is almost no desire for iOS app obfuscation, for it's hard to collect and decompile than Android.
- Obfuscation is a violation to Apple's policy.
Google Sites
Report abuse