Android Control Flow Obfuscation Based on Dynamic Entry Points Modification
Authors: Xueyi Yang, Lingchen Zhang, Cunqing Ma, Zongbin Liu, Ping Peng
Published in: 2019 22nd International Conference on Control Systems and Computer Science (CSCS)
Publication date: 2019-05-01
DOI: 10.1109/CSCS.2019.00054 (https://doi.org/10.1109/CSCS.2019.00054)
With over 85% market share, Android remains the most popular mobile device platform and faces endless attacks aimed at stealing application developers' intellectual property. Code obfuscation techniques have conventionally been used to prevent application reverse engineering or tampering, and to protect intellectual property. However, existing control-flow obfuscation techniques are not sufficiently efficient or complex to resist increasingly capable reverse engineering techniques. This paper presents a new control-flow obfuscation scheme for Android apps at the Dalvik bytecode level. Our proposed scheme goes beyond the common control-flow obfuscation schemes and makes it nearly impossible for static analysis to determine the actual program control flows. First, our scheme transforms the original Dalvik bytecode to redirect its control flow transfers. The redirection is implemented by replacing the method invoked by an invocation instruction with another method. Then our scheme dynamically restores the control transfers in the transformed code to the original control transfer targets. Hence the transformed code produces the same execution results as the original code. The recovery is implemented by dynamically modifying the entry points of the Dalvik methods while the app is running. Those entry points are maintained by the Android Runtime system. Our analysis and evaluation show that the scheme can implement effective obfuscation to hinder reverse engineering and code analysis with reasonable size, execution time, and execution memory overheads.