Obfuscation fingerprinting in Android binaries

Abstract

There are many way to protect code from reverse engineering. One such way is to obfuscate either the source code, machine code or bytecode. Obfuscating Android applications not only makes it harder to reverse engineer, it can also speed up execution by reducing the size of the application and removing unnecessary code. One method of obfuscation is to do it manually and the other method is to use an obfuscation program. However, it may become necessary to reverse obfuscation, because of the loss of source code or when investigating malware, trojans, or other harmful applications. This process is called deobfuscation. Once an application has been obfuscated performing deobfuscation is a tedious task, and knowing how the application was obfuscated would increase the probability of correctly reversing the obfuscation. By examining four Android application obfuscators I successfully identified distinct fingerprints within each of the obfuscated binaries by building a simple Android application, obfuscating it, and then comparing obfuscated and unobfuscated bytecode. Using these fingerprints I was able to associate each obfuscator with an approximate probability that it was used to perform the obfuscation.