KR20200095122A - Apparatus and method for feature information extraction and similarity comparison of android app considering obfuscation - Google Patents

Abstract

The present invention provides a technique for an apparatus for extracting a feature point and the similarity to check whether an original app is used for an obfuscated Android application and a method thereof. The apparatus comprises: a feature extraction unit extracting an implicit intent component including an intent-filter in a lower tag in the AndroidManifest.xml of the comparison app; and a comparison unit calculating the similarity by comparing the information extracted by the feature extraction unit with the original app.

Description

Apparatus and method for extracting feature information and comparing similarity of Android app considering obfuscation {APPARATUS AND METHOD FOR FEATURE INFORMATION EXTRACTION AND SIMILARITY COMPARISON OF ANDROID APP CONSIDERING OBFUSCATION}

The present invention relates to an apparatus and method for extracting feature information of an Android app and comparing similarity in consideration of obfuscation, and more specifically, infringement of intellectual property rights such as theft, illegal copying, and unauthorized use of open source software for obfuscated Android apps. In order to confirm, this is a technology related to an apparatus and method for extracting feature points and comparing similarities.

In Android, game applications, healthcare apps, and financial apps contain intellectual property such as trade secrets, personal information, and financial information (credit card number, etc.). Malicious developers may develop similar or pirated apps by illegally stealing apps with high intellectual property value, and then disseminate and distribute them through online markets for their own business profit. In this case, in order to protect the intellectual property rights of the original developer, similar apps or illegally copied apps must be detected and blocked.

However, malicious developers sometimes apply code obfuscation to conceal the fact that the original was illegally stolen.

Code obfuscation refers to a technique that makes it difficult to interpret source code or executable code. Obfuscation can be largely divided into source code obfuscation and binary obfuscation (executable code obfuscation) depending on the target. Source code obfuscation is a technology that converts source codes such as C/C++/JAVA into a form that is difficult to recognize, while binary obfuscation is a technology that makes it difficult to analyze the binary generated after compilation by reverse engineering. Obfuscation techniques include layout obfuscation, control obfuscation (control flow obfuscation = control flow obfuscation), data obfuscation, and preventive transformations.

On the other hand, open-source is to open source codes or blueprints necessary for the process of developing a product so that anyone can access and read it. In general, open source software is called open source software. In addition, in addition to software, the open source model can be applied to hardware in which the development process or blueprint is disclosed, and the open source development model is sometimes applied to data such as fonts.

Some open source simply disclose the source, while others allow secondary creation. However, it is often not allowed freely for commercial use.

Referring to FIG. 1, in order to use (distribute, modify, expand, or improve) any open source, including secondary works derived from open source, the license of the corresponding open source must be observed. Representative open source licenses include GPL 2.0, GPL 3.0, LGPL, MIT, Apache, BSD, EPL, and MPL.

If you use it without complying with the open source license, it infringes intellectual property rights. Therefore, software development companies conduct a separate verification process for their own software to see if open source has been used.

However, malicious users are applying obfuscation technology in order to use open source licenses without permission. In general, it is difficult to determine whether obfuscated code is applied by simple comparison with the original open source. That is, conventional techniques for automatically evaluating similarity through comparison between character strings using various character strings as a bus mark cannot be applied.

Therefore, even if the application is obfuscated, there is a need for a technology that can check whether the open source software is applied. In particular, even when the source code is not given and only the executable code is given, there is a need for a technology that can identify whether the obfuscated executable code is created from open source or newly written.

Unexamined Patent Publication No. 10-2017-0079961

Accordingly, the present invention has been proposed to solve the problems of the prior art, and the object of the present invention is to check the infringement of intellectual property rights such as theft, illegal copying, and unauthorized use of open source software for obfuscated Android apps. For this purpose, it is an object to provide a technique for an apparatus and a method for extracting feature points and comparing similarities.

In order to achieve the above object, an apparatus for extracting feature information and comparing similarity of an Android app considering obfuscation according to the technical idea of the present invention is an intent filter in the tag hierarchy and lower tags in AndroidManifest.xml of the original app and the comparison app. A feature extractor for extracting an intent component including an (Intent-filter); And a comparison unit for calculating a similarity by comparing the information of the original app and the comparison app extracted by the feature extraction unit.

In addition, the feature extraction unit may be characterized in that it extracts the tag hierarchy using a depth-first search (DFS).

In addition, it may be characterized in that it further comprises a conversion unit for generating a string (String) of the original app and the comparison app by using the feature of the tag hierarchy.

In addition, the conversion unit may be characterized in that adding a name of the intent component to a character position related to the intent component in the string of the tag hierarchy.

In addition, the conversion unit may be characterized in that it converts the name of the intent component into a preset string length.

In addition, the conversion unit may be characterized in that the name of the intent component is signed with a hash function.

In addition, the hash function may be one of MD5, SHA-1, SHA-2 (SHA-224, SHA-256, SHA-384, SHA-512), and SHA-3.

In addition, the comparison unit may be characterized in that the comparison unit calculates the similarity by comparing the character string of the comparison app generated by the conversion unit and the character string generated using the original app with a Longest Common Subsequence (LCS) algorithm. have.

On the other hand, in order to achieve the above object, in the method of extracting feature information and comparing similarity of an Android app in consideration of obfuscation according to the technical idea of the present invention, the feature extraction unit has a tag hierarchy and subordinate structure in AndroidManifest. Extracting an intent component including an intent-filter in the tag; And calculating a similarity by comparing the information of the original app and the comparison app extracted by the feature extraction unit by a comparison unit.

In addition, the feature extraction unit may be characterized in that it extracts the tag hierarchy using a depth-first search (DFS).

In addition, before the step of calculating the similarity by comparing the information of the original app and the comparison app extracted by the feature extraction unit by the comparison unit, the conversion unit uses the tag hierarchy feature to determine the comparison between the original app and the comparison app. It may be characterized in that it further comprises the step of generating a string (String).

In addition, the conversion unit may be characterized in that adding a name of the intent component to a character position related to the intent component in the string of the tag hierarchy.

In addition, the conversion unit may be characterized in that it converts the name of the intent component into a preset string length.

In addition, the conversion unit may be characterized in that the name of the intent component is signed with a hash function.

In addition, the hash function may be one of MD5, SHA-1, SHA-2 (SHA-224, SHA-256, SHA-384, SHA-512), and SHA-3.

In addition, the comparison unit may be characterized in that the comparison unit calculates the similarity by comparing the character string of the comparison app generated by the conversion unit and the character string generated using the original app with a Longest Common Subsequence (LCS) algorithm. have.

In order to achieve the above object according to the present invention, according to an apparatus and method for extracting feature information and comparing similarity of an Android app in consideration of obfuscation according to the technical idea of the present invention,

First, since the tag hierarchy that is not affected by obfuscation is compared with the component name of the intent that is not obfuscated, even if the app infringing intellectual property rights such as unauthorized theft, illegal copying, and unauthorized use of open source software is obfuscated. The similarity to the original app can be calculated very accurately.

Second, since the component name is signed with a hash function (MD5, SHA-1, SHA-2, SHA-3, etc.), the degree to which the component name contributes to the increase in similarity increases, and the comparison app with the original app If the component names of are different, the signature is converted completely differently, so it does not affect the increase of similarity.

Third, applications that use the original app without permission have a high probability of including malicious actions such as malware, and thus can contribute to the application's malware diagnosis.

1 is a diagram showing a license type of open source software.
2 is a configuration diagram of an apparatus for extracting feature information and comparing similarity of an Android app in consideration of obfuscation according to an embodiment of the present invention.
3 is a diagram showing the contents and tags of an example AndroidManifest.xml expressed in a hierarchical structure.
4 is a view showing a comparison of AndroidManifest.xml of the original app and AndroidManifest.xml of a comparison app obfuscated after applying open source.
FIG. 5 is a diagram showing a similarity calculation result when a string listing component names of an original app and a string listing component names of an obfuscated comparison app are compared by a conventional method.
6 is a diagram showing the tag hierarchy added in AndroidManifest.xml.
7 is a diagram showing a method of converting the tag hierarchy of AndroidManifest.xml into a subtree.
Fig. 8 is a diagram showing that a subtree is converted to a string, and the name of an implicit intent component is added after a related node.
9 is a diagram showing a character string of an experimentally generated subtree.
10 is a view showing an example of a process and result of calculating a similarity by using a character string of an original app and a character string of a comparison app.
11 is a flowchart of a method of extracting feature information and comparing similarity of an Android app in consideration of obfuscation according to an embodiment of the present invention.

An apparatus and method for extracting feature information and comparing similarity of an Android app in consideration of obfuscation according to embodiments of the present invention will be described in detail with reference to the accompanying drawings. The present invention can be applied to various changes and may have various forms, and specific embodiments will be illustrated in the drawings and described in detail in the text. However, this is not intended to limit the present invention to a specific disclosure form, it should be understood to include all modifications, equivalents, or substitutes included in the spirit and scope of the present invention. In describing each drawing, similar reference numerals are used for similar components.

In addition, unless otherwise defined, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which the present invention belongs. Terms, such as those defined in a commonly used dictionary, should be interpreted as having meanings consistent with meanings in the context of related technologies, and should not be interpreted as ideal or excessively formal meanings unless explicitly defined in the present application. Does not.

The device for extracting feature information and comparing similarity of an Android app in consideration of obfuscation according to an embodiment of the present invention is installed and operated on one computer device, or is distributedly installed on a plurality of computer devices, and each computer device is connected to each other by wire or wirelessly. It can be implemented as being interlocked.

Referring to FIG. 2, an apparatus 100 for extracting feature information and comparing similarity of an Android app according to an embodiment of the present invention includes an intent filter for tag hierarchy and lower tags in AndroidManifest.xml of the original app and the comparison app. -filter) and a feature extractor 120 for extracting an intent component. In addition, it includes a comparison unit 160 for calculating a similarity by comparing the information of the original app and the comparison app extracted by the feature extraction unit 120 with the original app.

Both the comparison app and the original app applied to this embodiment include AndroidManifest.xml.

If you decompile the Android application, you can search AndroidManifest.xml. AndroidManifest.xml exists for each Android application because it is information that the Android system must have before executing the application. AndroidManifest.xml has a hierarchical structure of tags that declare the package name of the application, components of the application, permissions required by the application, hardware and software required by the application, etc.

AndroidManifest.xml has a set of contents that can be entered into a layer, and has a total of five layers. Contents included in each layer structure cannot be included in nodes of other layers. In the case of an intent-filter, start and end tags are specified on the fourth layer, and the content included in the intent filter is written on the fifth layer.

Referring to FIG. 3, the <activity> component has <intent-filter> as its lower tag (child tag). The parent tag of the <activity> component is the <application> tag, and in this case, the <intent-filter> represents an implicit intent. The <activity> component name is com.example.project.FreneticActivity, of which FreneticActivity represents the class name. In the description of this embodiment, a component including an intent filter in a lower tag is defined as an intent component.

In Android, an intent is a message with an arbitrary action, and can be broadcast to all applications or transmitted to a specific application. The application's activity component, service component, and broadcast receiver component are activated by the intent. When an application issues an intent to the system, the system specifies the application component to process the intent based on the intent filter declaration in each application's AndroidManifiest.xml. In other words, since intent is information used for communication between components or between applications, it is robust against obfuscation.

The original app is an application created by the first developer (original developer) or an open source application, and means an application in which a separate creator who holds intellectual property rights or copyright exists. Original apps include ready-made Android apps and open source software. Ready-made Android apps refer to existing applications that can be downloaded and installed by being posted online, such as in open markets. It is desirable that the open source software is open source in the Android environment. Open source is an open source code that anyone can access and read.

Comparison apps are applications suspected of infringing intellectual property rights or copyrights. Comparison apps include fake applications, pirated applications, and applications that violate the license and apply open source without permission.

Referring to FIG. 4, AndroidManifest.xml has tags hierarchically configured. Each tag represents one node from the perspective of a sub tree.

The tag may contain child tags, which include the characteristics or detailed description of the parent tag. From the perspective of the subtree, the lower tag can be viewed as a lower node located below the upper node. The lower tag has the characteristic that it is created by indenting the upper tag to provide identification.

As shown, if the code is obfuscated, the contents of AndroidManifest.xml may also be obfuscated. In this case, the code includes both source code and execution code.

FIG. 5 is characterized in that the functions of the original app and the comparison app are substantially the same, but the component name of the comparison app is obfuscated. Comparing the component name of the original app AndroidManifest.xml and the obfuscated comparison If the component name of the app AndroidManifest.xml is compared with the Longest Common Subsequence (LCS) algorithm without any processing, the similarity is only due to the obfuscated component name. It can be seen that only 11.11% comes out.

Referring to FIG. 6, as a result of exploring feature information that can become a busmark in obfuscated code, it was found that the overall hierarchy structure of AndroidManifest.xml and the name of the Intent component are not obfuscated. I did. The software bus mark refers to unique feature information that can identify software. The reason why the name of the intent component is not obfuscated is that the intent is information used to communicate between components or to communicate with other applications. In other words, if the intent is modified, the application may not run properly, so it is excluded from obfuscation. Accordingly, the feature extraction unit 120 of this embodiment extracts an intent component including an intent-filter in a lower tag from AndroidManifest.xml and uses it as feature information.

When parsing the intent component, the feature extractor 120 removes special characters such as periods, commas, and quotation marks, and extracts only the name of the class.

There are two types of intent components: explicit intent and implicit intent. An explicit intent means an intent in which the name of the component to be called is specified. For explicit intents, export="true" is specified at the end of the component tag. Implicit intent refers to an intent in which only the properties of the component to be called are listed and no specific component is specified.

The information extracted by the feature extractor 120 further includes a tag hierarchy of AndroidManifest.xml. The tag hierarchy refers to the structural characteristics of the upper tag and the lower tag included in the upper tag.

The feature extractor 120 extracts a tag hierarchy using features in which the relationship between the upper tag and the lower tag is expressed in indentation in AndroidManifest.xml. For example, a tag with no space at the tip is a first level tag, a tag with 2 spaces is a second level tag, a tag with 4 spaces is a third level tag, and a tag with 6 spaces is a fourth level The tag of and the tag with 8 spaces can be set as the fifth level tag. All the tags of the second level are located below the tags of the first level. The third level tag is located below the most recently disclosed second level tag.

Referring to FIG. 7, the tag hierarchy may be expressed in a sub tree structure. Each tag in the subtree constitutes a node. The first level tag is located on Level 1, and the second level tag is located on Level 2. In Level 3, the tag of the third level is located under the tag of the second level related.

The feature extractor 120 extracts the tag hierarchy from AndroidManifest.xml using a depth-first search (DFS) technique for the subtree.

Referring to FIG. 8, this embodiment further includes a conversion unit 140 for generating a string of an original app and a comparison app by using the feature of the tag hierarchy. The conversion unit 140 of this embodiment converted the first level tag (node) to 0BN, the second level tag to 2BN, and the third level tag to 4BN. For example, if the subtree disclosed in FIG. 8 is converted into a character string, it can be expressed as OBN2BN...2BN4BN6BN8BN6BN...4BN.

The conversion unit 140 adds the name of the intent component, that is, the Java class name, to a character position related to the intent component in the string of the tag hierarchy. For example, if one of the tags of the third level is an intent component, the name of the intent component is inserted between the string '4BN' representing the tag and the following string. AndroidManifest.xml of FIG. 7 includes'ArxivAppWidgetProvider' and'arXiv' as the names of intent components. The conversion unit 140 inserts'ArxivAppWidgetProvider' after the character corresponding to node A in the string, and inserts'arXiv' after the character corresponding to node B.

Referring to FIG. 9, when inserting the name of the intent component into a string, the conversion unit 140 converts the name of the intent component into a preset string length in order to prevent the length of the entire string from becoming irregular. .

The conversion unit 140 signs the name of the intent component with a hash function. The hash function can be one of MD5, SHA-1, SHA-2, and SHA-3. SHA-2 includes SHA-224, SHA-256, SHA-384, SHA-512, and more.

In the example of FIG. 9, the names of all intent components are converted into 65-character signatures using SHA-256.

Referring to FIG. 10, the comparison unit 160 compares the character string of the comparison app generated by the conversion unit 140 and the character string generated using the original app with a Longest Common Subsequence (LCS) algorithm. Calculate the similarity.

The longest common subsequence algorithm is calculated by dividing the length of the longest common string from the longest string length. The longest common subsequence algorithm does not detect the same character string even if the elements of two character strings are partially the same, if the order of the elements is not the same. At this time, the longest string length becomes the entire string of the original app, and the longest common string length becomes the longest string that is consecutively identical among the strings of the original app and the comparison app.

The comparison unit 160 compares only the hierarchical structure of tags that are not affected by obfuscation and the names of intent components that are not obfuscated, so that the comparison app including the original app is code obfuscated, renaming obfuscated, and control flow. Even if all obfuscation techniques including graph obfuscation and string obfuscation are applied, the similarity to the original app can be diagnosed very high.

Next, a method of extracting feature information of an Android app and comparing similarity in consideration of obfuscation according to an embodiment of the present invention will be described.

Referring to FIG. 11, in this embodiment, in this embodiment, the feature extractor 120 includes an intent including an intent-filter in a tag hierarchy and a lower tag in AndroidManifest.xml of the original app and the comparison app. A step of extracting a component (S120), and a step (S160) of comparing the information of the comparison app with the original app extracted by the feature extractor 120 by the comparison unit 160 (S160).

The feature extraction unit 120 uses a depth-first search (DFS) when extracting a tag hierarchy.

In addition, before step S160, the conversion unit 140 further includes a step (S142) of generating a string (String) of the original app and the comparison app by using the feature of the tag hierarchy.

The conversion unit 140 adds the name of the intent component to a character position related to the intent component in the string of the tag hierarchy (S144).

The conversion unit 140 converts the name of the intent component into a preset string length. For example, the name of the intent component can be signed with a hash function. At this time, the hash function may be one of MD5, SHA-1, SHA-2 (SHA-224, SHA-256, SHA-384, SHA-512), and SHA-3.

In step S160, the comparison unit calculates a similarity by comparing the character string of the comparison app generated by the conversion unit and the character string generated using the original app using a Longest Common Subsequence (LCS) algorithm.

The method of this embodiment may further include features of the embodiment of the apparatus 100 for extracting feature information of an Android app and comparing similarity in consideration of obfuscation described above.

Although the preferred embodiments of the present invention have been described above, the present invention can use various changes, modifications, and equivalents. It is clear that the present invention can be equally applied by appropriately modifying the above embodiments. Therefore, the above description does not limit the scope of the present invention determined by the limits of the following claims.

100: Android app feature information extraction and similarity comparison device
120: feature extraction unit 140: conversion unit
160: comparison unit

Claims (16)

A feature extractor for extracting an intent component including an intent-filter in a tag hierarchy and a lower tag in AndroidManifest.xml of the original app and the comparison app; And
And a comparison unit for calculating a similarity by comparing the information of the original app extracted by the feature extraction unit and the comparison app. The method of claim 1,
The feature extracting unit extracts the tag hierarchy using a depth-first search (DFS). Feature information extraction and similarity comparison device for an Android app, characterized in that. The method of claim 1,
An apparatus for extracting feature information and comparing similarity of an Android app, further comprising a conversion unit for generating a string of the original app and the comparison app by using the tag hierarchy feature. The method of claim 3,
And the conversion unit adds a name of the intent component to a character position related to the intent component in the string of the tag hierarchy. According to claim 4,
The device for extracting feature information and comparing similarity of an Android app, wherein the conversion unit converts the name of the intent component into a preset string length. The method of claim 5,
The conversion unit signature (signature) the name of the intent component with a hash function, the feature information extraction and similarity comparison device of an Android app, characterized in that. The method of claim 6,
The hash function is one of MD5, SHA-1, SHA-2 (SHA-224, SHA-256, SHA-384, SHA-512), and SHA-3 feature information extraction and similarity comparison of Android apps. Device. The method of claim 3,
The comparison unit calculates a similarity by comparing the character string of the comparison app generated by the conversion unit and the character string generated using the original app with a Longest Common Subsequence (LCS) algorithm. Feature information extraction and similarity comparison device. Extracting, by a feature extraction unit, an intent component including an intent-filter in a tag hierarchy and a lower tag from AndroidManifest.xml of the original app and the comparison app; And
And calculating a similarity by comparing the information of the original app and the comparison app extracted by the feature extracting unit by a comparison unit, and calculating a similarity. The method of claim 9,
The feature extracting unit extracts the tag hierarchy using a depth-first search (DFS). The method of claim 9, before the comparison unit calculating a similarity by comparing the information of the original app extracted from the feature extraction unit and the comparison app,
And generating, by a conversion unit, a string of the original app and the comparison app by using the feature of the tag hierarchy. The method of claim 11,
And the conversion unit adds a name of the intent component to a character position related to the intent component among the strings of the tag hierarchy. The method of claim 12,
The converting unit converts the name of the intent component into a preset string length, characterized in that the feature information extraction and similarity comparison method of an Android app. The method of claim 13,
The conversion unit signature (signature) the name of the intent component with a hash function, characterized in that the feature information extraction and similarity comparison method of an Android app. The method of claim 14,
The hash function is one of MD5, SHA-1, SHA-2 (SHA-224, SHA-256, SHA-384, SHA-512), and SHA-3 feature information extraction and similarity comparison of Android apps. Way. The method of claim 10,
The comparison unit calculates a similarity by comparing the character string of the comparison app generated by the conversion unit and the character string generated using the original app with a Longest Common Subsequence (LCS) algorithm. Feature information extraction and similarity comparison method.

Images