Android application hardening method based on smali flow obfuscation
Technical field
The present invention relates to Android application hardening methods, and more particularly to an Android application hardening method based on smali flow obfuscation.
Background art
In the Internet era, as mobile smart terminals become increasingly popular and broadband develops at high speed, the Internet is present almost everywhere in our lives. However, terminal systems that are both open and flexible, and the potential information security problems in their applications, may affect users, bearer networks and other links, particularly through software reverse engineering. Reverse analysis can be used, without knowledge of an application's source code, to analyze the functional flow of the application and to tamper with its data and code. If reverse analysis is used maliciously and without restriction, a user can analyze and obtain the core technology of the application, tamper with the application's signature and author information, and inject malicious code into an existing application that is then disguised by repackaging. These behaviors greatly damage the interests of application developers, seriously compromise users' privacy and security, even threaten national security and social stability, and hinder healthy development.
In the Android system, an application written in the Java language is compiled into Java class files (.class format). Android does not run these .class files directly; it compiles them again into dex format, which the Android platform runs. The dex file is therefore the core of the application and an indispensable part of the installation package. However, a dex file is essentially Java bytecode and is easily decompiled into Java source code. If it has not been obfuscated, readable Java source code can easily be obtained by reverse engineering, and the core logic code of the Android application can then be stolen.
Code obfuscation is a technology that has developed and risen only in recent years. Systematic research on code obfuscation first appeared at the end of the 1990s, when the rapid development of the Java language set off a boom in obfuscation research. This is because Java object code, that is, bytecode, is easily decompiled into Java source code, which made it urgent to find methods that effectively protect bytecode. Most of the work in this field was done by Collberg, Thomborson, Low and Chenxi Wang.
Collberg gave the first detailed summary and classification of obfuscating transformations, and was also the first to propose evaluation criteria for the effectiveness and performance of obfuscating transformations. He divided obfuscating transformations into four classes: layout obfuscation, control obfuscation, data obfuscation and preventive obfuscation.
Chenxi Wang implemented several control obfuscation and data obfuscation transformations on C source code. Wang reported the performance overhead caused by the transformations and their effectiveness against the static analysis tools IBM NPIC tool and Rutgers PAF toolkit.
Hohl proposed protecting mobile agents with a time-limited black box method. Here the black box is simply the agent program after obfuscating transformation. Reverse engineering a mobile agent to the point of a meaningful discovery or modification takes a certain amount of time, and the time the mobile agent runs on the destination host is limited accordingly. Before a mobile agent is distributed it is obfuscated, which increases the cost of reverse engineering and so extends the time it can run on the destination host.
Cullen Linn studied object-code obfuscation from another angle: by analyzing the disassembly process, an obfuscation method is used that obstructs reverse engineering, so that obtaining the program's assembly instructions becomes extremely difficult or the instructions cannot be obtained correctly.
In summary, although existing work proposes some scrambling and obfuscation methods, they only increase the difficulty of reading reversed code and do not truly solve the problem of preventing reverse engineering.
Summary of the invention
To overcome the above deficiencies of the prior art, the present invention provides an Android application hardening method based on smali flow obfuscation. It uses AES, dynamic loading, JNI (Java Native Interface) programming, integrity checking and code obfuscation, and changes the loading flow of the Android application so that the hardened application is difficult to reverse, while ensuring that hardening does not affect the normal execution of the program. The aim is to protect copyright and to prevent others from plagiarizing the intellectual achievements in the software or deliberately tampering with it.
The technical solution provided by the present invention is:
An Android application hardening method, based on smali flow obfuscation, which uses encryption, dynamic loading, JNI programming, integrity checking and code obfuscation, and changes the loading flow of the Android application's source program so that the hardened application is difficult to reverse, while ensuring that hardening does not affect the normal execution of the program. It comprises the following steps:
1) before the real dex file of the Android application is dynamically loaded, encrypt the real dex file with the AES encryption algorithm, obtaining the encrypted dex file class.dex.jar;
2) write the so function libraries, performing the following operations:
21) write the decryption library decrytApp.so using JNI, placing the decryption function in the dynamic link library, for decrypting the encrypted dex file;
22) write the low-level core logic library Function.so using JNI, placing the core logic of the program in the dynamic link library;
3) write the pseudo smali file, used for the integrity check of the program and for dynamically loading the encrypted dex file class.dex.jar, thereby obfuscating the loading flow of the source program, performing the following operations:
31) carry out the integrity check of the source program;
32) dynamically load the encrypted real dex file class.dex.jar.
This completes the hardening of the Android application and achieves the purpose of protecting the application.
For the above Android application hardening method, further, the AES encryption algorithm of step 1) encrypts iteratively over multiple AES encryption rounds. Except for the last round, each AES encryption round comprises the following steps:
11) AddRoundKey: each byte of the plaintext block is XORed with the round key;
12) SubBytes: S-box transformation, replacing the bytes in the matrix by table lookup;
13) ShiftRow: the rows of the matrix are cyclically shifted;
14) MixColumns: a mixing transformation is applied to the columns of the matrix.
In an embodiment of the present invention, the key length of the AES encryption algorithm is set to 128 bits, with 10 rounds of iteration.
For the above Android application hardening method, further, step 2) specifically uses the Android NDK to write decrytApp.so and Function.so, comprising the following steps:
A) write the Java file, declaring the functions in the native file;
B) create the decryptApp.c file and write the decryption function;
C) write the JNI entry functions;
D) write the Android.mk file;
E) compile to generate the so libraries, including decrytApp.so and Function.so.
For the above Android application hardening method, further, in step 21) the decryption function is written in C or C++ and placed in the dynamic link library.
For the above Android application hardening method, further, the integrity check of the source program in step 31) comprises the following steps:
311) compute the checksum of the Android application and add a sentinel function to the application;
312) before the application formally runs, start the sentinel function first, recompute the checksum of the application, and compare it with the earlier checksum;
313) when the checksum recomputed in 312) is the same as the checksum in 311), the software is judged not to have been tampered with and continues to run; when the two differ, the software is judged to have been tampered with, i.e. the Android application has been repackaged, and it stops running.
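Steps 311) to 313), as an added example in C that is not code from the patent. The page does not name the checksum algorithm or say where the recorded value is kept; CRC-32, the 4-byte slot inside the image, and all function names are assumptions of this example, and the image is a constructed byte array.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { APP_INTACT = 0, APP_TAMPERED = 1 };

/* One CRC-32 step (reflected polynomial 0xEDB88320) over a single byte. */
static uint32_t crc32_step(uint32_t crc, uint8_t byte) {
    crc ^= byte;
    for (int k = 0; k < 8; k++)
        crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    return crc;
}

/* Checksum of the image with the 4-byte slot at slot_off read as zeros, so the
 * recorded value can live inside the image without changing the result. */
uint32_t image_checksum(const uint8_t *img, size_t len, size_t slot_off) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        int in_slot = (i >= slot_off && i < slot_off + 4);
        crc = crc32_step(crc, in_slot ? 0 : img[i]);
    }
    return ~crc;
}

/* Step 311: compute the checksum at build time and record it (little-endian). */
int seal_image(uint8_t *img, size_t len, size_t slot_off) {
    if (slot_off > len || len - slot_off < 4) return -1;
    uint32_t sum = image_checksum(img, len, slot_off);
    for (int i = 0; i < 4; i++) img[slot_off + i] = (uint8_t)(sum >> (8 * i));
    return 0;
}

/* Steps 312-313: the sentinel recomputes the checksum before the program
 * proper runs and compares it with the recorded one. An image too short to
 * hold the slot is treated as tampered. */
int sentinel_check(const uint8_t *img, size_t len, size_t slot_off) {
    if (slot_off > len || len - slot_off < 4) return APP_TAMPERED;
    uint32_t recorded = 0;
    for (int i = 0; i < 4; i++) recorded |= (uint32_t)img[slot_off + i] << (8 * i);
    return image_checksum(img, len, slot_off) == recorded ? APP_INTACT : APP_TAMPERED;
}

/* Constructed 64-byte stand-in for the application image, sealed with the slot
 * at offset 16. flip_at < 0 leaves it untouched; otherwise one bit of that
 * byte is flipped after sealing, as a repackaging change would do. */
int sentinel_demo(int flip_at) {
    uint8_t img[64];
    for (size_t i = 0; i < sizeof img; i++) img[i] = (uint8_t)(i * 7 + 3);
    seal_image(img, sizeof img, 16);
    if (flip_at >= 0 && (size_t)flip_at < sizeof img) img[flip_at] ^= 0x01;
    return sentinel_check(img, sizeof img, 16);
}

int main(void) {
    printf("untouched image : %s\n", sentinel_demo(-1) ? "tampered, stop" : "intact, run");
    printf("one bit flipped : %s\n", sentinel_demo(5) ? "tampered, stop" : "intact, run");
    return 0;
}
```

An unkeyed checksum stored next to the code it protects can be recomputed by whoever repackages the application, which is the reason the embodiment compares the signing certificate's publisher and keeps the reference value on a server or encrypted.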
Compared with the prior art, the beneficial effects of the present invention are:
The present invention provides an Android application hardening method based on smali flow obfuscation. It uses an encryption algorithm, dynamic loading, JNI programming, integrity checking and code obfuscation, and changes the loading flow of the source program so that the hardened application is difficult to reverse, while ensuring that hardening does not affect the normal execution of the program. The aim is to protect copyright and to prevent others from plagiarizing the intellectual achievements in the software or deliberately tampering with it. With the technical solution provided by the present invention, an Android application can therefore be effectively copyright-protected and prevented from being reversed or tampered with.
Description of the drawings
Fig. 1 is a flow block diagram of the Android application hardening method provided by the present invention.
Fig. 2 is a flow block diagram of the integrity check in the embodiment of the present invention.
Detailed description of the embodiments
The present invention is further described below through embodiments with reference to the accompanying drawings, without limiting the scope of the invention in any way.
The present invention provides an Android application hardening method based on smali flow obfuscation. It uses an encryption algorithm, dynamic loading, JNI programming, integrity checking and code obfuscation, and changes the loading flow of the source program so that the hardened application is difficult to reverse, while ensuring that hardening does not affect the normal execution of the program. The aim is to protect copyright and to prevent others from plagiarizing the intellectual achievements in the software or deliberately tampering with it.
As shown in Fig. 1, the class.dex file is the real dex file, which implements the main functions of the program; it is encrypted into the class.dex.jar file. The Function.so core library is a dynamic link library that provides the program's low-level core logic functions. decrytApp.so is mainly used to decrypt class.dex.jar.
The method writes a pseudo smali file, which is compiled into a pseudo dex file that is mainly responsible for the integrity check of the program and for dynamically loading class.dex.jar. If the program has not been tampered with, the decrypted dex file is loaded by dynamic loading; otherwise the dex file cannot be loaded.
The overall flow of the present invention is shown in Fig. 1 and comprises the following steps:
1) before the real dex file is dynamically loaded, encrypt the dex file with the classical AES (Advanced Encryption Standard) algorithm, obtaining the encrypted dex file;
The AES encryption algorithm encrypts iteratively over multiple AES encryption rounds. Except for the last round, each AES encryption round comprises the following four steps:
11) AddRoundKey: each byte in the matrix is XORed with the current round key;
12) SubBytes: using the S-box transformation, the bytes in the matrix are replaced by table lookup;
13) ShiftRow: the rows of the matrix are cyclically shifted;
14) MixColumns: a mixing transformation is applied to the columns of the matrix.
Therefore, when the AES algorithm is implemented, the four steps above can be abstracted into four functions: AddRoundKey(state), SubBytes(state), ShiftRow(state) and MixColumns(state), where state is the matrix.
2) write the so function libraries, performing the following operations:
A Java program is compiled into Java bytecode, and Java bytecode is easily reverse engineered. Code obfuscation can be used to increase the difficulty of reversing, but obfuscation cannot completely prevent reverse engineering. Important code can therefore be written in C/C++, using the fact that it is hard to reverse to protect the program's source code. In addition, code written in C/C++ does not need to be interpreted by the Dalvik virtual machine, so it runs more efficiently and can speed up the program when it performs complex tasks. The present invention therefore uses low-level link libraries written in C/C++ and calls these low-level dynamic link libraries from the upper-layer code using JNI.
21) write the decryption library decrytApp.so using JNI, for decrypting the encrypted dex file;
In the present invention the function that decrypts class.dex.jar is written in C/C++ and finally compiled into decrytApp.so. The decryption function is placed in a dynamic link library because, if the decryption logic were written directly in a Java file, an attacker could obtain the decryption code by decompiling and so learn the decryption method.
22) write the low-level core logic library Function.so using JNI;
The Function.so library holds the low-level core code of the application and is the key point of the whole application. Writing the core logic of the program in a dynamic link library protects important algorithms, core technology and the like from being stolen by reverse engineering. In the hardening scheme of the present invention, the core logic is therefore written in Function.so to defend against decompilation.
3) write the pseudo smali file; the pseudo smali is mainly responsible for the integrity check of the program and for dynamically loading class.dex.jar, which obfuscates the loading flow of the source program, performing the following operations:
31) carry out the integrity check of the source program; the concrete steps are shown in Fig. 2;
An integrity check is a technique for preventing software from being tampered with. The main mechanism is to compute the checksum of the application in advance and add a sentinel function to the program. Before the program formally runs, the sentinel function is started first; it recomputes the checksum of the application and compares it with the earlier checksum. If the two are the same, the software is judged not to have been tampered with and continues to run; if they differ, the software is considered to have been tampered with and terminates immediately.
An integrity check can reliably detect whether an Android application has been repackaged. For any apk file, even if only a single bit has been altered, the computed checksum will differ. An integrity check can therefore effectively prevent attacks such as inserting malicious code or embedded advertising into the application.
32) dynamically load class.dex.jar;
The main body of the program's code is all in the real dex file, and this dex file is not one that needs to run when the program starts, so it can be encrypted to generate class.dex.jar, which is then loaded dynamically. An encrypted file is highly secure; without the key, an attacker can hardly crack the file. The attacker therefore cannot directly reverse-analyze the encrypted code, which achieves the purpose of protecting the application.
The present invention is further described below by way of example.
Embodiment:
AES algorithm:
The key length of the AES algorithm is flexible and can be any of 128, 192 and 256 bits. Different key lengths correspond to different numbers of AES rounds: a 128-bit key usually needs 10 rounds, a 192-bit key 12 rounds, and a 256-bit key 14 rounds. In general, the more rounds, the harder the cipher is to crack, but the longer the computation takes. Because the present invention is based on the Android platform, whose memory and processing power are both very limited, the key length should not be too long. Moreover, when the AES algorithm was first established, 6 rounds of iteration were enough to resist all attacks known in the world at that time. In the present invention the key length of the AES algorithm is therefore set to 128 bits.
The AES algorithm needs 10 rounds of iteration in total, and each round consists of four steps, so the encryption/decryption process can be implemented in C as follows.
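The round structure described above (a 128-bit key, 10 rounds, the four functions AddRoundKey, SubBytes, ShiftRow and MixColumns, no MixColumns in the last round), as an added example in C that is not code from the patent. It encrypts one 16-byte block and checks itself against the FIPS-197 Appendix C.1 vector; KeyExpansion, the other helper names, and computing the S-box at start-up are assumptions of this example, and the page does not say which mode of operation is applied to the dex file.

```c
/* Added example (not from the patent): AES-128 encryption of one block. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint8_t sbox[256];

/* Multiply by 2 in GF(2^8), reduced by the AES polynomial 0x11b. */
static uint8_t xtime(uint8_t a) { return (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1b : 0)); }
/* General GF(2^8) multiplication by shift-and-add. */
static uint8_t gmul(uint8_t a, uint8_t b) {
    uint8_t r = 0;
    for (; b; b >>= 1, a = xtime(a)) if (b & 1) r ^= a;
    return r;
}
/* S-box: multiplicative inverse (0 maps to 0), then the affine transform. */
static void init_sbox(void) {
    for (int a = 0; a < 256; a++) {
        uint8_t inv = 0;
        for (int b = 1; a && b < 256; b++)
            if (gmul((uint8_t)a, (uint8_t)b) == 1) { inv = (uint8_t)b; break; }
        uint8_t s = inv;
        for (int i = 1; i <= 4; i++) s ^= (uint8_t)((inv << i) | (inv >> (8 - i)));
        sbox[a] = s ^ 0x63;
    }
}
/* Expand the 16-byte key into 11 round keys (176 bytes). */
static void KeyExpansion(const uint8_t key[16], uint8_t rk[176]) {
    uint8_t rcon = 1;
    memcpy(rk, key, 16);
    for (int i = 16; i < 176; i += 4) {
        uint8_t t[4];
        memcpy(t, rk + i - 4, 4);
        if (i % 16 == 0) {            /* first word of a round key: RotWord, SubWord, Rcon */
            uint8_t t0 = t[0];
            t[0] = sbox[t[1]] ^ rcon; t[1] = sbox[t[2]]; t[2] = sbox[t[3]]; t[3] = sbox[t0];
            rcon = xtime(rcon);
        }
        for (int j = 0; j < 4; j++) rk[i + j] = rk[i + j - 16] ^ t[j];
    }
}

static void AddRoundKey(uint8_t s[16], const uint8_t *rk) { for (int i = 0; i < 16; i++) s[i] ^= rk[i]; }
static void SubBytes(uint8_t s[16]) { for (int i = 0; i < 16; i++) s[i] = sbox[s[i]]; }
/* Row r of the column-major state is rotated left by r positions. */
static void ShiftRow(uint8_t s[16]) {
    uint8_t t[16];
    memcpy(t, s, 16);
    for (int r = 0; r < 4; r++)
        for (int c = 0; c < 4; c++) s[r + 4 * c] = t[r + 4 * ((c + r) % 4)];
}
/* Each column is multiplied by the circulant matrix with first row (2 3 1 1). */
static void MixColumns(uint8_t s[16]) {
    for (int c = 0; c < 4; c++) {
        uint8_t *a = s + 4 * c;
        uint8_t a0 = a[0], a1 = a[1], a2 = a[2], a3 = a[3];
        a[0] = gmul(a0, 2) ^ gmul(a1, 3) ^ a2 ^ a3;
        a[1] = a0 ^ gmul(a1, 2) ^ gmul(a2, 3) ^ a3;
        a[2] = a0 ^ a1 ^ gmul(a2, 2) ^ gmul(a3, 3);
        a[3] = gmul(a0, 3) ^ a1 ^ a2 ^ gmul(a3, 2);
    }
}

/* 128-bit key, 10 rounds; the last round skips MixColumns. */
void aes128_encrypt_block(const uint8_t key[16], const uint8_t in[16], uint8_t out[16]) {
    uint8_t rk[176], s[16];
    init_sbox();
    KeyExpansion(key, rk);
    memcpy(s, in, 16);
    AddRoundKey(s, rk);               /* round key 0 is applied before round 1 */
    for (int round = 1; round <= 10; round++) {
        SubBytes(s);
        ShiftRow(s);
        if (round != 10) MixColumns(s);
        AddRoundKey(s, rk + 16 * round);
    }
    memcpy(out, s, 16);
}

/* Returns 1 when the FIPS-197 Appendix C.1 known-answer vector is reproduced. */
int aes128_selftest(void) {
    static const uint8_t expect[16] = {0x69,0xc4,0xe0,0xd8,0x6a,0x7b,0x04,0x30,
                                       0xd8,0xcd,0xb7,0x80,0x70,0xb4,0xc5,0x5a};
    uint8_t key[16], pt[16], ct[16];
    for (int i = 0; i < 16; i++) { key[i] = (uint8_t)i; pt[i] = (uint8_t)(i * 0x11); }
    aes128_encrypt_block(key, pt, ct);
    return memcmp(ct, expect, 16) == 0;
}
int main(void) { puts(aes128_selftest() ? "KAT pass" : "KAT FAIL"); return 0; }
```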
(1) encrypt
(2) decrypt
The Android system supports NDK (Native Development Kit) programming. The present invention uses JNI programming to write the decryption function in the dynamic link library decryptApp.so, and the dex file is decrypted dynamically when the program runs. This improves the efficiency of decryption and uses the characteristics of the C language to ensure the security of the decryption process.
so function libraries:
The general procedure for developing decrytApp.so and Function.so with the Android NDK is as follows:
1. Write the Java file, declaring the functions in the native file (taking the decrytApp.so library as an example)
System.loadLibrary("decrytApp"); // load the dynamic link library decrytApp.so
native boolean jnicheckApp(); // declare the native function corresponding to decrytApp.c
2. Create the decryptApp.c file and write the decryption function
Declare the following function in the file. Its purpose is to decrypt class.dex.jar. According to the rules for JNI calls in the Android system, the function name must correspond to the function name in the Java file:
JNIEXPORT jboolean JNICALL Java_com_bupt_testjni_decrytAppJnicheckApp(JNIEnv *env, jobject this) { }
3. Write the JNI entry functions
JNI_OnLoad() and JNI_OnUnload() are the entry functions of the dynamic link library. When the Dalvik virtual machine executes System.loadLibrary(), it first runs the entry function in the C file, which tells the Dalvik virtual machine which JNI version to use; if the dynamic link library has no entry function, the virtual machine defaults to the oldest version, JNI 1.1. Some initialization also needs to be done in the entry function. The form of the JNI_OnLoad function is as follows:
4. Write the Android.mk file
The Android.mk file describes the project's native sources to the NDK build system, mainly passing the following parameters:
# project path
LOCAL_PATH := $(call my-dir)/project
# name of the native C file
LOCAL_SRC_FILES := decrytApp.c
# name of the dynamic link library to build
LOCAL_MODULE := decrytApp
5. Compile to generate the so library
Run the NDK build script in the project directory to compile the native C/C++ code. The build script "ndk-build" is in the root directory of the NDK folder, so its path must be specified when it is run. When it finishes, the decrytApp.so library is generated in the project's libs directory.
6. Compile and package the application
Finally, as when compiling an ordinary application, compile the project with the tools in the SDK. The SDK build tools package the so library into the application's apk file, after which the application can run normally.
With NDK programming, important code can be stored in C/C++ dynamic link libraries, and the low-level so libraries are then called from Java code using JNI. This both implements the application's functions and avoids the risk that code written in Java is easily reversed, so it is an indirect form of software protection. In addition, writing important code in so libraries increases code reusability: next time, in another application, the ready-made so library can be imported directly, saving the trouble of developing it again.
Integrity check:
The application signing mechanism provided by the Android system is essentially a kind of integrity check. Moreover, the Android system requires that every application installed on an Android device be signed. The application signing mechanism can therefore be used to implement the integrity check.
A digital signature needs a digital certificate, but this certificate does not need to be certified by an authoritative certificate authority; it is only used to let the application package certify itself, so the signing tools shipped with the Android SDK, keytool and signapk, can be used to sign the application. The digital certificate is used to identify the author of the application and to establish trust relationships between Android applications. The private key of the digital certificate is kept by the program's developer, and the public key is packaged in the apk with the application.
Because the digital certificate is generated by the developer, the identity of the software publisher can only be held by the developer and is unique. Others who do not have the developer's key cannot produce the same digital certificate as the developer. The developer can therefore add a check of the publisher's identity to the program: before the program really runs, it verifies the publisher of the program; if the publisher matches, the program continues to run, and if not, the program stops.
Using the integrity check that compares publisher identity, the steps for judging whether an application has been tampered with are shown in Fig. 2:
1) obtain the signature of the application
Android provides a method for obtaining an application's signature information: calling the getPackageInfo(packageName, PackageManager.GET_SIGNATURES) method of PackageManager returns the signature information of the application. The core code is as follows:
PackageInfo pInfo = this.getPackageManager().getPackageInfo(packageName, PackageManager.GET_SIGNATURES);
Signature[] signs = pInfo.signatures;
Signature sign = signs[0];
What is stored in sign is the signature information of the application.
2) obtain the publisher information of the application's signing certificate;
When publishing an application, the author always signs it. The certificate used for signing is generated locally by the author with keytool, so the publisher of the certificate is the author. If the program is repackaged and recompiled, the certificate used for the second signing is the attacker's certificate, and the publisher of the certificate becomes the attacker. Whether the application has been repackaged can therefore be judged by comparing the publisher of the certificate.
The publisher of the certificate therefore has to be obtained. The core code is as follows:
CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
X509Certificate cert = (X509Certificate) certFactory.generateCertificate(new ByteArrayInputStream(sign.toByteArray()));
String issuer = cert.getIssuerDN().toString();
issuer is the publisher of the digital certificate.
3) obtain the publisher information of the application's original certificate, compare the information of the two publishers, and judge whether the application has been repackaged;
The issuer information of the original certificate could be saved in a file as a string. But this carries a security risk: it may be found by an attacker and changed to information the attacker has constructed. Therefore, the issuer information of the original certificate is obtained from the server in real time, or it is encrypted and the ciphertext is stored locally and decrypted first when the comparison is needed.
Compare the information of the two publishers: the publisher of the certificate carried by the current application is compared with the official publisher, and the result determines whether the application has been repackaged. If the two differ, the current application is judged to have been modified, and the sentinel function stops the program.
Dynamically loading the dex file and obtaining the classes in it:
The Dalvik virtual machine differs from the standard Java virtual machine: the standard Java virtual machine runs Java bytecode, whereas the Dalvik virtual machine runs converted Dalvik bytecode, i.e. files in .dex format. Classes therefore cannot be loaded dynamically through Java's ClassLoader directly, as they can in a standard Java virtual machine. The Dalvik virtual machine implements dynamic class loading through two classes, DexClassLoader and PathClassLoader.
The dynamic loading process is roughly as follows:
1) obtain the encrypted dex file to be loaded. The dex file can be stored on the SD card, downloaded from the server, or packaged in the application as a resource file.
2) run the pseudo program and decrypt the dex file.
3) use DexClassLoader to dynamically load the program's decrypted dex file.
4) obtain instances of the classes through the Java reflection mechanism.
Example code for dynamically loading classes is as follows:
(1) dynamic load code
(2) calls tool class is reflected
Through the above steps, the program dynamically loads the dex file at run time, obtains the classes in it, and then executes the main body of the program's code.
It should be noted that the purpose of publishing the embodiments is to help further understand the present invention, but those skilled in the art will understand that various substitutions and modifications are possible without departing from the spirit and scope of the present invention and the appended claims. The present invention should therefore not be limited to what the embodiments disclose, and the scope of protection claimed is the scope defined by the claims.