Bradley Reaves scite author profile

Android applications are frequently plagiarized or repackaged, and software obfuscation is a recommended protection against these practices. However, there is very little data on the overall rates of app obfuscation, the techniques used, or factors that lead to developers to choose to obfuscate their apps. In this paper, we present the first comprehensive analysis of the use of and challenges to software obfuscation in Android applications. We analyzed 1.7 million free Android apps from Google Play to detect various obfuscation techniques, finding that only 24.92% of apps are obfuscated by the developer. To better understand this rate of obfuscation, we surveyed 308 Google Play developers about their experiences and attitudes about obfuscation. We found that while developers feel that apps in general are at risk of plagiarism, they do not fear theft of their own apps. Developers also self-report difficulties applying obfuscation for their own apps. To better understand this, we conducted a follow-up study where the vast majority of 70 participants failed to obfuscate a realistic sample app even while many mistakenly believed they had been successful. Our findings show that more work is needed to make obfuscation tools more usable, to educate developers on the risk of their apps being reverse engineered, their intellectual property stolen, their apps being repackaged and redistributed as malware and to improve the health of the overall Android ecosystem.

show abstract

Mo(bile) Money, Mo(bile) Problems

Reaves

Bowers

Scaife

et al. 2017

ACM Trans. Priv. Secur.

View full text Add to dashboard Cite

Mobile money, also known as branchless banking, leverages ubiquitous cellular networks to bring much-needed financial services to the unbanked in the developing world. These services are often deployed as smartphone apps, and although marketed as secure, these applications are often not regulated as strictly as traditional banks, leaving doubt about the truth of such claims. In this article, we evaluate these claims and perform the first in-depth measurement analysis of branchless banking applications. We first perform an automated analysis of all 46 known Android mobile money apps across the 246 known mobile money providers from 2015. We then perform a comprehensive manual teardown of the registration, login, and transaction procedures of a diverse 15% of these apps. We uncover pervasive vulnerabilities spanning botched certification validation, do-it-yourself cryptography, and other forms of information leakage that allow an attacker to impersonate legitimate users, modify transactions, and steal financial records. These findings show that the majority of these apps fail to provide the protections needed by financial services. In an expanded re-evaluation one year later, we find that these systems have only marginally improved their security. Additionally, we document our experiences working in this sector for future researchers and provide recommendations to improve the security of this critical ecosystem. Finally, through inspection of providers’ terms of service, we also discover that liability for these problems unfairly rests on the shoulders of the customer, threatening to erode trust in branchless banking and hinder efforts for global financial inclusion.

show abstract

Engineering future cyber-physical energy systems: Challenges, research needs, and roadmap

Morris

Srivastava

Reaves

et al. 2009

View full text Add to dashboard Cite

How Bad Can It Git? Characterizing Secret Leakage in Public GitHub Repositories

Meli

McNiece

Reaves

2019

View full text Add to dashboard Cite

GitHub and similar platforms have made public collaborative development of software commonplace. However, a problem arises when this public code must manage authentication secrets, such as API keys or cryptographic secrets. These secrets must be kept private for security, yet common development practices like adding these secrets to code make accidental leakage frequent. In this paper, we present the first large-scale and longitudinal analysis of secret leakage on GitHub. We examine billions of files collected using two complementary approaches: a nearly six-month scan of real-time public GitHub commits and a public snapshot covering 13% of open-source repositories. We focus on private key files and 11 high-impact platforms with distinctive API key formats. This focus allows us to develop conservative detection techniques that we manually and automatically evaluate to ensure accurate results. We find that not only is secret leakage pervasive-affecting over 100,000 repositories-but that thousands of new, unique secrets are leaked every day. We also use our data to explore possible root causes of leakage and to evaluate potential mitigation strategies. This work shows that secret leakage on public repository platforms is rampant and far from a solved problem, placing developers and services at persistent risk of compromise and abuse.

show abstract

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

customersupport@researchsolutions.com

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Bradley Reaves

A control system testbed to validate critical infrastructure protection concepts

A Large Scale Investigation of Obfuscation Use in Google Play

Mo(bile) Money, Mo(bile) Problems

Engineering future cyber-physical energy systems: Challenges, research needs, and roadmap

How Bad Can It Git? Characterizing Secret Leakage in Public GitHub Repositories

Contact Info

Product

Resources

About