A Large Scale Investigation of Obfuscation Use in Google Play
Android applications are frequently plagiarized or maliciously repackaged, and software obfuscation is a popular protection against these practices. In this study, we present the first comprehensive analysis of the use and challenges of software obfuscation in Android applications. We surveyed 308 Google Play developers about their experiences with obfuscation, finding that the free ProGuard software is by far the most commonly used obfuscation tool. With this insight, we analyzed 1.7 million Android apps from Google Play, finding that only 24.9 is surprising, given that the most common integrated development environment for Android, Android Studio, includes ProGuard by default. We investigated root causes of this low rate of obfuscation in an in-depth study with 79 Google Play developers, assessing their experiences with obfuscation and asking them to obfuscate a sample app using ProGuard. We found that while developers feel that apps in general are at risk of malicious repackaging or plagiarism, they do not fear theft of their own intellectual property. Developers also report difficulties applying obfuscation for their own apps, which was substantiated when they demonstrated problems with all but the most basic configurations to obfuscate our sample app. Our findings indicate that more work is needed to make the application of obfuscation more usable and to educate developers on the risk of their apps being reverse engineered, their intellectual property stolen and their apps being repackaged and redistributed as malware.