You Shall not Repackage! A Journey into the World of Anti-Repackaging on Android
App repackaging refers to the practice of customizing an existing mobile app and redistributing it in the wild. In this way, the attacker aims to force some mobile users to install the repackaged (likely malicious) app instead of the original one. This phenomenon strongly affects Android, where apps are available on public stores, and the only requirement for an app to execute properly is to be digitally signed. Anti-repackaging techniques try counteracting this attack by adding logical controls in the app at compile-time. Such controls activate in case of repackaging and lead the repackaged app to fail at runtime. On the other side, the attacker must detect and bypass the controls to repackage safely. The high-availability of working repackaged apps in the Android ecosystem suggests that the attacker's side is winning. In this respect, this paper aims at bringing out the main issues of the current approaches to anti-repackaging. More in detail, the contribution of the paper is three-fold: 1) analyze the weaknesses of the current state-of-the-art, 2) summarize the main attack vectors to anti-repackaging, 3) show how such attack vectors allow circumventing the current proposals. The paper will also show a full-fledged attack to the only publicly-available anti-repackaging tool to date.
READ FULL TEXT