14-829: Mobile and IoT Security

14-829 / 18-638: Mobile and IoT Security - Fall 2021

Lab 4: Exploring Android App Protections

Due: Oct 1

Description: As a continuation of understanding the app security landscape in the role of the security analyst, your task in this assignment is to study the mechanisms that developers use to protect their Android app code and resources. This lab expands upon the previous lab by asking you to additionally study the ways that developers leverage code obfuscation and other app protection tools, and to gain hands-on experience with their counterpart analysis tools.

Tasks:
  1. Identify and collect suitable apps to analyze - Identify at least two (2) mobile apps that were excluded from your initial security analysis in Lab 3 because of their use of obfuscation, packing, or other protection mechanisms. Make sure that the apps include interesting and potentially sensitive functionality, and again please choose apps that have reasonable install numbers.
  2. Try to analyze your protected apps - Use any available deobfuscation and unpacking tools to try to recover source code and other .apk resources. It is not necessary this time to go on and analyze the application code further, as the goal here is simply to recover the hidden content. However, feel free to analyze the apps further if you wish.
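Before reaching for unpacking tools, it helps to record which protections an app shows. The script below is an added example (not part of the lab handout or any course tool) that scores two common indicators: ProGuard/R8-style class renaming, judged from a DEX class list, and packer artifacts, judged from the APK entry list. The packer library names and the 50% renaming threshold are assumptions chosen for illustration, and the sample inputs are constructed rather than taken from a real app.

```python
"""Heuristics for spotting Android app protections before deeper analysis."""
import re

# Native libraries commonly associated with commercial packers in public
# packer-detection write-ups (assumption: illustrative, not exhaustive).
PACKER_LIBS = {
    "libjiagu.so": "360 Jiagu",
    "libsecexe.so": "Bangcle",
    "libDexHelper.so": "Bangcle",
    "libshella": "Tencent Legu",  # prefix match, e.g. libshella-<ver>.so
}
# ProGuard/R8 default renaming produces simple names such as a, b, aa, ab.
RENAMED = re.compile(r"^[a-z]{1,2}$")


def renamed_ratio(class_names):
    """Fraction of classes whose simple name looks ProGuard/R8-renamed."""
    if not class_names:
        return 0.0
    short = sum(1 for c in class_names if RENAMED.match(c.rsplit(".", 1)[-1]))
    return short / len(class_names)


def packer_indicators(entries):
    """Return (entry, reason) pairs hinting at packing or runtime code loading."""
    hits = []
    for entry in entries:
        base = entry.rsplit("/", 1)[-1]
        for lib, vendor in PACKER_LIBS.items():
            if base == lib or base.startswith(lib):
                hits.append((entry, f"native packer library ({vendor})"))
        # Code payloads under assets/ suggest a stub that loads DEX at runtime.
        if entry.startswith("assets/") and base.endswith((".dex", ".jar", ".zip")):
            hits.append((entry, "secondary code payload in assets"))
    return hits


def assess(entries, class_names, threshold=0.5):
    """Summarise both indicators; threshold is an assumed cut-off."""
    ratio = renamed_ratio(class_names)
    hits = packer_indicators(entries)
    return {"renamed_ratio": round(ratio, 2), "obfuscated": ratio >= threshold,
            "packed": bool(hits), "indicators": hits}


SAMPLE_ENTRIES = [  # constructed APK listing, as `unzip -l app.apk` would show
    "AndroidManifest.xml", "classes.dex", "lib/arm64-v8a/libjiagu.so",
    "lib/arm64-v8a/libnative-lib.so", "assets/fonts/Roboto.ttf",
    "assets/data/payload.dex",
]
SAMPLE_CLASSES = [  # constructed DEX class list, as a decompiler would print
    "com.example.app.MainActivity", "a.a", "a.b", "b.a.c",
    "com.example.app.R", "android.support.v4.app.Fragment",
]

if __name__ == "__main__":
    print(assess(SAMPLE_ENTRIES, SAMPLE_CLASSES))
```

A high renamed ratio on its own is routine for release builds; the combination with a packer library and a DEX payload in assets is what marks an app for the unpacking step of Task 2.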
Deliverables and Submission: Prepare a written summary of your efforts and responses for the above tasks. The summary report should include:
  • A brief description of each app you studied, how you determined what protections were in place, and what tools you used to attempt to recover source code and resources.
  • A detailed description of your results, including what you were able to recover and any other interesting findings.
  • Suitable images or other artifacts to demonstrate that you accomplished the goals of each task. Beyond screenshots of tools, this would include a summary of tool outputs and any approaches that were unsuccessful.
This summary should be formatted in an easy-to-read way, using font size 10 or greater, and submitted as a .pdf document.

Grading: This lab is worth 10 points, with 2 points allocated to the description of your app collection and analysis efforts, 6 points for describing and illustrating your findings, and 2 points for demonstrating use and output of relevant analysis tools. We reserve the right to take off points for unreadable reports, poor writing, missing details, inappropriate content, etc.