CISPA

Android decompiler performance on benign and malicious apps: an empirical study

journal contribution
posted on 2024-04-03, 12:56 authored by Ulf Kargén, Noah Mauthe, Nahid Shahmehri
Decompilers are indispensable tools in Android malware analysis and app security auditing. Numerous academic works also employ an Android decompiler as the first step in a program analysis pipeline. In such settings, decompilation is frequently regarded as a “solved” problem, in that it is simply expected that source code can be accurately recovered from an app. On the other hand, it is known that, e.g., obfuscation can negatively impact a decompiler’s effectiveness. Therefore, in order to better understand potential failure modes of, e.g., automated analysis pipelines involving decompilation, it is important to characterize the performance of decompilers on both benign and malicious apps. To this end, we have performed what is, to the best of our knowledge, the first large-scale study of Android decompilation failure rates, using three sets of apps; namely, 3,018 open-source apps, 13,601 apps crawled from Google Play, and an existing collection of 24,553 malware samples. In addition to the state-of-the-art Dalvik bytecode decompiler Jadx, we also studied the performance of three popular Java decompilers. Furthermore, this paper also presents the findings from a follow-up study on 54,945 malware apps, where we additionally performed an analysis of the reasons for decompilation failures. Our study revealed that decompilers generally have very low failure rates, and that few failures on benign apps appear to be related to obfuscation. On malware, however, obfuscation appears to be a more prominent cause of failures, although the vast majority of malicious apps could still be fully decompiled by an ensemble of decompilers.

Primary Research Area

  • Secure Connected and Mobile Systems

Journal

Empirical Software Engineering

Volume

28

Page Range

48-48

Publisher

Springer Nature

Open Access Type

  • Hybrid

Sub Type

  • Article

BibTeX

@article{Kargén:Mauthe:Shahmehri:2023,
  title = "Android decompiler performance on benign and malicious apps: an empirical study",
  author = "Kargén, Ulf and Mauthe, Noah and Shahmehri, Nahid",
  year = 2023,
  month = 2,
  journal = "Empirical Software Engineering",
  number = "2",
  pages = "48--48",
  publisher = "Springer Nature",
  issn = "1382-3256",
  doi = "10.1007/s10664-022-10281-9"
}
