{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T04:09:20Z","timestamp":1750219760712,"version":"3.41.0"},"reference-count":40,"publisher":"Association for Computing Machinery (ACM)","issue":"2","license":[{"start":{"date-parts":[[2023,6,30]],"date-time":"2023-06-30T00:00:00Z","timestamp":1688083200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Digital Threats"],"published-print":{"date-parts":[[2023,6,30]]},"abstract":"\n Analyzing Android applications is essential to review proprietary code and to understand malware behaviors. However, Android applications use obfuscation techniques to slow down this process. These obfuscation techniques are increasingly based on native code. In this article, we propose\n OATs\u2019inside<\/jats:italic>\n , a new analysis tool that focuses on high-level behaviors to circumvent native obfuscation techniques transparently. The targeted high-level behaviors are object-level behaviors, i.e., actions performed on Java objects (e.g., field accesses, method calls), regardless of whether these actions are performed using Java or native code. Our system uses a hybrid approach based on dynamic monitoring and trace-based symbolic execution to output control flow graphs (CFGs), 27 pages. for each method of the analyzed application. CFGs are composed of Java-like actions enriched with condition expressions and dataflows between actions, giving an understandable representation of any code, even those fully native.\n OATs\u2019inside<\/jats:italic>\n spares users the need to dive into low-level instructions, which are difficult to reverse engineer. We extensively compare\n OATs\u2019inside<\/jats:italic>\n functionalities against state-of-the-art tools to highlight the benefit when observing native operations. Our experiments are conducted on a real smartphone: We discuss the performance impact of\n OATs\u2019inside<\/jats:italic>\n , and we demonstrate its practical use on applications containing anti-debugging techniques provided by the OWASP foundation. We also evaluate the robustness of\n OATs\u2019inside<\/jats:italic>\n using obfuscated unit tests using the Tigress obfuscator.\n <\/jats:p>","DOI":"10.1145\/3584975","type":"journal-article","created":{"date-parts":[[2023,2,23]],"date-time":"2023-02-23T00:25:16Z","timestamp":1677111916000},"page":"1-27","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["OATs\u2019inside<\/i>\n : Retrieving Object Behaviors From Native-based Obfuscated Android Applications"],"prefix":"10.1145","volume":"4","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-6126-3934","authenticated-orcid":false,"given":"Pierre","family":"Graux","sequence":"first","affiliation":[{"name":"Univ. Lille, CNRS, Centrale Lille, UMR 9189 CRIStAL, France"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4984-2199","authenticated-orcid":false,"given":"Jean-Fran\u00e7ois","family":"Lalande","sequence":"additional","affiliation":[{"name":"CentraleSup\u00e9lec, Inria, CNRS, University of Rennes, IRISA, France"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4838-2952","authenticated-orcid":false,"given":"Val\u00e9rie","family":"Viet Triem Tong","sequence":"additional","affiliation":[{"name":"CentraleSup\u00e9lec, Inria, CNRS, University of Rennes, IRISA, France"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9681-644X","authenticated-orcid":false,"given":"Pierre","family":"Wilke","sequence":"additional","affiliation":[{"name":"CentraleSup\u00e9lec, Inria, CNRS, University of Rennes, IRISA, France"}]}],"member":"320","published-online":{"date-parts":[[2023,8,10]]},"reference":[{"key":"e_1_3_2_2_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23384"},{"key":"e_1_3_2_3_2","unstructured":"Android. 2018. Dalvik Executable Format . Retrieved from https:\/\/source.android.com\/devices\/tech\/dalvik\/dex-format."},{"key":"e_1_3_2_4_2","unstructured":"Android. 2019. Dalvik Bytecode . Retrieved from https:\/\/source.android.com\/devices\/tech\/dalvik\/dalvik-bytecode."},{"key":"e_1_3_2_5_2","unstructured":"ARM. 2017. ARM Architecture Reference Manual: ARMv8 for ARMv8-A Architecture Profile ."},{"key":"e_1_3_2_6_2","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2017.43"},{"key":"e_1_3_2_7_2","doi-asserted-by":"publisher","DOI":"10.1145\/3182657"},{"key":"e_1_3_2_8_2","doi-asserted-by":"publisher","DOI":"10.1145\/2991079.2991114"},{"key":"e_1_3_2_9_2","doi-asserted-by":"publisher","DOI":"10.1109\/TrustCom\/BigDataSE.2018.00093"},{"key":"e_1_3_2_10_2","doi-asserted-by":"publisher","DOI":"10.1145\/6041.6042"},{"key":"e_1_3_2_11_2","unstructured":"Christian Collberg Sam Martin Jonathan Myers Bill Zimmerman Petr Krajca Gabriel Kerneis Saumya Debray and Babak Yadegari. [n. d.]. The Tigress C Diversifier\/Obfuscator. Retrieved from https:\/\/tigress.wtf\/."},{"key":"e_1_3_2_12_2","volume-title":"Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection","author":"Collberg Christian","year":"2009","unstructured":"Christian Collberg and Jasvir Nagra. 2009. Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection. Number 1. Addison-Wesley Professional."},{"key":"e_1_3_2_13_2","first-page":"20","volume-title":"Proceedings of the International Workshop on Innovations in Mobile Privacy and Security Co-located with the International Symposium on Engineering Secure Software and Systems","author":"Costamagna Valerio","year":"2016","unstructured":"Valerio Costamagna and Cong Zheng. 2016. ARTDroid: A virtual-method hooking framework on android ART runtime. In Proceedings of the International Workshop on Innovations in Mobile Privacy and Security Co-located with the International Symposium on Engineering Secure Software and Systems. CEUR Workshop Proceedings, 20\u201328."},{"key":"e_1_3_2_14_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23296"},{"key":"e_1_3_2_15_2","doi-asserted-by":"publisher","DOI":"10.1145\/2619091"},{"key":"e_1_3_2_16_2","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSPW51379.2020.00089"},{"key":"e_1_3_2_17_2","first-page":"11","volume-title":"Proceedings of the Python in Science Conference","author":"Hagberg Aric","year":"2008","unstructured":"Aric Hagberg, Pieter Swart, and Daniel Chult. 2008. Exploring network structure, dynamics, and function using NetworkX. In Proceedings of the Python in Science Conference. 11\u201316."},{"key":"e_1_3_2_18_2","doi-asserted-by":"publisher","DOI":"10.1145\/2046707.2046780"},{"key":"e_1_3_2_19_2","doi-asserted-by":"publisher","DOI":"10.1109\/IWCMC.2015.7289149"},{"key":"e_1_3_2_20_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-03638-6_4"},{"key":"e_1_3_2_21_2","doi-asserted-by":"publisher","DOI":"10.1109\/MobServ.2016.39"},{"key":"e_1_3_2_22_2","article-title":"Understanding and managing polymorphic viruses","volume":"30","author":"Nachenberg Carey","year":"1996","unstructured":"Carey Nachenberg. 1996. Understanding and managing polymorphic viruses. The Symantec Enterprise Papers 30 (1996).","journal-title":"The Symantec Enterprise Papers"},{"key":"e_1_3_2_23_2","doi-asserted-by":"publisher","DOI":"10.1145\/1250734.1250746"},{"key":"e_1_3_2_24_2","doi-asserted-by":"publisher","DOI":"10.1145\/2592791.2592796"},{"key":"e_1_3_2_25_2","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2014.30"},{"key":"e_1_3_2_26_2","doi-asserted-by":"publisher","DOI":"10.1145\/3210240.3210321"},{"key":"e_1_3_2_27_2","volume-title":"Proceedings of the USENIX Workshop on Offensive Technologies","author":"Rolles Rolf","year":"2009","unstructured":"Rolf Rolles. 2009. Unpacking virtualization obfuscators. In Proceedings of the USENIX Workshop on Offensive Technologies. USENIX, Montreal, Canada."},{"key":"e_1_3_2_28_2","volume-title":"Proceedings of the Black Hat Asia","author":"Sabanal Paul","year":"2015","unstructured":"Paul Sabanal. 2015. Hiding behind ART. In Proceedings of the Black Hat Asia."},{"key":"e_1_3_2_29_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.17"},{"issue":"4","key":"e_1_3_2_30_2","article-title":"Evolution of processor architecture in mobile phones","volume":"90","author":"Singh Mahendra Pratap","year":"2014","unstructured":"Mahendra Pratap Singh and Manoj Kumar Jain. 2014. Evolution of processor architecture in mobile phones. Int. J. Comput. Appl. 90, 4 (March2014).","journal-title":"Int. J. Comput. Appl."},{"key":"e_1_3_2_31_2","doi-asserted-by":"publisher","DOI":"10.1109\/DASC\/PiCom\/DataCom\/CyberSciTec.2018.00104"},{"key":"e_1_3_2_32_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.46"},{"key":"e_1_3_2_33_2","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243835"},{"key":"e_1_3_2_34_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23118"},{"key":"e_1_3_2_35_2","first-page":"1247","volume-title":"Proceedings of the USENIX Security Symposium","author":"Wong Michelle Y.","year":"2018","unstructured":"Michelle Y. Wong and David Lie. 2018. Tackling runtime-based obfuscation in Android with TIRO. In Proceedings of the USENIX Security Symposium. USENIX, 1247\u20131262."},{"key":"e_1_3_2_36_2","article-title":"Freezing of Tasks","author":"Wysocki Rafael J.","year":"2007","unstructured":"Rafael J. Wysocki. 2007. Freezing of Tasks. Retrieved from https:\/\/git.kernel.org\/pub\/scm\/linux\/kernel\/git\/torvalds\/linux.git\/tree\/Documentation\/power\/freezing-of-tasks.txt?h=v3.10.","journal-title":"https:\/\/git.kernel.org\/pub\/scm\/linux\/kernel\/git\/torvalds\/linux.git\/tree\/Documentation\/power\/freezing-of-tasks.txt?h=v3.10"},{"key":"e_1_3_2_37_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2017.40"},{"key":"e_1_3_2_38_2","first-page":"289","volume-title":"Proceedings of the USENIX Security Symposium","author":"Xue Lei","year":"2017","unstructured":"Lei Xue, Yajin Zhou, Ting Chen, Xiapu Luo, and Guofei Gu. 2017. Malton: Towards on-device non-invasive mobile malware analysis for ART. In Proceedings of the USENIX Security Symposium. USENIX, 289\u2013306."},{"key":"e_1_3_2_39_2","first-page":"569","volume-title":"Proceedings of the USENIX Security Symposium","author":"Yan Lok-Kwong","year":"2012","unstructured":"Lok-Kwong Yan and Heng Yin. 2012. DroidScope: Seamlessly reconstructing the OS and dalvik semantic views for dynamic android malware analysis. In Proceedings of the USENIX Security Symposium. USENIX, 569\u2013584."},{"key":"e_1_3_2_40_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-26362-5_17"},{"key":"e_1_3_2_41_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-24177-7_15"}],"container-title":["Digital Threats: Research and Practice"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3584975","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3584975","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T16:37:07Z","timestamp":1750178227000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3584975"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,6,30]]},"references-count":40,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2023,6,30]]}},"alternative-id":["10.1145\/3584975"],"URL":"https:\/\/doi.org\/10.1145\/3584975","relation":{},"ISSN":["2692-1626","2576-5337"],"issn-type":[{"type":"print","value":"2692-1626"},{"type":"electronic","value":"2576-5337"}],"subject":[],"published":{"date-parts":[[2023,6,30]]},"assertion":[{"value":"2022-04-23","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-01-26","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-08-10","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}