Abstract

Reverse engineering mobile applications has become a complicated and time-consuming task, because the anti-reverse engineering techniques (e.g., packing, anti-debugging, anti-emulator, obfuscation, etc.) employed by the latest mobile applications make current reverse engineering techniques ineffective. Many approaches have been used, such as machine learning, dynamic instrumentation, etc. However, little has been done from a systems perspective to provide effective, robust and efficient solutions. The arms race between reverse engineering and anti-reverse engineering has brought new challenges to the design of modern mobile security analysis. This dissertation focuses on the systems aspect of the challenges that reverse engineering researchers face in designing various reversing approaches. Designing a system that collects, organizes, and evaluates facts about a mobile application and the environment in which it operates is an effective way of automating reverse engineering analysis and fighting anti-reverse engineering techniques on mobile platforms.

We designed a virtual machine instrumentation system, an automatic analysis platform that provides a comprehensive view of the behavior of packed Android applications by conducting multi-level monitoring and information flow tracking. This system is capable of identifying packed Android applications, extracting hidden code during execution, and performing the unpacking process for packed Android applications.

We designed MobileFindr, an on-device, trace-based function similarity identification system for the iOS platform. MobileFindr runs on real mobile devices and mitigates many prevalent anti-reversing techniques by extracting function execution behaviors via dynamic instrumentation, then characterizing functions with the collected behaviors and performing function matching via distance calculation. We have evaluated MobileFindr using real-world top-ranked mobile frameworks and applications. The experimental results showed that MobileFindr outperforms existing state-of-the-art tools in terms of better obfuscation resilience and accuracy.
