An Anti-Fuzzing Approach for Android Apps

Abstract

One of significant mobile app forensic analysis problems is the app evidence extraction from the device. Given the fact that mobile apps could generate more than 19K files in a device [6], simply manually inspecting every file is time consuming and may miss critical piece of evidence. A recent forensic analysis study [38] shows that fuzzing tools (a.k.a. fuzzer), which programmatically produce interactions with mobile apps, can be helpful when they are paired with sandbox environments for studying the app’s runtime forensic behaviors, by which forensic practitioners summarize the patterns of evidential data (such as GPS coordinates) that could greatly help with future forensic investigation. However, we found there is no study of how reliable do fuzzing tools help with improving the efficiency of mobile app forensic analysis.<br/> We, therefore, propose AFuzzShield, which aims at verifying the mobile app program coverage under the scenario when the app has the anti-fuzzing technologies applied. By analyzing the runtime information of mobile app interaction traces, it can prevent real-world apps from being exercised by fuzzers and minimizes the overhead of human usages. Our proposed approach exploits a statistical model to distinguish the difference between fuzzer and human patterns, and therefore it does not require graphical user interface (GUI) injections and is compatible with any real-world apps with touchable/clickable GUIs. We evaluate AFuzzShield on apps from AndroTest, a popular benchmark app dataset for testing various fuzzers, and the results demonstrate that, the mobile app program coverage can be significantly affected when it has anti-fuzzing technique, AFuzzShield, deployed, which results in missing mobile app evidential data patterns in the analysis (e.g. 70% of apps show promising results when having AFuzzShield applied under Monkey).