An Empirical Study of Code Obfuscation Practices in the Google Play Store

TL;DR

This large-scale study analyzes over 500,000 Android apps from Google Play over eight years, revealing trends and techniques in code obfuscation, with implications for security and development practices.

Contribution

It introduces classifiers for detecting obfuscation and provides the first extensive analysis of obfuscation trends in Google Play apps over time.

Findings

Obfuscation increased by 13% from 2016 to 2023.

ProGuard and Allatori are the most common obfuscation tools.

Obfuscation is more prevalent in top-ranked and gaming apps.

Abstract

The Android ecosystem is vulnerable to issues such as app repackaging, counterfeiting, and piracy, threatening both developers and users. To mitigate these risks, developers often employ code obfuscation techniques. However, while effective in protecting legitimate applications, obfuscation also hinders security investigations as it is often exploited for malicious purposes. As such, it is important to understand code obfuscation practices in Android apps. In this paper, we analyze over 500,000 Android APKs from Google Play, spanning an eight-year period, to investigate the evolution and prevalence of code obfuscation techniques. First, we propose a set of classifiers to detect obfuscated code, tools, and techniques and then conduct a longitudinal analysis to identify trends. Our results show a 13% increase in obfuscation from 2016 to 2023, with ProGuard and Allatori as the most commonly used tools. We also show that obfuscation is more prevalent in top-ranked apps and gaming genres such as Casino apps. To our knowledge, this is the first large-scale study of obfuscation adoption in the Google Play Store, providing insights for developers and security analysts.