A Large Scale Investigation of Obfuscation Use in Google Play

Android applications are frequently plagiarized or maliciously repackaged, and so‰ware obfuscation is a popular protection against these practices. In this study, we present the €rst comprehensive analysis of the use and challenges of so‰ware obfuscation in Android applications. We surveyed 308 Google Play developers about their experiences with obfuscation, €nding that the free ProGuard so‰ware is by far the most commonly used obfuscation tool. With this insight, we analyzed 1.7 million Android apps from Google Play, €nding that only 24.9% of apps are obfuscated by the primary developer. Œis is surprising, given that the most common integrated development environment for Android, Android Studio, includes ProGuard by default. We investigated root causes of this low rate of obfuscation in an in-depth study with 79 Google Play developers, assessing their experiences with obfuscation and asking them to obfuscate a sample app using ProGuard. We found that while developers feel that apps in general are at risk of malicious repackaging or plagiarism, they do not fear the‰ of their own intellectual property. Developers also report diculties applying obfuscation for their own apps, which was substantiated when they demonstrated problems with all but the most basic con€gurations to obfuscate our sample app. Our €ndings indicate that more work is needed to make the application of obfuscation more usable and to educate developers on the risk of their apps being reverse engineered, their intellectual property stolen and their apps being repackaged and redistributed as malware.