Detection of Reverse Engineering Activities Before the Attack
Falcarin, Paolo; Venerba, Mirco; De Giorgi, Matteo
2025-01-01
Abstract
In typical cybersecurity scenarios, one aims at detecting attacks after the fact. In this work, we aim at applying an active defence by detecting the activities of attackers trying to analyse and reverse engineer the code of an Android app, before they are able to perform an attack by tampering with the application code. We instrumented an app to collect various runtime data before and after deployment, in normal behaviour and under malicious analysis. We introduce the concept of partial execution paths, subsets of a program trace that are suddenly interrupted, as possible indicators of debugging activities. Such clues, along with system call sequences and the delays between them, stack information, and sensor data, are collected to help our system decide whether our app is under analysis and its device has to be considered compromised.

| File | Size | Format | |
|---|---|---|---|
| Detection_of_Reverse_Engineering_Activities_Before_the_Attack.pdf (not available). Type: Post-print document. License: Publisher's copyright | 583.22 kB | Adobe PDF | View/Open |
Documents in ARCA are protected by copyright and all rights are reserved, unless otherwise indicated.



