Computer Science
Group Project
Team Formation. There is a self-exploratory group project in a team of 4 students. Considering more diversity leads to more productivity, we strongly encourage you to make as diverse groups as possible. The deadline to form your group is Friday, March 5, 23:59hrs NZDT by which one of the group members must send an email to the course coordinator (cc all of your group members). In your email, you should mention the discipline (e.g., Computer Science or Engineering) of each member. Next, you will receive a confirmation email with your group number, e.g., G1.
Project Description. The project consists of a development phase followed by a challenge phase. The aim of the development phase is to develop a somewhat novel obfuscation technique, implement it, and then use it to obfuscate the source code of your Android app (i.e., Java code). Each group is required to use two main forms of obfuscation: data obfuscation (i.e., hiding data) and control flow obfuscation (i.e., hiding business logic).
Development Phase. You must develop your app using Java. The size of your source code should be between 400 and 1000 lines. Your developed app should run smoothly on Android 4.0 (API level 15) and later versions. Your obfuscated app should be easy to install and bug-free. There should be a clear separation between the GUI and the core business logic, where the latter should be at least 50% of your app code. Your app should be somewhat novel/interesting.
You can use any language for implementing your obfuscation technique. There are two possibilities here: either extend an existing obfuscation tool to incorporate your proposed technique or implement a small utility from scratch. The source code of your obfuscation tool and app should be well commented.
The deadline to deliver your project code (including source code of app and obfuscation technique you implement), and obfuscated app along with a readme file (briefly explaining input, output, and a brief description of your app) is Friday, May 7 Monday, May 10 23:59hrs NZDT. To do your submission, send an email to the course coordinator (cc all of your group members). You should use your group number as file names and email subject. For instance, if your group number is G1, then your email subject should be “COMPSCI702-2021-G1: Development Phase”, G1.zip should include source code of your app, G1-tool.zip should include source code of your tool, G1.apk should be your obfuscated app, and G1.txt should be your readme file (for other groups).
Ideally, you should automate your obfuscation technique as much as possible. However, due to time constraints, if you are unable to automate it completely then you can do some manual obfuscation. Your report should clearly indicate the parts you manually obfuscate.
Challenge Phase. In the challenge phase, you have to identify the specific data and control flow obfuscation used in the code. The specific obfuscation technique you identify should be evidenced by an example from the obfuscated app, explaining in your group report how you recovered the original source code. At the end of the challenge phase, you should submit a report. This report should cover the development phase (including introduction, related work, your obfuscation idea, evaluation, and discussion) and the challenge phase explaining information about reverse engineering. The weight of app development is 4% of the course. The weight of the rest of the development phase is 15% of the course and will be based on 100 marks in your report covering the introduction (10 marks: 1-1.5 page), related work (15 marks: 2 pages), proposed obfuscation idea (40 marks: 2-3 pages), evaluation (25 marks: 1 page), and discussion (10 marks: 1 page).
Final Report. The introduction in your report should have 5 paragraphs: one for the context, one for the problem, one for related work, one for the solution and one to highlight the novelty of your solution. Each aspect is worth 2 marks. Each aspect should be clear and convincing.
In related work, you should review 5 ‘strong’ research articles and 2 tools related to your idea. There should be one paragraph for each article/tool. In each paragraph, you should summarise the article/tool in your own words and compare it with your proposed idea, justifying how your approach is different or better. In your related work, each research article is worth 2 marks and each tool is worth 2.5 marks. Each related work will be evaluated depending on the comprehensiveness of your summary as well as your criticism and comparison.
In the proposed idea section, the core obfuscation idea along with technical details should be presented. The main technique should be clear. This section is worth 40 marks. You can get full marks in this section if your description is clear, if your idea is novel, and if your argumentation is convincing.
The evaluation section should cover the strength of your proposed technique (i.e., your app versus its obfuscated version), performance overhead (i.e., execution time of your app versus its obfuscated version), and storage overhead (i.e., size of your app versus its obfuscated version). Each of these three aspects is worth 5 marks. Further, 10 marks are based on whether other groups managed to reverse engineer your obfuscated app or not.
The discussion section should describe limitations (3 marks) of your approach, possible extensions (3 marks), and debugging and updates (4 marks), i.e., how your obfuscated app could be debugged or updated.
The last section of your report should explain reverse engineering. The weight of the reverse engineering phase is 10% of the course. For each obfuscated app you are assigned, you should have at most 1 page explaining the obfuscation techniques used. For each technique you identify, you should give an example from the obfuscated code showing how you recovered the original source code.
The report should be submitted in PDF using the following format:
- Font type: Times New Roman
- Font size: 12
- Single column
- Single line spacing
- 1 inch margin
To submit your report, send an email to the course coordinator (cc all of your group members). You should use your group number as your file name and email subject. For instance, if your group number is G1, then your email subject should be “COMPSCI702-2021-G1: Report” and your report should be named as G1.pdf. The deadline to submit your report is: Monday, May 24, 23:59hrs NZDT.
Post-Challenge Presentation. After the challenge phase, there is also a group presentation, which should be based on the report you submit. The weight of your group presentation is 1% of the course and this mark will be given to each individual who gives the group presentation. Essentially, we expect each group member to be involved in delivery of the group presentation. After the group presentation, you should email your slides and contributions of each member to the course coordinator (cc all of your group members). You should use your group number as your file name and email subject. For instance, if your group number is G1, then your email subject should be “COMPSCI702-2021-G1: Presentation and Contributions” and your presentation should be named as G1-Presentation.
If the alert level (or any other condition) does not permit on campus activities, then project presentations can be conducted online. Like your seminar presentation, you can choose one option for your project presentations: pre-recorded (send 24 hours in advance) or live-streaming. Like your seminar, we can have a live-streaming session or play a pre-recorded video first and then we can have a live Q&A session. There is a flexible time limit for your group presentation varying from 15 to 20 minutes followed by at least a 10-minute Q&A session.
Contributions. As for contributions, we need the percentage contribution as well as a list of tasks each group member was involved in. Ideally, each group member should have an equal contribution. It is the responsibility of each group member to actively contribute to the project. The project grade will be based on your contributions.
As a starting point, you can start with a set of tools available at the Mobile Security Wiki. As a next step, you are strongly encouraged to explore other tools that are not listed by this wiki.