A Novel Reputation System for Mobile App Stores Using Blockchain
Total Page:16
File Type:pdf, Size:1020Kb
Repositório ISCTE-IUL Deposited in Repositório ISCTE-IUL: 2021-02-26 Deposited version: Accepted Version Peer-review status of attached file: Peer-reviewed Citation for published item: Mendes, G. S., Chen, D., Silva, B. M. C., Serrão, C. & Casal, J. (2021). A novel reputation system for mobile app stores using blockchain. Computer. 54 (2), 39-49 Further information on publisher's website: 10.1109/MC.2020.3016205 Publisher's copyright statement: This is the peer reviewed version of the following article: Mendes, G. S., Chen, D., Silva, B. M. C., Serrão, C. & Casal, J. (2021). A novel reputation system for mobile app stores using blockchain. Computer. 54 (2), 39-49, which has been published in final form at https://dx.doi.org/10.1109/MC.2020.3016205. This article may be used for non-commercial purposes in accordance with the Publisher's Terms and Conditions for self-archiving. Use policy Creative Commons CC BY 4.0 The full-text may be used and/or reproduced, and given to third parties in any format or medium, without prior permission or charge, for personal research or study, educational, or not-for-profit purposes provided that: • a full bibliographic reference is made to the original source • a link is made to the metadata record in the Repository • the full-text is not changed in any way The full-text must not be sold in any format or medium without the formal permission of the copyright holders. Serviços de Informação e Documentação, Instituto Universitário de Lisboa (ISCTE-IUL) Av. das Forças Armadas, Edifício II, 1649-026 Lisboa Portugal Phone: +(351) 217 903 024 | e-mail: [email protected] https://repositorio.iscte-iul.pt A Novel Reputation System for Mobile App Stores Using Blockchain Gonçalo Sousa Mendes Aptoide, S.A. Daniel Chen Aptoide, S.A. Bruno M. C. Silva Instituto de Telecomunicações,Universidade da Beira Interior; IADE, Universidade Europeia Carlos Serrão ISTAR - Information Sciences and Technologies and Architecture Research Center; ISCTE - Instituto Universitário de Lisboa João Casal Aptoide, S.A. Abstract—With thousands of mobile applications submitted to online application stores the mobile application market has experienced a significant growth. This growth is however accompanied by an increase in malware presence which is detected after infecting users or when a it is reported to the store. A possible solution would be to leverage those reports, across all mobile ecosystem, creating a shared reputation system, to provide more accurate feedback to the app stores quality assurance and security teams. To support this sharable reputation management system, we present a scalable blockchain-based solution, that provides the necessary scalability, data privacy and trust requirements, while being cost-effective. This paper also presents a real case study and respective results on performance, scalability, and cost evaluation. case study and respective results on performance, scalability, and cost evaluation. MOBILE APPLICATIONS economy is an ex- downloads in Google Play alone [1], with several panding market. In August 2019, Google Play other third-party app stores experiencing similar Store had almost 2.5 million apps in its repos- rates [2]. However, malware presence has also itories, Apple App Store had 1.8 million and increased [3], which exposes users to possible Aptoide with nearly 1 million, with 21.3 billion privacy breaches and loss of assets (e.g., baking 1 Trojans to steal login credentials [3]) as app stores them. Blockchains can be public, private, or a are struggling to keep up with such malware mixture of both. In public blockchains, everyone growth [2]. can join the network and participate. Every node Current centralized models of cybersecurity can mine the new block and rewarded by the is- verification and validation hardly fit the ever- suers of transactions inside that block. On private growing global mobile app economy size. Several blockchains, only one entity controls the network apps have obfuscated code, that hardens auto- and dictates who can join the network, read, and mated code analysis. Studying their behavior dur- write blocks. In this network, it is not necessary ing execution is not feasible due to its prohibitive to pay mining fees. In consortium blockchains, costs and high inefficiency. This shows how a the control of the network is shared among all centralized approach to cybersecurity may not be participant entities, where everyone can read and the only answer to fight mobile malware, where write, but joining requires the approval of all each app store has its own methods and do not members. As in private blockchains, there are no share the discovered threats. mining fees. A new approach to this problem is to re- A possible solution to tackle the mentioned late the multiple actions of millions of users problems consists in using a blockchain, in- and thousands of developers (reputation events), tegrated with a cloud system, to support the such as ratings, comments, or app uploads, to a blockchain with the necessary logic operations degree of trust, and use that found reputation in and provide an interface for the QA and security the cybersecurity processes, to provide trustwor- teams. thy and relevant decision support to the quality Aptoide, already considered one of the safest assurance [QA] and security teams. Moreover, Android app store [2] has nonetheless felt the such approach could benefit both the developers, need to improve its security by developing such as they could switch between different markets system. Here, millions of users, through the app while keeping their reputation, and consumers, stores installed on their smartphones, perform as it makes it easier for them to trust a new de- reputation events that are disseminated through veloper, which significantly increases the content the blockchain’s services. The app stores can then quality of all app stores, having a direct impact infer threats on its applications through those rep- in their revenue, a practice widely adopted on e- utations’ events, where the threats are removed, commerce platforms, such as Amazon or e-Bay, creating a mobile Cyber-Physical System (CPS) among several others [4], [5]. connecting millions of devices, with blockchain Building a consortium solution for several and cloud/interface services. competing app stores presents several problems This paper presents a cloud-based solution of performance, scalability, interoperability, data to manage reputation events, integrated with a security and trust between entities [6], [7], [8], consortium blockchain, to serve as a distributed [9]) trust between the app stores inside the con- ledger to store those events, as the support for the sortium; 2) scalability, interoperability and perfor- reputation system. This combination allows for mance to manage multiple actions of millions of the identification of compromised apps, through users and thousands of developers, where several a dedicated interface for the analysts, where the different app stores can contribute, and each one apps classified as threat by high reputation users has its own business model and rules; 3) data pri- are displayed first for review, providing and im- vacy, as the user’s data needs to be securely saved provement on the quality assurance to users and to comply with data regulations; 4) traceability, as mitigating the potential for privacy breaches and it is necessary to know the history of actions of data thefts, for all users of the app stores that the users; and 5) cost efficiency. wish to be in the consortium. This possibility Blockchain is a distributed ledger, in a peer- generates a global app economy, with increase to-peer network, with unique characteristics that security, trust and transparency, where each app can effectively solve security problems [6]. The store can control how the reputations are calcu- new blocks are validated through a consensus lated, allowing for a better fit on their business protocol, that also guarantees a total order of model. 2 The main contributions of this work are: The authors demonstrated how their proposed 1. Study and implementation of a cloud solu- architecture could make IoT more secure and tion integrated with a blockchain to manage and efficient. However, their blockchain is too tailored store millions of reputations events; to their specific problem, without providing clear 2. Implementation of a real case study to eval- implementation details, making it very difficult to uate the performance of the solution developed. translate it to other domains. From the obtained evaluation results, it was Ink Protocol [12] is a decentralized third- observed how the combination of a cloud solution party software to handle a payment system for with a blockchain could improve this type of e-commerce marketplaces. The goal is to in- system regarding data security, interoperability, crease trust, and therefore security, by evaluating and scalability, while being cost-effective. transactions between the sellers and buyers to The remainder of this paper is organized as create reputations scores. This is very close to our follows. Section 2 identifies some related work goal. However, they require cryptocurrency, so it and background to the system proposed in this is based on Ethereum, a public blockchain. As article. In Section 3 we present the system im- mentioned, this type of blockchain brings some plementation. Section 4 offers a real case study performance and data privacy issues, as well as setup to demonstrate the solution behavior. Fi- the necessary mining fees. nally, Section 5 presents the conclusions and Decentralized Science [13] is a blockchain- some suggestions for future work. based distributed platform for science publica- tions, together with a reputation system of peer 2. Related Work and Background reviewers. The platform is used to store the peer Some works have already integrated review process communications, where the smart blockchain in their reputation systems to contracts validate the system’s rules. This system overcome the problems mentioned above [10], is also based on Ethereum.