Blockchain-based public ecosystem for auditing security of software applications

Over the years, software applications have captured a big market ranging from smart devices (smartphones, smart wearable devices) to enterprise resource management including Enterprise Resource Planning, office applications, and the entertainment industry (video games and graphics design applications). Protecting the copyright of software applications and protection from malicious software (malware) have been topics of utmost interest for academia and industry for many years. The standard solutions use the software license key or rely on the Operating System (OS) protection mechanisms, such as Google Play Protect. However, some end users have broken these protections to bypass payments for applications that are not free. They have done so by downloading the software from an unauthorised website or by jailbreaking the OS protection mechanisms. As a result, they cannot determine whether the software they download is malicious or not. Further, if the software is uploaded to a third party platform by malicious users, the software developer has no way of knowing about it. In such cases, the authenticity or integrity of the software cannot be guaranteed. There is also a problem of information transparency among software platforms. In this study, we propose an architecture that is based on blockchain technology for providing data transparency, release traceability, and auditability. Our goal is to provide an open framework to allow users, software vendors, and security practitioners to monitor misbehaviour and assess software vulnerabilities for preventing malicious software downloads. Specifically, the proposed solution makes it possible to identify software developers who have gone rogue and are potentially developing malicious software. Furthermore, we introduce an incentive policy for encouraging security engineers, victims and software owners to participate in collaborative works. The outcomes will ensure the wide adoption of a software auditing ecosystem in software markets, specifically for some mobile device manufacturers that have been banned from using the open-source OS such as Android. Consequently, there is a demand for them to verify the application security without completely relying on the OS-specific security mechanisms.