Blockchain-based public ecosystem for auditing security of software applications
Computing (IF 3.3), Pub Date: 2021-05-20, DOI: 10.1007/s00607-021-00954-6
Qinwen Hu, Muhammad Rizwan Asghar, Sherali Zeadally

Over the years, software applications have captured a large market, ranging from smart devices (smartphones, smart wearables) to enterprise resource management, including Enterprise Resource Planning and office applications, and the entertainment industry (video games and graphics design applications). Protecting the copyright of software applications and protecting users from malicious software (malware) have been topics of great interest to academia and industry for many years. The standard solutions rely on software license keys or on Operating System (OS) protection mechanisms such as Google Play Protect. However, some end users break these protections to avoid paying for applications that are not free, either by downloading the software from an unauthorised website or by jailbreaking the OS. As a result, they cannot determine whether the software they download is malicious. Further, if a malicious user uploads the software to a third-party platform, the software developer has no way of knowing about it, so the authenticity and integrity of the software cannot be guaranteed. There is also a lack of information transparency among software platforms. In this study, we propose an architecture based on blockchain technology that provides data transparency, release traceability, and auditability. Our goal is an open framework that allows users, software vendors, and security practitioners to monitor misbehaviour and assess software vulnerabilities in order to prevent malicious software downloads. Specifically, the proposed solution makes it possible to identify software developers who have gone rogue and are potentially developing malicious software. Furthermore, we introduce an incentive policy that encourages security engineers, victims, and software owners to participate in collaborative work.
The outcomes are intended to enable wide adoption of a software auditing ecosystem in software markets, specifically for mobile device manufacturers that have been barred from using an open-source OS such as Android and therefore need to verify application security without relying entirely on OS-specific security mechanisms.
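The abstract names release traceability and auditability as the properties the ledger provides but does not describe a concrete data model. The following is an added illustration, not code from the paper or its authors: a minimal append-only, hash-chained release ledger (a constructed stand-in for the blockchain) in which a vendor records the SHA-256 of each release, and an auditor checks both that the chain is intact and that a downloaded artifact matches a vendor-recorded entry. The vendor names, package names and artifact bytes are constructed sample data; the `audit_download` verdicts are hypothetical labels chosen for this example.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class ReleaseRecord:
    vendor: str             # hypothetical vendor identifier registered on the ledger
    package: str
    version: str
    artifact_sha256: str    # digest of the released binary
    prev_hash: str          # entry_hash of the previous record ("" for the genesis record)
    entry_hash: str = ""    # digest of this record's canonical body, filled in on append

    def canonical(self) -> bytes:
        # Deterministic serialisation of everything except entry_hash itself.
        body = {k: v for k, v in self.__dict__.items() if k != "entry_hash"}
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class ReleaseLedger:
    """Append-only, hash-chained list of release records (constructed stand-in for a blockchain)."""

    def __init__(self) -> None:
        self.entries: List[ReleaseRecord] = []

    def append(self, vendor: str, package: str, version: str, artifact: bytes) -> ReleaseRecord:
        prev = self.entries[-1].entry_hash if self.entries else ""
        rec = ReleaseRecord(vendor, package, version, sha256_hex(artifact), prev)
        rec.entry_hash = sha256_hex(rec.canonical())
        self.entries.append(rec)
        return rec

    def verify_chain(self) -> bool:
        """Auditability: every record re-hashes to its stored digest and links to its predecessor."""
        prev = ""
        for rec in self.entries:
            if rec.prev_hash != prev or rec.entry_hash != sha256_hex(rec.canonical()):
                return False
            prev = rec.entry_hash
        return True

    def trace(self, artifact: bytes) -> Optional[ReleaseRecord]:
        """Traceability: find the ledger record that vouches for exactly these bytes."""
        digest = sha256_hex(artifact)
        for rec in self.entries:
            if rec.artifact_sha256 == digest:
                return rec
        return None


def audit_download(ledger: ReleaseLedger, artifact: bytes, claimed_vendor: str) -> str:
    """Verdict for a binary obtained from an arbitrary (possibly third-party) site."""
    if not ledger.verify_chain():
        return "ledger-tampered"
    rec = ledger.trace(artifact)
    if rec is None:
        # Either the bytes were modified after release or nobody registered this release.
        return "unknown-artifact"
    if rec.vendor != claimed_vendor:
        # Release exists, but the site attributes it to a vendor other than the one who recorded it.
        return "vendor-mismatch"
    return "ok"


if __name__ == "__main__":
    ledger = ReleaseLedger()
    genuine = b"constructed release bytes for notes 1.0"   # constructed sample artifact
    ledger.append("acme", "notes", "1.0", genuine)
    ledger.append("acme", "notes", "1.1", b"constructed release bytes for notes 1.1")
    print(audit_download(ledger, genuine, "acme"))              # recorded by acme
    print(audit_download(ledger, genuine + b"\x90", "acme"))    # repackaged on a third-party site
    print(audit_download(ledger, genuine, "mallory"))           # re-attributed to another vendor
```

In a deployment the ledger would be replicated and the record would carry a vendor signature rather than relying on the ledger operator; the example keeps only the hash chain so that the integrity check stays self-contained.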




Updated: 2021-05-20