This document describes Androsia, a tool that analyzes Android applications to determine the last usage points of StringBuilder objects that may contain sensitive data. It uses the Soot framework to convert Dalvik bytecode to Jimple code and perform an interprocedural data flow analysis. The analysis computes summaries for each method specifying the last usage points of local variables and static fields. These summaries are then used to determine the last usage points of StringBuilder objects at the whole program level to ensure sensitive data is cleared.

1. Androsia
A step ahead in securing in-memory Android application data

2. C:>whoami
• Samit Anwer
• Product Security Team @Citrix R&D India Pvt Ltd
• Web/Mobile App Security Enthusiast
• Speaker:
• AppSec USA (Orlando, USA),
• c0c0n (Cochin, India),
• IEEE Services (Anchorage, Alaska),
• ACM MobileSOFT, ICSE (Hyderabad, India),
• IEEE CloudCom (Bristol, UK)
• Email: samit.anwer@gmail.com, Twitter: @samitanwer1, LinkedIn

3. Agenda
• Takeaway
• Motivation
• Background
• Approach
• Work In Progress

4. Takeaway

5. • How to determine last use of objects at a whole program level?
• We use a summary based inter-procedural data-flow analysis
Takeaway
81 2 3 4 5 6 7 9 10
def x use xdef x use x
second
initialization
Img. ref: https://blog.fastthread.io/2016/07/06/troubleshoot-outofmemoryerror-unable-to-create-new-native-thread/

6. Motivation

7. • Authentication credentials,
• Authorization tokens,
• En/decryption keys,
• PINs,
• OTPs,
• PII
Objects may contain sensitive information

8. Want to ensure object’s content gets cleared?
Myth:
Forgotten References
 Memory Leak
Unreachable objects  Garbage
Reachable objects
GC Roots
Ref: https://www.dynatrace.com/resources/ebooks/javabook/how-garbage-collection-works/
Reality:

9. Resetting StringBuilder objects
• Unused/reachable StringBuilder objects may contain sensitive information
• A heap dump will reveal the sensitive info
• Don’t just rely on GC to clear sensitive content
• Destroy by overwriting all critical data
Ref: https://www.pentestpartners.com/security-blog/how-to-extract-sensitive-plaintext-data-from-android-memory/?doing_wp_cron=1500911283.6790690422058105468750

10. java.security.* falls short

11. Eclipse Memory Analyzer
Heap Dump - Before
Instrumentation
Heap Dump - After
Instrumentation

12. Background

13. Static Code analysis using Soot
• Soot - framework for Java (bytecode),
enables development of static
analysis tools
• Provides three-address code called
Jimple
• Supports implementing dataflow
analyses:
• Intra-procedural
• Inter-procedural
• Soot was missing a Dalvik to Jimple
transformation module
Then came Dexpler
Soot Workflow
Dalvik

14. Further reading:
Instrumenting Android Apps with Soot, http://www.bodden.de/2013/01/08/soot-
android-instrumentation/
Dexpler: Converting Android Dalvik Bytecode to Jimple for Static Analysis with Soot,
https://arxiv.org/pdf/1205.3576.pdf
• Android apps don’t have a main method
• FlowDroid generates dummyMainMethod()
• Models Android’s lifecycle methods &
callbacks
FlowDroid
Img. ref: https://developer.android.com/reference/android/app/Activity.html#ActivityLifecycle

15. Design Overview
6. Repack & Sign APK
OR
Provide Analysis
Results
1. Shares source OR APK
2. Unpack
Developer
/ User of
the app
Server
3. Convert
Androsia
5. Convert
4. Transform/Instrument Jimple
Code
Dex
7. Transformed APK/Results

16. SB Objects – In what scopes can they exist?
public void foo(){
SB x, y, z;
[x = new SB(“s3cr3t”);]1
[y = new SB(“p@55w0rd”);]2
[if(y.length() < x.length()){
[z = y;]4
} else{
[z = y.append(“007”);]5
}]3
class MyClass{
static SB x;
public static void foo(){
SB y, z;
[x = new SB(“s3cr3t”);]1
[y = new SB(“p@55w0rd”);]2
[if(y.length() < x.length()) {
[z = y;]4
} else{
bar();5
}]3
}}
public static void bar(){
System.out.println(MyClass.x);
}
Local variable Static Field
Abbrev.
SB: StringBuilder

17. Instance Field
class MyClass
{
private SB x;
public SB getSBx(){
return x;
}
public SB setSBx(SB str){
x=str;
}
}
public static void foo(){
MyClass obj = new MyClass();
SB str= new SB();
obj.setSBx(str)
S.O.P(obj.getSBx());
}

18. public class MainActivity
{
protected void onCreate(Bundle b) {
User.static_secret= new SB("p@55w0rd");
CheckStatic cs= new CheckStatic();
cs.useStaticField();
}
}
Demo - Static SB
public class User {
public static SB static_secret;
}
public class CheckStatic {
public void useStaticField()
{
S.O.P(User.static_secret);
bar();
}
public void bar()
{
S.O.P(User.static_secret);
}
}
But life is not always so simple
- There can be loopsDEMO

19. Approach

20. What’s there in a line of code?
• What data are we interested in?
Next few slides:
• What is live variable analysis?
• How to compute Summary for every method?
e.g. Summary(foo) = ( x , if(y.length() < x.length()))
 Step 1: Compute def-use set for every statement
 Step 2: Compute LVentry & LVexit set for every statement
 LVentry & LVexit  Last Usage Point (LUP) for Local / Static Field Ref. (SFR) within a method  Summary
• How to use summaries to compute LUP for a SFR at a whole program level?
Data
Liveness

21. • LV analysis determines
• For each statement, which variables must have a subsequent USE prior to
next definition of that variable
Live Variable Analysis
x
y
z
public void foo(){
SB x, y, z;
[x = new SB(“s3cr3t”);]1
[y = new SB(“p@55w0rd”);]2
[x = new SB(“hello”);]3
[if(y.length() < x.length()) {
}]4
[z = y;]5
[z = y.append(“007”);]6
[x = z;]7
} else{
Abbrev.
SB: StringBuilder
Last Usage Point of a var ≅
Last stmt where that var was live
}

22. 1. Compute def-use Set
• def set: variables defined in the statement
• use Set: variables evaluated/used in the statement
public void foo(){
SB x, y, z;
[x = new SB(“s3cr3t”);]1
[y = new SB(“p@55w0rd”);]2
[x = new SB(“hello”);]3
[if(y.length() < x.length()) {
[z = y;]5
} else{
[z = y.append(“007”);]6
}]4
[x = z;]7
}
Abbrev.
SB: StringBuilder

23. 1. Compute def-use Set (cntd.)
SB x, y, z;
[x = new SB(“s3cr3t”);]1
[y = new SB(“p@55w0rd”);]2
[x = new SB(“hello”);]3
[if(y.length() < x.length()){
[z = y;]5
}
else{
[z = y.append(“007”);]6
}]4
[x = z;]7
I def(l) use(l)
1 { x } ∅
2 { y } ∅
3 { x } ∅
4 ∅ { x, y }
5 { z } { y }
6 { z } { y }
7 { x } { z }

24. LVentry(6)
LVexit(6)
LVexit(4)
LVentry(4)
LVentry(3)
LVexit(3)
1
3 4
5
6
LVentry(2)
LVentry(1)
LVentry(5)
2
LVexit(5)
LVexit(2)
LVexit(1)
LV Data Flow Direction

25. 2. Compute LVentry (l) & LVexit(l)
• Hence the flow equations can be expressed using the two functions:
LVexit (l) = ∅ , if l = blast
∪s ∈ succ [l] {LVentry (s)} , otherwise
LVentry (l) = ( LVexit (l) – def(l) ) ∪ use(l)

26. 3: Compute LVentry (l) & LVexit(l)
public void foo(){
SB x;SB y;SB z;
[x = new SB(“s3cr3t”);]1
[y = new SB(“p@55w0rd”);]2
[x = new SB(“hello”);]3
[if(y.length() < x.length()) {
[z = y;]5
} else{
[z = y.append(“007”);]6
}]4
[x = z;]7
LVentry(7) { z }
LVexit(7) ∅
LVentry(6) { y }
LVexit(6) { z }
LVentry(5) { y }
LVexit(5) { z }
LVentry(4) { x, y }
LVexit(4) { y }
LVentry(3) { y }
LVexit(3) { x, y }
LVentry(2) { ∅ }
LVexit(2) { y }I def(l) use(l)
1 { x } ∅
2 { y } ∅
3 { x } ∅
4 ∅ { x, y }
5 { z } { y }
6 { z } { y }
7 { x } { z }
Summary(foo) = { Local, LUP( Local / Aliases ) }
OR
{ StaticFieldRef, LUP( SFR / Aliases ) }
I LVentry(l) LVexit(l)
1 ∅ ∅
2 ∅ { y }
3 { x, y }
4 { x, y } { y }
5 { y } { z }
6 { y } { z }
7 { z } ∅
{ y }
LVentry(3) { y }
LVexit(3) { x, y }
LVentry (l) = ( LVexit (l) – def(l) ) ∪ use(l)

27. Summary is computed in reverse topological order
public void foo(){
A1
A2
A3 bar();
A4
A5
}
public void bar(){
B1
B2
B3 baz();
B4
B5 sfr used
}
public void baz(){
C1
C2
C3
C4 sfr used
C5
C6
}
Summ(baz)
LVexit (B3) = LVentry(B4) = {sfr, B5}
Summ(bar)
LVexit (A3) = LVentry(A4) = {∅}
Summ(baz) = {sfr, C4}
{ baz, (sfr,C4) }
Program level last use for “sfr” happens at:
Summ(bar) = {sfr, B5}
{ bar, (sfr,B5) }
Summ(bar) = {sfr, ∅}
LVentry(C4) = {sfr, C4}
LVentry(B5) = {sfr, B5}

28. • What is live variable analysis?
• How to compute Summary for every method?
e.g. Summary(foo) = ( x , if(y.length() < x.length()))
Step 1: Compute def-use set for every statement
Step 2: Compute LVentry & LVexit set for every statement
 LVentry & LVexit  Last Usage Point (LUP) for Local / Static Field Ref. (SFR) within a
method  Summary
• How to use summaries to compute LUP for a SFR at a whole program level?
Summarizing:

29. Instance Field Variable - Approach
1. Mark all classes which have StringBuilder Instance Field/s
2. Find their object instances
3. Track Last Usage of object instances & their aliases instead of SB
Fields
4. Add reset method/s to respective classes

30. Instance Field
class MyClass
{
private SB a;
public SB setA(SB str){
a=str;
}
public void resetSb_A(){
……..
}
}
public class MainActivity{
public static void onCreate(){
SB my_secret= new SB(“S3cr3t”);
MyClass mc = new MyClass();
Wrapper w = new Wrapper();
w.callW(mc, my_secret);
resetSb_A();
}
}
DEMO
public class Wrapper {
public void callW( MyClass mc, SB my_secret ){
mc.setA(my_secret);
}
}
Last use of “mc”
1. Mark all classes which have StringBuilder Instance Field/s
2. Find their object instances
3. Track Last Usage of object instances
4. Add reset method/s to MyClass
Instrumented Code

31. • Test Suite development
• CI/CD adoption
• Documentation + Code will be in my GitHub Repo -
https://github.com/samitanwer/Androsia (Private as of now)
Work In Progress

32. References
1. Implementing an intra procedural data flow analysis in Soot,
https://github.com/Sable/soot/wiki/Implementing-an-intra-procedural-data-flow-analysis-in-Soot
2. Instrumenting Android Apps with Soot, http://www.bodden.de/2013/01/08/soot-android-
instrumentation
3. Dexpler: Converting Android Dalvik Bytecode to Jimple for Static Analysis with Soot,
https://arxiv.org/pdf/1205.3576.pdf
4. Precise Interprocedural Dataflow Analysis via Graph Reachability,
https://courses.cs.washington.edu/courses/cse590md/01sp/w1l2.pdf
5. Slides by Matthew B. Dwyer and Robby, University of Nebraska-Lincoln, Kansas State University