Introduction to Dynamic Analysis of Android Application
1. Introduction to Dynamic Analysis of Android Application using DroidBox
   Kun Yang, kelwya@gmail.com

2. What is Dynamic Analysis?
   • Dynamic program analysis is the analysis of computer software that is performed by executing programs built from that software system on a real or virtual processor.

3. Why Dynamic Analysis?
   • Dynamic analysis is precise: it records what the code actually does at run time, not every path it could take
   • Overcomes anti-reverse-engineering: obfuscated or dynamically loaded code has to run anyway
   • As fast as program execution

4. How to do Dynamic Analysis?
   • Techniques
     – System hooking
     – Dynamic taint analysis
     – Instrumentation
   • Levels
     – Application framework/Java level
     – Native library level
     – Kernel/driver level
     – Emulator/QEMU level
5. Android Architecture (image-only slide: QEMU-based emulator)
6. What is DroidBox?
   • DroidBox = Dynamic Taint Analysis + Hooking (both at the application framework level)
   • Monitored actions
     – Information leaks
     – Network IO and file IO
     – Cryptography operations
     – SMS and phone calls
7. TaintDroid Architecture (image-only slide)

8. DroidBox Report (image-only slide)

9. DroidBox Logs (image-only slide)

10. DroidBox Logs (image-only slide)
11. How to use DroidBox?
   1. Install the Android SDK
   2. Install pylab and matplotlib
   3. Download the DroidBox package
   4. Set up a new AVD targeting Android 2.1
   5. ./startemu.sh <AVD name>
   6. ./droidbox.sh <sample.apk>
12. Demo Time!
13. How to Improve DroidBox?
   • Porting DroidBox to Android 2.3
     – TaintDroid has been ported to Android 2.3
   • APK instrumentation (*)
     – Porting is cumbersome
   • Interactive analysis log
   • Cloud service
14. Porting Logs

   dalvik patch
   vm/interp/Taint.h
     • Changed TAINT_HISTORY to TAINT_BROWSER
     • Added value definitions of some taint tags
   vm/native/dalvik_system_Taint.c
     • Changed all the log tags from TaintLog to DroidBox
     • Added a random-value argument to the function Dalvik_dalvik_system_Taint_logPathFromFd so that the FdAccess log and the FileRW log can be matched, which tells what file is being read or written
     • (*) Excluded some file paths starting with "/dev/pts", "/system", "/data/app" and "/proc/", which are legitimate
     • (*) Found a bug in TaintDroid for Android 2.3 that makes the log analyzer fail to output the correct final report of FileRW actions (I will fix the bug in the future)

   libcore patch
   libcore/crypto/src/main/java/javax/crypto/Cipher.java
     • Added a field key to track encryption and decryption keys
     • Hacked the function init to save encryption and decryption keys
     • Hooked the function doFinal to log cryptography information
   libcore/crypto/src/main/java/javax/crypto/spec/SecretKeySpec.java
     • Modified the constructor of SecretKeySpec
     • Added a function getKey for other modules to log with
   libcore/dalvik/src/main/java/dalvik/system/DexClassLoader.java
     • Hooked the constructor of DexClassLoader to monitor dynamic loading and execution
   libcore/dalvik/src/main/java/dalvik/system/Taint.java
     • Added and changed value definitions of some taint tags, as in Taint.h
     • Added a helper function toHex for logging
     • Modified the declaration of the native function logPathFromFd
   libcore/luni/src/main/java/java/io/FileDescriptor.java
     • Added 3 fields to FileDescriptor: port, id and readBuffer, which help with tracking
     • Hacked the constructor for tracking
   libcore/luni/src/main/java/java/util/Properties.java
     • Set the property Keep-Alive to false by default to avoid socket reuse
   libcore/luni/src/main/java/org/apache/harmony/luni/platform/OSFileSystem.java
     • Hooked the functions read and write to log file operations with the help of the modified logPathFromFd
   libcore/luni/src/main/java/org/apache/harmony/luni/platform/OSNetworkSystem.java
     • Replaced the function getHostAddress with getHostName
     • Added taint sinks or logging in the functions connect/connectNonBlocking/send/write/sendUrgentData
     • (*) Many network IO functions such as read in Android 2.1 were moved to native code in Android 2.3, so I did the logging with the native LOGW function in org_apache_harmony_luni_platform_OSNetworkSystem.cpp
   libcore/security/src/main/java/java/security/MessageDigest.java
     • Added 2 fields to MessageDigest: taintTrack and taintTag, which help with tracking
     • Initialized the two new fields in the constructor
     • Hooked the function digest to log
   libcore/security/src/main/java/org/apache/harmony/security/PrivateKeyImpl.java
   libcore/security/src/main/java/org/apache/harmony/security/provider/crypto/DSAPrivateKeyImpl.java
   libcore/security/src/main/java/org/apache/harmony/security/provider/crypto/DSAPublicKeyImpl.java
   libcore/security/src/main/java/org/apache/harmony/security/PublicKeyImpl.java
   libcore/security/src/main/java/org/apache/harmony/security/x509/X509PublicKey.java
     • Added a function getKey to these classes for other modules to log with
   libcore/security/src/main/java/org/bouncycastle/jce/
     • (*) The JCE library was not found in the source code of Android 2.3

   framework/base patch
   api/current.xml
     • Automatically generated using the command: make update-api
   core/java/android/app/Activity.java
     • Captured the phone call action in the function startActivity
   core/java/android/app/ContextImpl.java
     • Added taint sources in the function getInstalledApplication
   core/java/android/content/ContentResolver.java
     • Taint sources were added by the official TaintDroid team in version 2.3 in the function query
     • Changed TAINT_HISTORY to TAINT_BROWSER
     • (*) Instead of adding an argument to the CursorWrapperInner function to log, DroidBox for Android 2.1 also added taint sources here by modifying the CursorWrapperInner function and the constructor of the class CursorWrapper; for Android 2.3 I chose the TaintDroid team's method, which is a little easier
   core/java/android/content/ContextWrapper.java
     • Added a hook in the function startService to log
   telephony/java/android/telephony/SmsManager.java
     • Added hooks in sendTextMessage to log
   telephony/java/android/telephony/TelephonyManager.java
     • Added hooks in getDeviceId and getSubscriberId to log
   telephony/java/com/android/internal/telephony/PhoneSubInfo.java
     • Changed the return values of getDeviceId and getSubscriberId from hardcoded values to real values to prevent emulator evasion
15. How to do Instrumentation?
   • Bytecode or IR?
   • I chose smali.

16. What is smali?
   • smali is an IR (Intermediate Representation) of Dalvik bytecode
   • The syntax is loosely based on Jasmin's syntax
     – Jasmin is an assembler/IR for the Java Virtual Machine
   • smali/baksmali is an assembler/disassembler for the dex format used by Dalvik
17. smali types
   Basic types:
     V  void
     Z  boolean
     B  byte
     S  short
     C  char
     I  int
     J  long (64 bits)
     F  float
     D  double (64 bits)
   Classes/Objects (the trailing ';' is part of the descriptor):
     Lpackage/name/ObjectName;  (package.name.ObjectName)
     Ljava/lang/String;         (java.lang.String)
   Arrays:
     [I  (int[])
     [[I = int[][], [[[I = int[][][]
   Arrays of objects:
     [Ljava/lang/String;  (an array of Strings)
18. smali methods & fields
   • Methods: Lpackage/name/ObjectName;->MethodName(III)Z
     Example:
       method(I[[IILjava/lang/String;[Ljava/lang/Object;)Ljava/lang/String;
     is equivalent to:
       String method(int, int[][], int, String, Object[])
   • Fields: Lpackage/name/ObjectName;->FieldName:Ljava/lang/String;
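The descriptor grammar of slides 17 and 18 is small enough to decode mechanically, which is what an instrumentation tool has to do anyway. The following Python is an added example and is not code from the deck, from DroidBox or from APKIL: it turns a smali method or field reference into the Java-style signature shown on the slide, and also counts the Dalvik registers the arguments occupy (J and D take a register pair), a detail the slide only hints at with "64 bits".

```python
"""Decode smali descriptors into Java-style signatures.

Added example (not from the slides, DroidBox or APKIL). Implements the
descriptor grammar the slides list: primitive letters, L...; classes,
[ arrays, and the Lclass;->name(params)ret method form.
"""
import re

PRIMITIVES = {
    "V": "void", "Z": "boolean", "B": "byte", "S": "short", "C": "char",
    "I": "int", "J": "long", "F": "float", "D": "double",
}
WIDE = {"J", "D"}  # 64-bit types occupy a register pair

METHOD_RE = re.compile(r"^(?P<cls>L[^;]+;)->(?P<name>[^(]+)\((?P<params>[^)]*)\)(?P<ret>.+)$")
FIELD_RE = re.compile(r"^(?P<cls>L[^;]+;)->(?P<name>[^:]+):(?P<type>.+)$")


def parse_type(desc, pos=0):
    """Parse one type descriptor at desc[pos].

    Returns (java_name, position after it, register width)."""
    dims = 0
    while desc[pos] == "[":
        dims += 1
        pos += 1
    c = desc[pos]
    if c in PRIMITIVES:
        name, pos = PRIMITIVES[c], pos + 1
        width = 2 if c in WIDE else 1
    elif c == "L":
        end = desc.index(";", pos)  # class descriptors run up to the ';'
        name, pos, width = desc[pos + 1:end].replace("/", "."), end + 1, 1
    else:
        raise ValueError("bad type descriptor at offset %d in %r" % (pos, desc))
    if dims:
        width = 1  # an array is a reference, whatever its element type
    return name + "[]" * dims, pos, width


def parse_params(params):
    """Split a parameter list such as 'I[[IILjava/lang/String;' into (name, width) pairs."""
    out, pos = [], 0
    while pos < len(params):
        name, pos, width = parse_type(params, pos)
        out.append((name, width))
    return out


def parse_method(ref):
    m = METHOD_RE.match(ref)
    if not m:
        raise ValueError("not a smali method reference: %r" % ref)
    params = parse_params(m.group("params"))
    return {
        "class": parse_type(m.group("cls"))[0],
        "name": m.group("name"),
        "params": [name for name, _ in params],
        "returns": parse_type(m.group("ret"))[0],
        "arg_registers": sum(width for _, width in params),
    }


def parse_field(ref):
    m = FIELD_RE.match(ref)
    if not m:
        raise ValueError("not a smali field reference: %r" % ref)
    return {
        "class": parse_type(m.group("cls"))[0],
        "name": m.group("name"),
        "type": parse_type(m.group("type"))[0],
    }


def _short(java_name):
    return java_name.rsplit(".", 1)[-1]  # java.lang.String -> String


def java_signature(ref):
    """Render a method reference the way the slide does: 'String method(int, int[][], ...)'."""
    info = parse_method(ref)
    return "%s %s(%s)" % (_short(info["returns"]), info["name"],
                          ", ".join(_short(p) for p in info["params"]))


if __name__ == "__main__":
    print(java_signature("Lpackage/name/ObjectName;->method(I[[IILjava/lang/String;[Ljava/lang/Object;)Ljava/lang/String;"))
    print(parse_field("Lpackage/name/ObjectName;->FieldName:Ljava/lang/String;"))
```

The register count matters as soon as you rewrite smali: a method's `.registers` value has to cover the parameters (including `this` for non-static methods) plus any register an inserted instruction needs, and a `J` or `D` argument consumes two of them.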
19. smali example (image-only slide)

20. APKIL: APK Instrumentation Library
   • Current work
     – Parsed smali files into a tree structure
     – Implemented some instrumentation API for monitoring specified Android APIs
   • Future work
     – Add a more flexible and richer instrumentation API
21. Demo Time!

22. References
   • Android source: http://source.android.com
   • DroidBox: http://code.google.com/p/droidbox/
   • TaintDroid: http://appanalysis.org/
   • smali: http://code.google.com/p/smali/
   • DroidBox Improvements: http://www.honeynet.org/gsoc/slot11
   • APKIL: http://github.com/kelwin/apkil

23. Q&A