Introduction to branch coverage

Branch coverage is an important analysis for recording a program's runtime execution.
Through instrumentation, we can collect information about which branches are taken while the application is running.
Combined with the static information collected at instrumentation time, this lets us produce a coverage report on the fly.
Since we provide full coverage, it is also possible to collect a coverage report for the library code.

Introduction to network track analysis

It can be used to track all network-related operations (Java) and to record every connection established and all data sent or received.
An Android application with android.permission.INTERNET can access the network. While an application is running, it is hard to detect network use.
Java provides various ways to write to a network connection (Writer, OutputStream, ...), and Android also provides a rich range of network APIs. Detecting network usage by static analysis is limited.
In this case study, we instrument the library code related to network connection (, bind, send, and receive). We maintain the data sent/received for each connection, which can be used for further analysis.

Introduction to permission detection

Not all applications can access certain sensitive APIs on Android, since these are protected by the permission system. When an application invokes an API that requires a permission, it sends a request to the system server via Binder. Only if the system server permits it can the application continue the API invocation.
Code obfuscation and reflection make it difficult for static analysis to detect runtime permission usage.
The permission check happens outside the app process. Connecting a permission check at the system server with an API call in the app process is important for getting a full trace of permission usage at runtime.
With our support for IPC Binder events, we can perform control flow analysis across different processes. We keep the causal order of the original events at our analysis server. This way, we can report permission usage on the fly.
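The cross-process linking described above, sketched as an added example (not the tool's own code). The event kinds, field names, pids and transaction ids are constructed assumptions; the only property relied on from the text is that events reach the analysis server in causal order and include method entry/exit and Binder events.

```python
from collections import defaultdict

SYS = 50  # constructed pid of the system server; app pids are 101 and 202
# Constructed events, already in causal order. Field names are assumptions.
EVENTS = [
    dict(pid=101, tid=1, kind="enter", method="LocationManager.getLastKnownLocation"),
    dict(pid=101, tid=1, kind="binder_send", txn=7),
    dict(pid=202, tid=1, kind="enter", method="TelephonyManager.getDeviceId"),
    dict(pid=SYS, tid=9, kind="binder_recv", txn=7),
    dict(pid=202, tid=1, kind="binder_send", txn=8),
    dict(pid=SYS, tid=4, kind="binder_recv", txn=8),
    dict(pid=SYS, tid=4, kind="perm_check", perm="READ_PHONE_STATE", granted=False),
    dict(pid=SYS, tid=9, kind="perm_check", perm="ACCESS_FINE_LOCATION", granted=True),
    dict(pid=SYS, tid=9, kind="binder_reply", txn=7),
    dict(pid=SYS, tid=4, kind="binder_reply", txn=8),
    dict(pid=101, tid=1, kind="exit"),
    dict(pid=SYS, tid=2, kind="perm_check", perm="WAKE_LOCK", granted=True),
]

def attribute_permissions(events):
    """Link each permission check in the system server to the app call behind it."""
    stacks = defaultdict(list)  # (pid, tid) -> stack built from method entry/exit
    pending = {}                # txn -> (caller pid, caller stack at send time)
    serving = {}                # server (pid, tid) -> txn it is handling
    report = []
    for ev in events:
        key, kind = (ev["pid"], ev["tid"]), ev["kind"]
        if kind == "enter":
            stacks[key].append(ev["method"])
        elif kind == "exit" and stacks[key]:
            stacks[key].pop()
        elif kind == "binder_send":
            pending[ev["txn"]] = (ev["pid"], tuple(stacks[key]))
        elif kind == "binder_recv" and ev["txn"] in pending:
            serving[key] = ev["txn"]
        elif kind == "binder_reply":
            serving.pop(key, None)
            pending.pop(ev["txn"], None)
        elif kind == "perm_check":
            # No transaction on this thread: the check is the server's own work.
            caller, stack = pending.get(serving.get(key), (None, ()))
            report.append((ev["perm"], ev["granted"], caller,
                           stack[-1] if stack else None))
    return report

if __name__ == "__main__":
    for row in attribute_permissions(EVENTS):
        print(row)
```

Each report row is (permission, granted, calling pid, API at the top of the caller's stack). The two interleaved transactions are attributed to the correct apps, and the check made outside any transaction is left unattributed.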
[Figure: setup diagram. Labels: instrumentation server (port: 6667); analysis server (port: 6668); track permission check, and IPC events; target app process. Options listed: instrument to track network operation; instrument to detect all permissions checked by system server; target applications (contacts.apk, example, xphonefree); instrument method entries and method exits to provide runtime stack information; instrument all branch related bytecode to get branch coverage report.]