It can be used to track all network-related operations(Java), and record all connection built and data sent or received
Android application with android.permission.INTERNET, can access to the network. When an application is running, it's hard to detect network use.
Java provides various way to write to a network connection (Writer, OutputStream, ...), and Android also provides a rich range of network API. Detecting network usage by static analysis is limited
In this case study, we are instrumenting the library code related to network connection (libcore.io.IoBridge), bind, send, and receive. We maintain the data sent/received for each connection, which can be used for further analysis
Not all of the applications can have access to some sensitive APIs on Android, since they are protected by the permission system. When an application invokes an API which requires some permission, it will send a request to system server via Binder. Only permited by the system server, the application will be able to continue the API invocation.
Code obfuscation and reflection have made static analysis difficult for detecting runtime permission usage.
The check of the permission is out of the app process. How to build the connection between a permission check at the system server and an API call at the app process is important to get a full track of permission usage at runtime.
With our support for IPC Binder event, we are able to do control flow analysis among different processes. We will keep the causal order of the original events at our analysis server. In this case, we are able to get the report for permission usage on the fly.