Introduction to branch coverage
- Branch coverage is an important analysis to record program runtime execution.
- By instrumentation, we are able to collect information of branch taken when application is running
- With the static information collected at instrumentation time, we will be able to give a coverage report on the fly
- Since we provide full coverage, it's also possible to collect coverage report for the library code.
Introduction to network track analysis
- It can be used to track all network-related operations(Java), and record all connection built and data sent or received
- Android application with android.permission.INTERNET, can access to the network. When an application is running, it's hard to detect network use.
- Java provides various way to write to a network connection (Writer, OutputStream, ...), and Android also provides a rich range of network API. Detecting network usage by static analysis is limited
- In this case study, we are instrumenting the library code related to network connection (libcore.io.IoBridge), bind, send, and receive. We maintain the data sent/received for each connection, which can be used for further analysis
Introduction to permission detection
- Not all of the applications can have access to some sensitive APIs on Android, since they are protected by the permission system. When an application invokes an API which requires some permission, it will send a request to system server via Binder. Only permited by the system server, the application will be able to continue the API invocation.
- Code obfuscation and reflection have made static analysis difficult for detecting runtime permission usage.
- The check of the permission is out of the app process. How to build the connection between a permission check at the system server and an API call at the app process is important to get a full track of permission usage at runtime.
- With our support for IPC Binder event, we are able to do control flow analysis among different processes. We will keep the causal order of the original events at our analysis server. In this case, we are able to get the report for permission usage on the fly.
-
Filter by
- core.jar
- instrument libcore.io.IoBridge to track network operation
- framework.jar
- instrument android.app.ActivityManager to detect all permissions checked by system server
- target applications(contacts.apk, example, xphonefree)
- instrument method entries and method exits to provide runtime stack information
- instrument all branch related bytecode to get branch coverage report
- instrumentation server
- ip: 10.0.2.2
- port: 6667
- analysis server
- ip: 10.0.2.2
- port: 6668
- system_server
- track permission check, and IPC events
- com.android.phone
- track permission check, and IPC events
- com.android.contacts
- target app process
- ch.usi.dag.android.example
- target app process
- pixelrush.xphonefree
- target app process