Introduction to Dynamic Analysis of Android Application using DroidBox

Kun Yang
kelwya@gmail.com
  
What is Dynamic Analysis?
•  Dynamic program analysis is the analysis of computer software that is performed by executing programs built from that software system on a real or virtual processor.
Why Dynamic Analysis?
•  Dynamic analysis is precise
•  Overcomes anti-reverse-engineering
•  As fast as program execution
How to do Dynamic Analysis?
•  Techniques
   –  System hooking
   –  Dynamic taint analysis
   –  Instrumentation
•  Levels
   –  Application framework/Java level
   –  Native library level
   –  Kernel/driver level
   –  Emulator/QEMU level
Android Architecture
(architecture diagram; the only text on the slide is "QEMU Based Emulator")
What is DroidBox?
•  DroidBox = Dynamic Taint Analysis + Hooking (both are at the application framework level)
•  Monitored actions
   –  Information leaks
   –  Network IO and file IO
   –  Cryptography operations
   –  SMS and phone calls
TaintDroid Architecture
(diagram)

DroidBox Report
(screenshot)

DroidBox Logs
(screenshots, two slides)
How to use DroidBox?
1.  Install Android SDK
2.  Install pylab and matplotlib
3.  Download DroidBox package
4.  Set up a new AVD targeting Android 2.1
5.  ./startemu.sh <AVD name>
6.  ./droidbox.sh <sample.apk>
Demo Time!
How to Improve DroidBox?
•  Porting DroidBox to Android 2.3
   –  TaintDroid has been ported to Android 2.3
•  APK instrumentation (*)
   –  Porting is cumbersome
•  Interactive analysis log
•  Cloud service
Porting Logs

dalvik patch

vm/interp/Taint.h
   –  Changed TAINT_HISTORY to TAINT_BROWSER
   –  Added value definitions of some taint tags

vm/native/dalvik_system_Taint.c
   –  Changed all the log tags from TaintLog to DroidBox
   –  Added an argument carrying a random value to the function Dalvik_dalvik_system_Taint_logPathFromFd so that an FdAccess log entry can be matched with its FileRW log entry, which tells what file is being read or written
   –  (*) Excluded file paths starting with "/dev/pts", "/system", "/data/app" and "/proc/", which are legitimate
   –  (*) Found a bug in TaintDroid for Android 2.3 that makes the log analyzer fail to output the correct final report of FileRW actions (I will fix the bug in the future)
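The FdAccess/FileRW matching and the path exclusions described above, as an added example that is not part of the original slides or of DroidBox's own analyzer. The logcat line format and JSON field names are assumptions made for this example; the sample lines are constructed.

```python
import json
import re

# Constructed logcat excerpt for this example; it is NOT real DroidBox output.
# Assumed event shape: the "DroidBox:" tag followed by one JSON object whose single
# key is the action (FdAccess, FileRW, ...). FdAccess carries the file path and the
# random id emitted by the patched logPathFromFd; FileRW carries the same id plus
# the hex-encoded data (the toHex helper) so the two entries can be joined.
SAMPLE_LOGCAT = """\
W/DroidBox ( 421): DroidBox: {"FdAccess": {"id": "7f3a9c", "path": "/data/data/com.example.app/files/secret.txt"}}
W/DroidBox ( 421): DroidBox: {"FileRW": {"id": "7f3a9c", "operation": "read", "data": "48656c6c6f"}}
W/DroidBox ( 421): DroidBox: {"FdAccess": {"id": "0b11e2", "path": "/system/framework/framework.jar"}}
W/DroidBox ( 421): DroidBox: {"FileRW": {"id": "0b11e2", "operation": "read", "data": "504b0304"}}
W/DroidBox ( 421): DroidBox: {"FileRW": {"id": "c0ffee", "operation": "write", "data": "00"}}
I/ActivityManager (   55): Start proc com.example.app
W/DroidBox ( 421): DroidBox: not json at all
"""

# Path prefixes the patched logPathFromFd treats as legitimate and skips.
EXCLUDED_PREFIXES = ("/dev/pts", "/system", "/data/app", "/proc/")

EVENT_RE = re.compile(r"DroidBox: (\{.*\})\s*$")


def parse_events(logcat_text):
    """Return (action, payload) pairs for every well-formed DroidBox event line."""
    events = []
    for line in logcat_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        try:
            obj = json.loads(m.group(1))
        except ValueError:
            continue  # truncated or interleaved logcat line: skip it, do not abort
        for action, payload in obj.items():
            events.append((action, payload))
    return events


def correlate_file_rw(events):
    """Join each FileRW event with the FdAccess event sharing the same random id.

    Files under EXCLUDED_PREFIXES are dropped, mirroring the Dalvik patch. A FileRW
    whose id never appeared in an FdAccess is kept with path None so the analyst
    still sees the operation instead of silently losing it.
    """
    fd_paths = {}
    records = []
    for action, payload in events:
        if action == "FdAccess":
            fd_paths[payload["id"]] = payload["path"]
        elif action == "FileRW":
            path = fd_paths.get(payload["id"])
            if path is not None and path.startswith(EXCLUDED_PREFIXES):
                continue
            try:
                data = bytes.fromhex(payload.get("data", ""))
            except ValueError:
                data = b""  # malformed hex: keep the event, drop the payload
            records.append({
                "id": payload["id"],
                "path": path,
                "operation": payload.get("operation"),
                "data": data,
            })
    return records


def summarize(logcat_text):
    """One line per correlated file operation, suitable for a final report."""
    lines = []
    for r in correlate_file_rw(parse_events(logcat_text)):
        where = r["path"] or "<fd %s unresolved>" % r["id"]
        lines.append("%s %s (%d bytes)" % (r["operation"], where, len(r["data"])))
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOGCAT):
        print(line)
```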
  
libcore patch

libcore/crypto/src/main/java/javax/crypto/Cipher.java
   –  Added a field key to track encryption and decryption keys
   –  Hacked the function init to save encryption and decryption keys
   –  Hooked the function doFinal to log cryptography information

libcore/crypto/src/main/java/javax/crypto/spec/SecretKeySpec.java
   –  Modified the constructor of SecretKeySpec
   –  Added a function getKey for other modules to log with

libcore/dalvik/src/main/java/dalvik/system/DexClassLoader.java
   –  Hooked the constructor of DexClassLoader to monitor dynamic loading and execution

libcore/dalvik/src/main/java/dalvik/system/Taint.java
   –  Added and changed value definitions of some taint tags, as we did in Taint.h
   –  Added a helper function toHex for logging
   –  Modified the declaration of the native function logPathFromFd

libcore/luni/src/main/java/java/io/FileDescriptor.java
   –  Added 3 fields to FileDescriptor: port, id and readBuffer, which help with tracking
   –  Hacked the constructor for tracking

libcore/luni/src/main/java/java/util/Properties.java
   –  Set the property Keep-Alive to false by default to avoid socket reuse

libcore/luni/src/main/java/org/apache/harmony/luni/platform/OSFileSystem.java
   –  Hooked the functions read and write to log file operations with the help of the modified logPathFromFd

libcore/luni/src/main/java/org/apache/harmony/luni/platform/OSNetworkSystem.java
   –  Replaced the function getHostAddress with getHostName
   –  Added taint sinks or logging in the functions connect/connectNonBlocking/send/write/sendUrgentData
   –  (*) Many network IO functions, such as read in Android 2.1, were moved to native code in Android 2.3, so I did the logging with the native LOGW function in org_apache_harmony_luni_platform_OSNetworkSystem.cpp

libcore/security/src/main/java/java/security/MessageDigest.java
   –  Added 2 fields to MessageDigest: taintTrack and taintTag, which help with tracking
   –  Initialized the two new fields in the constructor
   –  Hooked the function digest to log

libcore/security/src/main/java/org/apache/harmony/security/PrivateKeyImpl.java
libcore/security/src/main/java/org/apache/harmony/security/provider/crypto/DSAPrivateKeyImpl.java
libcore/security/src/main/java/org/apache/harmony/security/provider/crypto/DSAPublicKeyImpl.java
libcore/security/src/main/java/org/apache/harmony/security/PublicKeyImpl.java
libcore/security/src/main/java/org/apache/harmony/security/x509/X509PublicKey.java
   –  Added a function getKey to these classes for other modules to log with

libcore/security/src/main/java/org/bouncycastle/jce/
   –  (*) The JCE library was not found in the source code of Android 2.3
framework/base patch

api/current.xml
   –  Automatically generated using the command: make update-api

core/java/android/app/Activity.java
   –  Captured the phone call action in the function startActivity

core/java/android/app/ContextImpl.java
   –  Added taint sources in the function getInstalledApplication

core/java/android/content/ContentResolver.java
   –  Taint sources were added by the official TaintDroid team in version 2.3 in the function query
   –  Changed TAINT_HISTORY to TAINT_BROWSER
   –  (*) Instead of adding an argument to the CursorWrapperInner function to log, DroidBox for Android 2.1 also added taint sources here by modifying the CursorWrapperInner function and the constructor of the class CursorWrapper; for Android 2.3 I chose the method of the TaintDroid team, which is a little easier

core/java/android/content/ContextWrapper.java
   –  Added a hook in the function startService to log

telephony/java/android/telephony/SmsManager.java
   –  Added hooks in sendTextMessage to log

telephony/java/android/telephony/TelephonyManager.java
   –  Added hooks in getDeviceId and getSubscriberId to log

telephony/java/com/android/internal/telephony/PhoneSubInfo.java
   –  Changed the return values of getDeviceId and getSubscriberId from hardcoded values to real values to prevent emulator evasion
How to do Instrumentation?
•  Bytecode or IR?
•  I chose smali.
What is smali?
•  smali is an IR (Intermediate Representation) of Dalvik bytecode
•  The syntax is loosely based on Jasmin's syntax
   –  Jasmin is an assembler/IR for the Java Virtual Machine
•  smali/baksmali is an assembler/disassembler for the dex format used by Dalvik
smali types

Basic types:
   V   void
   Z   boolean
   B   byte
   S   short
   C   char
   I   int
   J   long (64 bits)
   F   float
   D   double (64 bits)

Classes/Objects:
   Lpackage/name/ObjectName   (package.name.ObjectName)
   Ljava/lang/String          (java.lang.String)

Arrays:
   [I   (int[])
   [[I = int[][],  [[[I = int[][][]

Arrays of objects:
   [Ljava/lang/String   (an array of Strings)
smali methods & fields
•  Methods: Lpackage/name/ObjectName;->MethodName(III)Z
   Example:
      method(I[[IILjava/lang/String;[Ljava/lang/Object;)Ljava/lang/String;
   is equivalent to:
      String method(int, int[][], int, String, Object[])
•  Fields: Lpackage/name/ObjectName;->FieldName:Ljava/lang/String;
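A parser for the type, method and field descriptors shown on the two smali slides, as an added example (not code from the slides, from smali or from APKIL); an instrumentation library has to decode these references to recognise the Android API calls it is asked to monitor. The parser requires class descriptors to carry their terminating ';' as in the method examples; the function names are this example's own.

```python
import re

# Single-letter primitive descriptors from the "smali types" slide.
PRIMITIVES = {
    "V": "void", "Z": "boolean", "B": "byte", "S": "short", "C": "char",
    "I": "int", "J": "long", "F": "float", "D": "double",
}


def parse_type(desc, pos=0):
    """Parse one type descriptor at desc[pos]; return (java_type, next_pos).

    Handles primitives, 'Lpkg/Cls;' class descriptors and any number of leading
    '[' array dimensions, e.g. '[[I' -> 'int[][]'.
    """
    dims = 0
    while pos < len(desc) and desc[pos] == "[":
        dims += 1
        pos += 1
    if pos >= len(desc):
        raise ValueError("truncated descriptor: %r" % desc)
    c = desc[pos]
    if c in PRIMITIVES:
        base, pos = PRIMITIVES[c], pos + 1
    elif c == "L":
        end = desc.find(";", pos)
        if end == -1:
            raise ValueError("unterminated class descriptor: %r" % desc)
        base = desc[pos + 1:end].replace("/", ".")
        pos = end + 1
    else:
        raise ValueError("unknown type char %r in %r" % (c, desc))
    if dims and base == "void":
        raise ValueError("array of void is not a valid type")
    return base + "[]" * dims, pos


def _split_owner(ref):
    """Split 'Lpkg/Cls;->member' into (owner class or None, member part)."""
    if "->" not in ref:
        return None, ref
    owner_desc, member = ref.split("->", 1)
    owner, end = parse_type(owner_desc)
    if not owner_desc.startswith("L") or end != len(owner_desc):
        raise ValueError("bad owner descriptor: %r" % owner_desc)
    return owner, member


def parse_method(ref):
    """'Lpkg/Cls;->name(I[[I)Ljava/lang/String;' -> (owner, name, [params], ret)."""
    owner, member = _split_owner(ref)
    m = re.match(r"([^()]+)\(([^()]*)\)(.+)$", member)
    if not m:
        raise ValueError("not a method reference: %r" % ref)
    name, params_desc, ret_desc = m.groups()
    params, pos = [], 0
    while pos < len(params_desc):          # parameter descriptors are concatenated
        t, pos = parse_type(params_desc, pos)
        params.append(t)
    ret, end = parse_type(ret_desc)
    if end != len(ret_desc):
        raise ValueError("trailing data after return type: %r" % ret_desc)
    return owner, name, params, ret


def parse_field(ref):
    """'Lpkg/Cls;->FieldName:Ljava/lang/String;' -> (owner, name, type)."""
    owner, member = _split_owner(ref)
    name, sep, type_desc = member.partition(":")
    if not sep or not name:
        raise ValueError("not a field reference: %r" % ref)
    ftype, end = parse_type(type_desc)
    if end != len(type_desc):
        raise ValueError("trailing data after field type: %r" % type_desc)
    return owner, name, ftype


def _simple(t):
    """'java.lang.String[]' -> 'String[]'; primitives are returned unchanged."""
    return t.rsplit(".", 1)[-1]


def to_java(ref, simple_names=True):
    """Render a smali method or field reference as a Java-style declaration."""
    nm = _simple if simple_names else (lambda t: t)
    if "(" in ref:
        owner, name, params, ret = parse_method(ref)
        qualified = (owner + "." if owner else "") + name
        return "%s %s(%s)" % (nm(ret), qualified, ", ".join(nm(p) for p in params))
    owner, name, ftype = parse_field(ref)
    return "%s %s" % (nm(ftype), (owner + "." if owner else "") + name)
```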
smali example
(code shown on the slide as an image)
APKIL: APK Instrumentation Library
•  Current work
   –  Parsed smali files into a tree structure
   –  Implemented some instrumentation API for monitoring specified Android APIs
•  Future work
   –  Add a more flexible and richer instrumentation API
Demo Time!
References
•  Android source: http://source.android.com
•  DroidBox: http://code.google.com/p/droidbox/
•  TaintDroid: http://appanalysis.org/
•  smali: http://code.google.com/p/smali/
•  DroidBox Improvements: http://www.honeynet.org/gsoc/slot11
•  APKIL: http://github.com/kelwin/apkil

Q&A

BookNet Canada
 
Paradigm Shifts in User Modeling: A Journey from Historical Foundations to Em...
Paradigm Shifts in User Modeling: A Journey from Historical Foundations to Em...Paradigm Shifts in User Modeling: A Journey from Historical Foundations to Em...
Paradigm Shifts in User Modeling: A Journey from Historical Foundations to Em...
Erasmo Purificato
 
Mitigating the Impact of State Management in Cloud Stream Processing Systems
Mitigating the Impact of State Management in Cloud Stream Processing SystemsMitigating the Impact of State Management in Cloud Stream Processing Systems
Mitigating the Impact of State Management in Cloud Stream Processing Systems
ScyllaDB
 
Calgary MuleSoft Meetup APM and IDP .pptx
Calgary MuleSoft Meetup APM and IDP .pptxCalgary MuleSoft Meetup APM and IDP .pptx
Calgary MuleSoft Meetup APM and IDP .pptx
ishalveerrandhawa1
 
Best Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdfBest Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdf
Tatiana Al-Chueyr
 
Password Rotation in 2024 is still Relevant
Password Rotation in 2024 is still RelevantPassword Rotation in 2024 is still Relevant
Password Rotation in 2024 is still Relevant
Bert Blevins
 

Recently uploaded (20)

7 Most Powerful Solar Storms in the History of Earth.pdf
7 Most Powerful Solar Storms in the History of Earth.pdf7 Most Powerful Solar Storms in the History of Earth.pdf
7 Most Powerful Solar Storms in the History of Earth.pdf
 
Quality Patents: Patents That Stand the Test of Time
Quality Patents: Patents That Stand the Test of TimeQuality Patents: Patents That Stand the Test of Time
Quality Patents: Patents That Stand the Test of Time
 
WhatsApp Image 2024-03-27 at 08.19.52_bfd93109.pdf
WhatsApp Image 2024-03-27 at 08.19.52_bfd93109.pdfWhatsApp Image 2024-03-27 at 08.19.52_bfd93109.pdf
WhatsApp Image 2024-03-27 at 08.19.52_bfd93109.pdf
 
Understanding Insider Security Threats: Types, Examples, Effects, and Mitigat...
Understanding Insider Security Threats: Types, Examples, Effects, and Mitigat...Understanding Insider Security Threats: Types, Examples, Effects, and Mitigat...
Understanding Insider Security Threats: Types, Examples, Effects, and Mitigat...
 
Best Programming Language for Civil Engineers
Best Programming Language for Civil EngineersBest Programming Language for Civil Engineers
Best Programming Language for Civil Engineers
 
Recent Advancements in the NIST-JARVIS Infrastructure
Recent Advancements in the NIST-JARVIS InfrastructureRecent Advancements in the NIST-JARVIS Infrastructure
Recent Advancements in the NIST-JARVIS Infrastructure
 
Observability For You and Me with OpenTelemetry
Observability For You and Me with OpenTelemetryObservability For You and Me with OpenTelemetry
Observability For You and Me with OpenTelemetry
 
How Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdfHow Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdf
 
Research Directions for Cross Reality Interfaces
Research Directions for Cross Reality InterfacesResearch Directions for Cross Reality Interfaces
Research Directions for Cross Reality Interfaces
 
Advanced Techniques for Cyber Security Analysis and Anomaly Detection
Advanced Techniques for Cyber Security Analysis and Anomaly DetectionAdvanced Techniques for Cyber Security Analysis and Anomaly Detection
Advanced Techniques for Cyber Security Analysis and Anomaly Detection
 
The Increasing Use of the National Research Platform by the CSU Campuses
The Increasing Use of the National Research Platform by the CSU CampusesThe Increasing Use of the National Research Platform by the CSU Campuses
The Increasing Use of the National Research Platform by the CSU Campuses
 
Manual | Product | Research Presentation
Manual | Product | Research PresentationManual | Product | Research Presentation
Manual | Product | Research Presentation
 
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-InTrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
 
What's New in Copilot for Microsoft365 May 2024.pptx
What's New in Copilot for Microsoft365 May 2024.pptxWhat's New in Copilot for Microsoft365 May 2024.pptx
What's New in Copilot for Microsoft365 May 2024.pptx
 
Details of description part II: Describing images in practice - Tech Forum 2024
Details of description part II: Describing images in practice - Tech Forum 2024Details of description part II: Describing images in practice - Tech Forum 2024
Details of description part II: Describing images in practice - Tech Forum 2024
 
Paradigm Shifts in User Modeling: A Journey from Historical Foundations to Em...
Paradigm Shifts in User Modeling: A Journey from Historical Foundations to Em...Paradigm Shifts in User Modeling: A Journey from Historical Foundations to Em...
Paradigm Shifts in User Modeling: A Journey from Historical Foundations to Em...
 
Mitigating the Impact of State Management in Cloud Stream Processing Systems
Mitigating the Impact of State Management in Cloud Stream Processing SystemsMitigating the Impact of State Management in Cloud Stream Processing Systems
Mitigating the Impact of State Management in Cloud Stream Processing Systems
 
Calgary MuleSoft Meetup APM and IDP .pptx
Calgary MuleSoft Meetup APM and IDP .pptxCalgary MuleSoft Meetup APM and IDP .pptx
Calgary MuleSoft Meetup APM and IDP .pptx
 
Best Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdfBest Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdf
 
Password Rotation in 2024 is still Relevant
Password Rotation in 2024 is still RelevantPassword Rotation in 2024 is still Relevant
Password Rotation in 2024 is still Relevant
 

Introduction to Dynamic Analysis of Android Application

  • 1. Introduction to Dynamic Analysis of Android Application using DroidBox
      Kun Yang
      kelwya@gmail.com
  • 2. What is Dynamic Analysis?
      • Dynamic program analysis is the analysis of computer software that is performed by executing programs built from that software system on a real or virtual processor.
  • 3. Why Dynamic Analysis?
      • Dynamic analysis is precise
      • Overcomes anti-reverse-engineering
      • As fast as program execution
  • 4. How to do Dynamic Analysis?
      • Techniques
          – System hooking
          – Dynamic Taint Analysis
          – Instrumentation
      • Levels
          – Application Framework/Java level
          – Native library level
          – Kernel/Driver level
          – Emulator/QEMU level
  • 5. Android Architecture
      – QEMU Based Emulator
  • 6. What is DroidBox?
      • DroidBox = Dynamic Taint Analysis + Hooking (both are at the application framework level)
      • Monitored actions
          – Information leaks
          – Network IO and File IO
          – Cryptography operations
          – SMS and phone calls
  • 11. How to use DroidBox?
      1. Install Android SDK
      2. Install pylab and matplotlib
      3. Download DroidBox package
      4. Set up a new AVD targeting Android 2.1
      5. ./startemu.sh <AVD name>
      6. ./droidbox.sh <sample.apk>
  • 13. How to Improve DroidBox?
      • Porting DroidBox to Android 2.3
          – TaintDroid has been ported to Android 2.3
      • APK instrumentation (*)
          – Porting is cumbersome
      • Interactive analysis log
      • Cloud Service
  • 14. Porting Logs
      dalvik patch
      vm/interp/Taint.h
          – Changed TAINT_HISTORY to TAINT_BROWSER
          – Added value definitions of some taint tags
      vm/native/dalvik_system_Taint.c
          – Changed all the log tags from TaintLog to DroidBox
          – Added an argument with a random value to the function Dalvik_dalvik_system_Taint_logPathFromFd to match the FdAccess log and the FileRW log, which tells what file is being read or written
          – (*) Excluded some file paths starting with "/dev/pts", "/system", "/data/app" and "/proc/", which are legal
          – (*) Found a bug in TaintDroid for Android 2.3 that makes the log analyzer fail to output the correct final report of FileRW actions (I will fix the bug in the future)
      libcore patch
      libcore/crypto/src/main/java/javax/crypto/Cipher.java
          – Added a field key to track encryption and decryption keys
          – Hacked the function init to save encryption and decryption keys
          – Hooked the function doFinal to log cryptography information
      libcore/crypto/src/main/java/javax/crypto/spec/SecretKeySpec.java
          – Modified the constructor of SecretKeySpec
          – Added a function getKey for other modules to log with
      libcore/dalvik/src/main/java/dalvik/system/DexClassLoader.java
          – Hooked the constructor of DexClassLoader to monitor dynamic load and execution
      libcore/dalvik/src/main/java/dalvik/system/Taint.java
          – Added and changed value definitions of some taint tags as we did in Taint.h
          – Added a helper function toHex for logging
          – Modified the declaration of the native function logPathFromFd
      libcore/luni/src/main/java/java/io/FileDescriptor.java
          – Added 3 fields to FileDescriptor: port, id and readBuffer, which help with tracking
          – Hacked the constructor for tracking
      libcore/luni/src/main/java/java/util/Properties.java
          – Set the property Keep-Alive to false by default to avoid socket reuse
      libcore/luni/src/main/java/org/apache/harmony/luni/platform/OSFileSystem.java
          – Hooked the functions read and write to log file operations with the help of the modified logPathFromFd
      libcore/luni/src/main/java/org/apache/harmony/luni/platform/OSNetworkSystem.java
          – Replaced the function getHostAddress with getHostName
          – Added taint sinks or logging in the functions connect/connectNonBlocking/send/write/sendUrgentData
          – (*) Many Network IO functions such as read in Android 2.1 were moved to native code in Android 2.3, so I did the logging with the native LOGW function in org_apache_harmony_luni_platform_OSNetworkSystem.cpp
      libcore/security/src/main/java/java/security/MessageDigest.java
          – Added 2 fields to MessageDigest: taintTrack and taintTag, which help with tracking
          – Initialized the two new fields in the constructor
          – Hooked the function digest to log
      libcore/security/src/main/java/org/apache/harmony/security/PrivateKeyImpl.java
      libcore/security/src/main/java/org/apache/harmony/security/provider/crypto/DSAPrivateKeyImpl.java
      libcore/security/src/main/java/org/apache/harmony/security/provider/crypto/DSAPublicKeyImpl.java
      libcore/security/src/main/java/org/apache/harmony/security/PublicKeyImpl.java
      libcore/security/src/main/java/org/apache/harmony/security/x509/X509PublicKey.java
          – Added a function getKey to these classes for other modules to log with
      libcore/security/src/main/java/org/bouncycastle/jce/
          – (*) The JCE library was not found in the source code of Android 2.3
      framework/base patch
      api/current.xml
          – Automatically generated using the command: make update-api
      core/java/android/app/Activity.java
          – Captured the phone call action in the function startActivity
      core/java/android/app/ContextImpl.java
          – Added taint sources in the function getInstalledApplication
      core/java/android/content/ContentResolver.java
          – Taint sources were added by the official TaintDroid team in version 2.3 in the function query
          – Changed TAINT_HISTORY to TAINT_BROWSER
          – (*) Instead of adding an argument to the CursorWrapperInner function to log, DroidBox for Android 2.1 also added taint sources here by modifying the CursorWrapperInner function and the constructor of the class CursorWrapper; for Android 2.3 I chose the TaintDroid team's method, which is a little easier
      core/java/android/content/ContextWrapper.java
          – Added a hook in the function startService to log
      telephony/java/android/telephony/SmsManager.java
          – Added hooks in sendTextMessage to log
      telephony/java/android/telephony/TelephonyManager.java
          – Added hooks in getDeviceId and getSubscriberId to log
      telephony/java/com/android/internal/telephony/PhoneSubInfo.java
          – Changed the return values of getDeviceId and getSubscriberId from hardcoded values to real values to prevent emulator evasion
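The porting log above pairs each FileRW entry with the FdAccess entry carrying the same random id, and drops the legal path prefixes before reporting. The Python below is an added example of that post-processing, not DroidBox's own analyzer; the "DroidBox: FdAccess{...}" / "DroidBox: FileRW{...}" line format and the sample lines are constructed for illustration and are not DroidBox's real log output.

```python
import re

# Path prefixes the porting log treats as legal and drops from the FileRW report.
LEGAL_PREFIXES = ("/dev/pts", "/system", "/data/app", "/proc/")

# Constructed sample lines in a hypothetical format; not DroidBox's real output.
# FdAccess maps the random id to a path, FileRW carries the same id plus the data.
SAMPLE_LOG = """\
DroidBox: FdAccess{id=4021, path=/data/data/com.example.app/files/contacts.txt}
DroidBox: FileRW{id=4021, op=read, data=4a6f686e}
DroidBox: FdAccess{id=9913, path=/system/framework/framework.jar}
DroidBox: FileRW{id=9913, op=read, data=504b0304}
DroidBox: FileRW{id=5555, op=write, data=deadbeef}
"""

LINE_RE = re.compile(r"DroidBox: (FdAccess|FileRW)\{(.*)\}$")


def parse_fields(body):
    """'id=4021, path=/x' -> {'id': '4021', 'path': '/x'} (constructed format)."""
    return dict(kv.split("=", 1) for kv in body.split(", "))


def is_legal_path(path):
    """True for paths the report should ignore (the whitelisted prefixes)."""
    return path.startswith(LEGAL_PREFIXES)


def correlate_file_events(log_text):
    """Join each FileRW line to the path logged by the FdAccess line with the same id.

    Returns the events that survive the legal-path filter. An id with no FdAccess
    line keeps path=None so the analyst can see that the correlation failed.
    """
    fd_paths = {}
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                       # unrelated logcat noise
        kind, fields = m.group(1), parse_fields(m.group(2))
        if kind == "FdAccess":
            fd_paths[fields["id"]] = fields["path"]
            continue
        path = fd_paths.get(fields["id"])
        if path is not None and is_legal_path(path):
            continue                       # legal system/app path, not reported
        events.append({"id": fields["id"], "op": fields["op"],
                       "path": path, "data": bytes.fromhex(fields["data"])})
    return events


if __name__ == "__main__":
    for event in correlate_file_events(SAMPLE_LOG):
        print(event)
```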
  • 15. How to do Instrumentation?
      • bytecode or IR?
      • I chose smali.
  • 16. What is smali?
      • smali is an IR (Intermediate Representation) of Dalvik Bytecode
      • The syntax is loosely based on Jasmin's syntax
          – Jasmin is an assembler/IR for the Java Virtual Machine
      • smali/baksmali is an assembler/disassembler for the dex format used by Dalvik
  • 17. smali types
      Basic types:
          V  void
          Z  boolean
          B  byte
          S  short
          C  char
          I  int
          J  long (64 bits)
          F  float
          D  double (64 bits)
      Classes/Objects:
          Lpackage/name/ObjectName  (package.name.ObjectName)
          Ljava/lang/String         (java.lang.String)
      Arrays:
          [I  (int[])
          [[I = int[][], [[[I = int[][][]
      Arrays of objects:
          [Ljava/lang/String  (an array of Strings)
  • 18. smali methods & fields
      • Methods: Lpackage/name/ObjectName;->MethodName(III)Z
          Example:
          method(I[[IILjava/lang/String;[Ljava/lang/Object;)Ljava/lang/String;
          is equivalent to:
          String method(int, int[][], int, String, Object[])
      • Fields: Lpackage/name/ObjectName;->FieldName:Ljava/lang/String;
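A decoder for the smali type descriptors and method/field references on slides 17 and 18, which is also the kind of parsing an instrumentation library has to do before it can match the Android API calls it wants to hook. This is an added Python example, not code from DroidBox, smali or APKIL; the class shorthand without a trailing ';' is accepted only so the slide's type table parses as written.

```python
import re

# Primitive descriptors, as in the slide's type table.
PRIMITIVES = {"V": "void", "Z": "boolean", "B": "byte", "S": "short",
              "C": "char", "I": "int", "J": "long", "F": "float", "D": "double"}


def parse_type(desc, pos=0):
    """Parse one descriptor at desc[pos]; return (java_type, next_pos).

    Handles primitives, classes (Lpkg/Name;) and arrays of any depth:
    [[I -> int[][], [Ljava/lang/String; -> java.lang.String[].
    """
    dims = 0
    while desc[pos] == "[":            # each leading '[' adds one dimension
        dims, pos = dims + 1, pos + 1
    ch = desc[pos]
    if ch in PRIMITIVES:
        base, pos = PRIMITIVES[ch], pos + 1
    elif ch == "L":
        end = desc.find(";", pos)      # the slide's shorthand omits the ';'
        end = len(desc) if end < 0 else end
        base, pos = desc[pos + 1:end].replace("/", "."), end + 1
    else:
        raise ValueError("bad descriptor at %d in %r" % (pos, desc))
    return base + "[]" * dims, pos


def simple(java_type):
    """java.lang.String[] -> String[], the form slide 18 uses."""
    return java_type.rsplit(".", 1)[-1]


def parse_method(sig, owner=None):
    """'name(params)ret' -> 'Ret [owner.]name(P1, P2, ...)'."""
    m = re.match(r"([^(]+)\((.*)\)(.+)$", sig)
    if not m:
        raise ValueError("not a method descriptor: %r" % sig)
    name, params, ret = m.groups()
    types, pos = [], 0
    while pos < len(params):           # parameters are concatenated, no separator
        t, pos = parse_type(params, pos)
        types.append(simple(t))
    if owner:
        name = owner + "." + name
    return "%s %s(%s)" % (simple(parse_type(ret)[0]), name, ", ".join(types))


def parse_member(ref):
    """Decode a full 'Lpkg/Cls;->member' reference, method or field."""
    owner, member = ref.split("->", 1)
    cls = parse_type(owner)[0]
    if "(" in member:
        return parse_method(member, cls)
    fname, ftype = member.split(":", 1)
    return "%s %s.%s" % (simple(parse_type(ftype)[0]), cls, fname)
```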
  • 20. APKIL: APK Instrumentation Library
      • Current Work
          – Parsed smali files into a tree structure
          – Implemented some instrumentation API for monitoring specified Android APIs
      • Future Work
          – Add more flexible and richer instrumentation API
  • 22. References
      • Android source: http://source.android.com
      • DroidBox: http://code.google.com/p/droidbox/
      • TaintDroid: http://appanalysis.org/
      • smali: http://code.google.com/p/smali/
      • DroidBox Improvements: http://www.honeynet.org/gsoc/slot11
      • APKIL: http://github.com/kelwin/apkil
  • 23. Q&A