This document discusses improving the Android Application Sandbox (DroidBox) by porting it to support Android 2.3, repackaging APKs to monitor API calls, and developing a new APIMonitor tool. The APIMonitor intercepts API calls by parsing smali code and outputting parameter and return values. It builds an API database to detect inherited methods. Future work includes classifying sensitive APIs and moving analysis to the cloud.
Improving DroidBox
1. Improving our Android Application Sandbox (DroidBox)
Student: Kun Yang <kelwya@gmail.com>
ORG: The Honeynet Project
Primary mentors: Patrik Lantz, Felix Leder
Backup mentors: Anthony Desnos, Jianwei Zhuge
2. Outline
• Goals
• Current design and work
• Demos
• Future works
3. Goals
• Port DroidBox to support Android 2.3
• Repackage the APK to monitor API calls at runtime, to avoid an endless cycle of upgrading DroidBox: hooks placed inside the repackaged app keep working across Android versions, whereas hooks built into a modified system image have to be re-ported for every release
4. DroidBox for Android 2.3
• Based on TaintDroid 2.3 [1]
• Fixed some bugs
  – output string processing related bug
  – network file descriptor identifier related bug
• Hooked sensitive APIs as in the previous version
• Adjusted some hooking
  – Moved IO hooking to the native code layer
• Released a beta version on the project page
5. DroidBox APIMonitor
• Based on smali/baksmali
• Parses smali into a tree structure
• Intercepts different kinds of methods
  – Instance method
  – Constructor
  – Static method
• Outputs parameters and return value of different types
  – Basic type: String.valueOf(type)
  – Object: object.toString()
  – Array: Java reflection
  (for app-defined classes, toString() is the sample's own code, so a malicious app can override it to hide or misrepresent what it passes to an API)
• Builds an API database to detect methods inherited from API classes
• Developed an APK instrumentation library (APKIL)
6. APIMonitor Architecture
(Figure: the API list and the API database feed APIMonitor, which rewrites the input APK into a new APK; the new APK runs on emulators or real devices, and the monitoring logs are collected over ADB.)
8. Method Interception
• Uses a framework design similar to I-ARM-Droid [2]
• Basic workflow example: intercept the methods of class Ljava/net/URL;
  1. Define a new class Ldroidbox/java/net/URL;
  2. Implement corresponding static methods to monitor (do the real API call inside them, logging the parameters before it and the return value after it)
  3. Replace the API calls in the app's smali with calls to the new methods
17. Build API Database
• Build the API database to detect methods inherited from API classes: an app class that extends an API class (a subclass of Activity, for example) inherits its methods, so a call on the app class is really an API call even though the smali names the app class
• How to find the connections between classes in the API
  – find all class names: jar -tf android.jar
  – find all method signatures in a class: javap -bootclasspath android.jar -s classname
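As an added illustration of how such a database can be built and queried (example code written for this page, not APIMonitor's own implementation): the javap output, jar listing and smali headers it contains are constructed, abbreviated samples with a simplified class hierarchy, and the parser accepts both the `descriptor:` and the older `Signature:` line format of `javap -s`.

```python
"""Added example, not APIMonitor's own code: build the API database of slide 17
and resolve inherited API methods. JAR_LISTING, JAVAP_TEXT and APP_SMALI are
constructed, abbreviated stand-ins for `jar -tf android.jar`,
`javap -bootclasspath android.jar -s <class>` and the app's smali files.
"""
import re

JAR_LISTING = """\
android/content/Context.class
android/content/ContextWrapper.class
android/view/ContextThemeWrapper.class
android/app/Activity.class
"""

JAVAP_TEXT = """\
Compiled from "Context.java"
public abstract class android.content.Context {
  public abstract void startActivity(android.content.Intent);
    descriptor: (Landroid/content/Intent;)V
}
public class android.content.ContextWrapper extends android.content.Context {
  public void startActivity(android.content.Intent);
    descriptor: (Landroid/content/Intent;)V
  public void sendBroadcast(android.content.Intent);
    descriptor: (Landroid/content/Intent;)V
}
public class android.view.ContextThemeWrapper extends android.content.ContextWrapper {
  public void setTheme(int);
    descriptor: (I)V
}
public class android.app.Activity extends android.view.ContextThemeWrapper {
  public android.app.Activity();
    descriptor: ()V
  public void startActivity(android.content.Intent);
    descriptor: (Landroid/content/Intent;)V
}
"""

# Constructed app classes: BaseActivity extends the API class and overrides
# setTheme; MainActivity extends BaseActivity and declares nothing itself.
APP_SMALI = [
    ".class public Lcom/example/BaseActivity;\n.super Landroid/app/Activity;\n"
    ".method public setTheme(I)V\n    .locals 0\n    return-void\n.end method\n",
    ".class public Lcom/example/MainActivity;\n.super Lcom/example/BaseActivity;\n",
]

CLASS_RE = re.compile(r'^\S.*?\b(?:class|interface)\s+([\w.$]+)(?:\s+extends\s+([\w.$]+))?')
METHOD_RE = re.compile(r'^\s+.*?([\w$<>]+)\(.*\)[^;]*;\s*$')
DESC_RE = re.compile(r'^\s+(?:descriptor|Signature):\s+(\S+)')   # newer / older javap
SMALI_CLASS_RE = re.compile(r'^\.class\s+(?:\w+\s+)*(L[^;]+;)', re.M)
SMALI_SUPER_RE = re.compile(r'^\.super\s+(L[^;]+;)', re.M)
SMALI_METHOD_RE = re.compile(r'^\.method\s+(?:[\w-]+\s+)*([\w$<>]+)(\([^)]*\)\S+)', re.M)

def internal(java_name):
    """android.app.Activity -> Landroid/app/Activity; (the form smali uses)."""
    return 'L' + java_name.replace('.', '/') + ';'

def api_classes(jar_listing):
    """Class names from `jar -tf`; each one is what you would pass to javap."""
    return {'L' + l[:-6] + ';' for l in jar_listing.split() if l.endswith('.class')}

def parse_javap(text):
    """class -> {'super': class or None, 'methods': {'name(desc)ret', ...}}"""
    db, cur, pending = {}, None, None
    for line in text.splitlines():
        cm, mm = CLASS_RE.match(line), METHOD_RE.match(line)
        if cm:
            cur = internal(cm.group(1))
            db[cur] = {'super': internal(cm.group(2)) if cm.group(2) else None, 'methods': set()}
        elif cur and mm:
            name = mm.group(1)
            # javap lists constructors under the class name; smali calls them <init>
            pending = '<init>' if cur.endswith('/' + name + ';') else name
        elif pending:
            dm = DESC_RE.match(line)
            if dm:
                db[cur]['methods'].add(pending + dm.group(1))
                pending = None
    return db

def parse_app(smali_files):
    """Same shape as parse_javap, from the .class/.super/.method lines of smali."""
    app = {}
    for text in smali_files:
        cls = SMALI_CLASS_RE.search(text).group(1)
        sup = SMALI_SUPER_RE.search(text)
        app[cls] = {'super': sup.group(1) if sup else None,
                    'methods': {n + d for n, d in SMALI_METHOD_RE.findall(text)}}
    return app

def resolve(cls, name, desc, api_db, app):
    """Walk up from cls and return the API class that declares name+desc.
    None if an app class declares it itself (the override shadows the API
    method) or the chain leaves what the database knows."""
    seen = set()
    while cls and cls not in seen:
        seen.add(cls)
        entry = api_db.get(cls) or app.get(cls)
        if entry is None:
            return None
        if name + desc in entry['methods']:
            return cls if cls in api_db else None
        cls = entry['super']
    return None
```

With this database a call such as `Lcom/example/MainActivity;->startActivity(Landroid/content/Intent;)V` resolves to `Landroid/app/Activity;`, which is the name a config rule can match; an app-declared override resolves to nothing, because the invoke then reaches the app's code rather than the API's. Against a real android.jar you would loop over `api_classes()` and run javap once per class.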
18. How to use APIMonitor
usage: apimonitor.py [-h] [-o, --output dirpath] [-a, --api apilist] [-v, --version] filename

positional arguments:
  filename              path of APK file

optional arguments:
  -h, --help            show this help message and exit
  -o, --output dirpath  output directory
  -a, --api apilist     config file of API list
  -v, --version         show program's version number and exit
19. Specify APIs in Config File
$ ./apimonitor.py -a config_file -o outdir sample.apk
• API configuration file
  – One method: method signature without return value
    • Landroid/content/Intent;-><init>(Ljava/lang/String;)
  – All methods with the same name: method signature without parameters and return value
    • Landroid/content/Intent;-><init>
  – All methods of the same class: class signature
    • Landroid/content/Intent;
24. Real-world malware
• fishbot
  – It was found in China
  – Goal: find the C&C server URL, which is stored encrypted in the bytecode; monitoring the network API calls logs the plaintext URL at the moment the sample hands it to the API, with no need to reverse the decryption routine
(Figure: APIMonitor log showing the C&C server address.)
25. Future works
• Collect and classify sensitive Android APIs for different kinds of analysis
• Move APIMonitor to the cloud (under development)
• Do deep analysis on the monitoring logs to dig out more information
• Modify Dalvik to support dynamic instrumentation
26. References
• [1] TaintDroid: Realtime Privacy Monitoring on Smartphones
• [2] I-ARM-Droid: A Rewriting Framework for In-App Reference Monitors for Android Applications