APKInspector -Static Analysis of Android Applications

Student: Yuan Tian

Mentor: Cong Zheng

Backup Mentor: Anthony

 Kara Jianwei 

08/22/2012

• Background of Android Security• APKInspecctor

- Overview

- Features

- Demo

Introduction

Background

Android Security Scheme

• Linux process sandbox

• Permission based component interaction

• Permission labels defined in

AndroidManifest.xml

• Applications need to be signed

• Install time security decisions

Permissions

• Normal

android.permission.VIBRATE

com.android.alarm.permission.SET_ALARM

• Dangerous

android.permission.SEND_SMS

android.permission.CALL_PHONE

• Signature

android.permission.FORCE_STOP_PACKAGES

android.permission.INJECT_EVENTS

• SignatureOrSystem

android.permission.ACCESS_USB

android.permission.SET_TIME

Component Interaction

• Intents : IPC• Android Manifest.xml: Application’s policy

file• Component

• Activity: Define screens

• Service: Background processing

• Broadcast Receiver: Mailbox for messages from other applications

• Content Provider: Relational database for sharing information

Application Signature

• Applications are self-signed; no CA required

• Signature define persistence– Detect if the application has changed – Application update

• Signatures define authorship– Establish trust between applications – Run in same Linux ID

Malware Type

Abuse of Telephony Services

Root Exploitation

Sensitive Information Exposure

Package Repacking

Update attack

Analysis Techniques• Ded• smali/baksmali• Apktool• androguard

APKInspector Overview

• Integrate the previous static analysis tools and provides graphic features which bring convenience to the malware analysis

• Features:• CFG • Call Graph• Static Instrumentation• Permission Analysis• Dalvik codes• Smali codes• Java codes • APK Information

Improved Features

• Improvement of UI

• Adding of more features to assist the analysis of malware

• Bug Fix

Easy to use

Powerful Analysis

Flexible

UI Improvement• Automatically installation• Fine-grained Graph View to Source

View• Call Graph• Navigation• Better display of Control Flow Graph

New Analysis Features• Reverse the Code with Ded for Java A

nalysis• Static Instrumentation• Combine Permission Analysis• Add Support for odex

Bug Fix

Usage of APKInspector

• Installation with Shell Script• Analysis of APK

Usage of APKInspector

• Filter of Malicious behavior by permission analysis

Usage of APKInspector

• Smali code

Usage of APKInspector

• Static Code Instrumentation

Usage of APKInspector

• Dalvik Bytecode

Usage of APKInspector

• Control Flow Graph

Usage of APKInspector

• Java

Usage of APKInspector

• Navigation

Back & Forward

Current Method displayed

• Call Graph

Usage of APKInspector

Q&A

Thanks!

tianyuan186@gmail.com