Improving DroidBox

33b46802d1b3e009e6afacded0fd34df?s=47 Kun Yang
August 23, 2012

Improving DroidBox

Introduce New features of DroidBox: DroidBox for Android2.3 and APIMonitor.
Project is Supported by GSoC 2012 and The Honeynet Project.


Kun Yang

August 23, 2012


  1. 1.

    Improving our Android Application Sandbox (DroidBox) Student: Kun Yang <>

    ORG: The Honeynet Project Primary mentor: Patrik Lantz Backup mentor: Felix Leder Anthony Desnos Jianwei Zhuge
  2. 2.
  3. 3.

    Goals •  Port  DroidBox  to  support  Android  2.3   • 

    Repackage  APK  to  monitor  API  in  runAme  to   avoid  endless  upgrade  of  DroidBox
  4. 4.

    DroidBox  for  Android  2.3 •  Based  on  TaintDroid  2.3[1]  

    •  Fixed  some  bugs   – output  string  processing  related  bug   – network  file  descriptor  idenAfier  related  bug   •  Hooked  sensiAve  API  like  previous  version   •  Adjusted  some  hooking   – Moved  IO  hooking  to  naAve  code  layer   •  Released  beta  version  in  project  page
  5. 5.

    DroidBox APIMonitor •  Based  on  smali/baksmali   •  Parsed  smali

     into  tree  structure   •  Intercepted  different  kinds  of  methods   –  Instance  method   –  Constructor   –  StaAc  method   •  Output  parameters  and  return  value  of  different  types   –  Basic  type:  String.valueOf(type)   –  Object:  object.toString()   –  Array:  Java  ReflecAon   •  Build  API  database  to  detect  methods  inherited  from  API   •  Developed  APK  instrumentaAon  library(APKIL)  
  6. 8.

    Method  Interception •  Use  the  similar  framework  design  of  I-­‐ARM-­‐

    Droid[2]   •  Basic  workflow  example:   – Intercept  methods  in  class  Ljava/net/URL   1.  Define  new  class  Ldroidbox/java/net/URL   2.  Implement  corresponding  staAc  methods  to   monitor  (do  the  real  API  call  in  it)   3.  Replace  API  calls  with  new  methods
  7. 9.

    Intercept Instance Method Android API:  Ljava/net/URL;-­‐>openConnecAon()Ljava/net/ URLConnecAon;   Stub Method:

     staAc  Ldroidbox/java/net/URL;-­‐>openConnecAon (Ldroidbox/java/net/URL;)Ljava/net/URLConnecAon;   opcode: invoke-­‐virtual,  invoke-­‐super,  invoke-­‐interface(/range)  
  8. 10.

    Intercept Static Method Android API:   Landroid/net/Uri;-­‐>parse(Ljava/lang/String;)Landrod/ net/Uri   Stub

    Method:   staAc  Ldroidbox/android/net/Uri;-­‐>parse(Ljava/lang/ String;)Landrod/net/Uri   opcode: invoke-­‐staAc(/range)    
  9. 11.

    Intercept Constructor Android API:   Ljava/net/URL;-­‐><init>(Ljava/lang/String)V   Stub Method:  

    staAc  Ldroidbox/java/net/URL;-­‐>droidbox_cons(Ljava/ lang/String)Ljava/net/URL;   opcode: invoke-­‐direct(/range)   Does  it  always  work?  No!
  10. 13.

    Monitor Constructor We  can’t  intercept  constructors  by  replacing  them  with

     the  stub   methods.     Just  insert  new  method  droidbox_cons  for  monitoring.
  11. 14.

    Parameters Output •  Basic  Type   – String.valueOf(int)   – String.valueOf(long)  

    – String.valueOf(double)   – String.valueOf(fload)   – String.valueOf(short)   – String.valueOf(boolean)   – String.valueOf(byte)   – String.valueOf(char)
  12. 17.

    Build API Database •  Build  API  Database  to  detect  methods

      inherited  from  API   •  How  to  find  connecAons  of  classes  in  API   – find  all  class  names:  jar  –f  android.jar   – find  all  method  signatures  in  a  class:  javap  – bootclasspath  android.jar  –s  classname
  13. 18.

    How to use APIMonitor usage:  [-­‐h]  [-­‐o,  -­‐-­‐output  dirpath]

     [-­‐a,  -­‐-­‐api  apilist]  [-­‐v,  -­‐-­‐version]   filename     posiAonal  arguments:    filename                            path  of  APK  file   opAonal  arguments:    -­‐h,  -­‐-­‐help                        show  this  help  message  and  exit    -­‐o,  -­‐-­‐output  dirpath    output  directory    -­‐a,  -­‐-­‐api  apilist          config  file  of  API  list    -­‐v,  -­‐-­‐version                  show  program's  version  number  and  exit
  14. 19.

    Specify APIs in Config File  $./  –a  config_file  –o

     outdir  sample.apk •  API  configuraAon  file   –  One  method:  Method  signature  without  return  value   •  Landroid/content/Intent;-­‐><init>(Ljava/lang/String;)   –  All  methods  with  same  name:  Method  signature  without   parameters  and  return  value   •  Landroid/content/Intent;-­‐><init>   –  All  methods  of  the  same  Class:  Class  signature   •  Landroid/content/Intent;  
  15. 21.

    Demo logs •  APKILTests.apk   – Developed  to  test  APIMonitor  

    – Called  some  common  sensiAve  API  for  tesAng Get  IMEI/IMSI  &  MD5  hash
  16. 24.

    Real-­‐world  malware •  fishbot   – It  was  found  in  China

      – Goal:  Find  C&C  server  URL  which  is  encrypted  in   bytecode   C&C  Server  address
  17. 25.

    Future  works •  Collect  and  classify  sensiAve  Android  APIs  for

      different  use  of  analysis   •  Move  APIMonitor  to  the  cloud(under   developing)   •  Do  deep  analysis  on  monitoring  logs  to  dig   more  informaAon   •  Modify  dalvik  to  support  dynamic   instrumentaAon    
  18. 26.

    References •  [1]  TaintDroid:  RealAme  Privacy  Monitoring  on   Smartphones

      •  [2]  I-­‐ARM-­‐Droid:A  RewriAng  Framework  for  In-­‐ App  Reference  Monitors  for  Android   ApplicaAons   
  19. 27.

    Links •  Project  Page:  hkp:// droidbox   •  APIMonitor  Wiki:

     hkp:// droidbox/wiki/APIMonitor   •  APIMonitor  repo:  hkp:// apkil