TAINT_BROWSER Added value definiAons of some taint tags vm/naAve/dalvik_system_Taint.c Changed all the log tags from TaintLog to DroidBox Added an argument of random value to funcAon Dalvik_dalvik_system_Taint_logPathFromFd to match FdAccess log and FileRW log, which can tell what file is being read or wrigen (*)Excluded some file path started with “/dev/pts”, “/system”, “/data/app” and “/proc/” which is legal (*)Found a bug in TaintDroid for Android 2.3 that will make the log analyzer fail to output the correct final report of FileRW acAons(I will fix the bug in the future) libcore patch libcore/crypto/src/main/java/javax/crypto/Cipher.java Added a field key to track encrypAon and decrypAon keys Hacked the funcAon init to save encrypAon and decrypAon keys Hooked the funcAon doFinal to log cryptography informaAon libcore/crypto/src/main/java/javax/crypto/spec/SecretKeySpec.java Modified the constructor of SecretKeySpec Added a funcAon getKey for other module to log with libcore/dalvik/src/main/java/dalvik/system/DexClassLoader.java Hooked the constructor of DexClassLoader to monitor dynamic load and execuAon libcore/dalvik/src/main/java/dalvik/system/Taint.java Added and changed value definiAons of some taint tags as we did in Taint.h Added a helper funcAon toHex for logging Modified declaraAon of naAve funcAon logPathFromFd libcore/luni/src/main/java/java/io/FileDescriptor.java Added 3 fields to FileDescriptor: port, id and readBuffer, which will help to track. Hacked constructor for tracking libcore/luni/src/main/java/java/uAl/ProperAes.java Set the property Keep-‐Alive to false by default to avoid socket reuse libcore/luni/src/main/java/org/apache/harmony/luni/planorm/OSFileSystem.java Hooked the funcAons read and write to log file operaAons with help of modified logPathFromFd libcore/luni/src/main/java/org/apache/harmony/luni/planorm/OSNetworkSystem.java Replaced the funcAon getHostAddress with getHostName Added taint sinks or logging in the funcAons connect/connectNonBlocking/send/wirte/sendUrgentData (*)Many Network IO funcAons such as read in Android 2.1 are moved to naAve code in Android 2.3 so I did logging with naAve LOGW funcAon in org_apache_harmony_luni_planorm_OSNetworkSystem.cpp libcore/security/src/main/java/java/security/MessageDigest.java Added 2 fields to MessageDigest: taintTrack and taintTag, which will help to track IniAalized the two new fields in the constructor Hooked the funcAon digest to log libcore/security/src/main/java/org/apache/harmony/security/PrivateKeyImpl.java libcore/security/src/main/java/org/apache/harmony/security/provider/crypto/DSAPrivateKeyImpl.java libcore/security/src/main/java/org/apache/harmony/security/provider/crypto/DSAPublicKeyImpl.java libcore/security/src/main/java/org/apache/harmony/security/PublicKeyImpl.java libcore/security/src/main/java/org/apache/harmony/security/x509/X509PublicKey.java Added a funcAon getKey to these classes for other module to log with libcore/security/src/main/java/org/bouncycastle/jce/ (*)JCE library was not found in source code of Android 2.3 framework/base patch api/current.xml AutomaAcally generated using the command: make update-‐api core/java/android/app/AcAvity.java Captured the phone call acAon in the funcAon startAcAvity core/java/android/app/ContextImpl.java Added taint sources in the funcAon getInstalledApplica.on core/java/android/content/ContentResolver.java Taint sources were added by official team of TaintDroid in version 2.3 in the funcAon query Changed TAINT_HISTORY to TAINT_BROWSER (*)Instead of adding argument in CursorWrapperInner funcAon to log, DroidBox for Android 2.1 also added taint sources here by modifing the CursorWrapperInner funcAon and the constructor of class CursorWrapper, in the Android 2.3 I chose the method of TaintDroid team which is a ligle easier core/java/android/content/ContextWrapper.java Added hook in the funcAon startService to log telephony/java/android/telephony/SmsManager.java Add hooks in sendTextMessage to log telephony/java/android/telephony/TelephonyManager.java Add hooks in getDeviceId and getSubscriberId to log telephony/java/com/android/internal/telephony/PhoneSubInfo.java Changed the return values of getDeviceId and getSubscriberId from hardcoded values to real value to prevent emulator evasion