Dynamic Analysis of Android Apps


ANALYSIS CODE

While the executables are sufficient for reproducing our study results, we also share the source code so that (1) the toolkit can be customized by interested readers to conduct similar characterizations but with varied metrics, and (2) development of different dynamic analysis tools can be facilitated by reusing some of the components in the toolkit.

The source directory (code) includes six components:

• dynCG: a dynamic call graph construction and search tool, which profiles all method calls of an app, including those via reflection and in exception-handling constructs.
• eventTracker: a profiler of system and user-interface events that occurred during an app execution.
• intentTracker: a tracer of Intent objects carried by all exercised inter-component communications at runtime.
• covTracker: a statement coverage tracker working on the APK (without relying on the source code) of an app.
• utils: various utilities for bytecode instrumentation and manipulation, including a bytecode transformer that adds exception-handling constructs to specified methods.
• reporters: a set of statistics calculators for computing characterization metrics from an app execution trace.

All these components are based on Soot [2] using its Jimple IR. The first four can work as standalone tools and are extensible; they demonstrate how to readily write a dynamic analysis tool using Soot and can be used as code templates for that purpose. In particular, previous works that measured statement coverage for Android apps relied on source code of the apps. The utils component can be immediately reused for building various Soot-based tools. A build file and all libraries required are included in the artifact package. Also included are scripts for running these tools, scripts for experimental data analysis, and various other helper scripts (used to download, install/uninstall, query, and launch APKs, etc.).

DATASET

Study results. The data directory (data) includes the raw data of our study along with the results presented in the research paper. The data on metrics in three dimensions (General/Structure, ICC, and Security) is placed in the respective folder. R scripts for producing final results from the raw data in each folder are included accordingly. Each raw data file is explained here, and the purpose of each R script is explained here. A convenience script produceall.sh is included under data for processing all the raw data at once.

Benchmark suites. Our study used two benchmark suites: a suite of 125 individual apps and a suite of 62 app pairs that actually communicate at runtime as quickly triggered by random inputs from Monkey [4]. The first suite can be readily downloaded from Google Play using our helper scripts. The list of these apps is included (in data/benchmarks/used-benig-apps-droidfax.txt). The second suite is even more worthy of sharing because finding a set of apps with dynamically communicating peers is not trivial. This suite is particularly useful for evaluating an inter-app dynamic analysis for Android. We have not only provided the pairs but also the statistics on the ICCs that linked them at runtime in our study (as detailed in data/benchmarks/app-pair-statistics.html).

Characterization metrics. We defined a set of 122 metrics in the three dimensions mentioned above. These metrics have been used for discovering new insights into the behavioral traits of Android apps in our study. Furthermore, they have been utilized for developing advanced malware classifiers as well (based on the behavioral profile, defined by these metrics, of benign apps versus malware) [5]. These metrics (detailed here) can be used by others for understanding app behaviors and reused for future studies and techniques.


[1] K. Tam, A. Feizollah, N. B. Anuar, R. Salleh, and L. Cavallaro, “The evolution of Android malware and Android analysis techniques,” ACM Computing Surveys, vol. 49, no. 4, p. 76, 2017.
[2] P. Lam, E. Bodden, O. Lhoták, and L. Hendren, “Soot – a Java bytecode optimization framework,” in Cetus Users and Compiler Infrastructure Workshop, 2011, pp. 1–11.
[3] H. Cai and B. Ryder, “Understanding Android application programming and security: A dynamic study,” in Proceedings of International Conference on Software Maintenance and Evolution, 2017.
[4] Google, “Android Monkey,” http://developer.android.com/tools/help/monkey.html, 2015.
[5] H. Cai, N. Meng, B. Ryder, and D. Yao, “Droidcat: Unified dynamic detection of Android

As Android continues to gain momentum in mobile computing, increasing research has been invested in analyzing Android apps. In particular, due to inherent limitations of static analysis (e.g., in dealing with dynamic language constructs and code obfuscation), dynamic analysis has been recognized as an alternative or complement [1]. However, in contrast to reusable utilities available for static analysis of Android apps (e.g., [2]), such utilities for dynamic analysis of apps are rare. To facilitate research based on dynamic app analysis, we share a set of reusable and extensible artifacts that we have applied for our recent dynamic characterization study of Android apps [3]. We show how these artifacts can be used to reproduce the study. Moreover, we briefly discuss how they can be reused and extended for more applications. The artifact package along with details on setup and usage instructions is available here. The package consists of the analysis code and dataset used in the study, and a VM for demonstration and replication

