Project 11 - Improve our Android application sandbox (DroidBox)

Student: Kun Yang
Primary mentor: Patrik Lantz
Backup mentor: Felix Leder, Anthony Desnos, Jianwei Zhuge

Google Melange: http://www.google-melange.com/gsoc/project/google/gsoc2012/kelwya/23001

Project Overview:
DroidBox, developed by Patrik Lantz, offers dynamic analysis of Android applications: suspicious behavior and information leakage are logged while the application runs in an instrumented emulator. This project aims at extending the functions and usability of DroidBox by porting it to Android 2.3, providing more detailed API tracing and interactive visualization, achieving automated analysis in the cloud, and discovering/preventing emulator evasion techniques. A new APK repackaging method will also be introduced to make DroidBox easier to maintain and port.

Project Plan:

  • April 23 - May 20: Community Bonding Period
  • May 21 - May 27: Porting DroidBox to support Android 2.3 based on current work and adding more detailed API tracing.
  • May 28 - June 3: Discovering, testing and preventing emulator evasion techniques that rely on features the Android emulator does not support.
  • June 4 - July 3: Implementing the APK repackaging method.
  • July 4 - July 8: Preparing for the midterm evaluation.
  • July 9 - July 15: Testing and improving the APK repackaging method.
  • July 16 - July 28: Using HTML5, JavaScript, SVG and other techniques to achieve interactive visualization of analysis results on the web.
  • July 29 - Aug 12: Moving automated analysis to the cloud, combined with the interactive visualization.
  • Aug 13 - Aug 24: Testing and improving documentation, then preparing for the final evaluation.
  • August 31: Public code uploaded and available to Google

Project Deliverables:

  • A new version of DroidBox with the new features mentioned above
  • A cloud service to monitor execution and generate analysis reports of APK samples automatically
  • Project Source Code Repository:
    https://github.com/kelwin

Student Weekly Blog: https://www.honeynet.or/blog/344

Project Useful Links:

  • DroidBox
  • TaintDroid
  • TaintDroid OSDI '10 paper
  • Dalvik opcodes

Project Updates:

May 27

Done last week:
  • Pushed my previous work to my github
  • Fixed File IO tracing and log truncation bugs
  • Tried to add network read tracing but came across problems
Planned next week:
  • Fix the network read tracing bug
  • Test more samples to ensure system stability

June 10

Done last 2 weeks:
  • Added code in native code to fix the network read bug
  • Fixed a bug to distinguish between UDP and TCP
  • Started to test new system images for DroidBox
Planned next week:
  • Design and code the framework of the APK repackaging module

June 17

Done last week:
  • Postponed emulator evasion techniques to the end
  • Evaluated different methods and existing tools
  • Read some related papers
Planned next week:
  • Start to implement the APK repackaging module based on the androguard API

June 24

Done last week:
  • Wrote some code based on androguard and found the amount of work is too big
  • Decided to develop a python module APKIL (APK Instrumentation Library) based on smali
  • Wrote code to parse smali files into a tree-based structure
Planned next week:
  • Design and implement some instrumentation API
  • Give some easy examples of patching

July 2

Done last week:
  • Implemented some instrumentation API
  • Tested hooking one API successfully
Planned next week:
  • Write some code to generate API monitor methods automatically
  • Select a collection of sensitive APIs as default configuration

July 17

Done last weeks:
  • Finished mid-term evaluation
  • Implemented code to instrument any invoke-virtual API
  • Successfully monitored file IO APIs in DroidBoxTests.apk
Planned next week:
  • Continue to select a collection of sensitive APIs as default configuration
  • Think of ways to present logs well

July 31

Done last weeks:
  • Instrumented smali code directly (the previous version generated java code and instrumented the compiled bytecode) to do monitoring
  • Implemented code to monitor constructor methods
  • Implemented code to monitor static methods
  • Adjusted the output log to a cleaner format
Planned next weeks:
  • Start to design and implement a web interface to achieve dynamic analysis using instrumentation

August 13

Done last weeks:
  • Built an API database with inheritance relationships from different levels of android.jar
  • Detected and added monitoring of inherited methods
  • Found some rare grammar of smali and fixed the corresponding bugs in the parser
Planned next weeks:
  • Adjust code for basic release
  • Prepare materials for final evaluations
  • Try to make a simple demo of the web interface
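The updates above outline the smali-level instrumentation approach of APKIL (parse smali into a tree, hook invoke-virtual and static calls, handle constructors, and resolve inherited methods through an API database). The following is an added example, not code from DroidBox or APKIL, showing one way those pieces fit together: it parses a constructed smali class into a method tree, resolves each invoke target through an assumed class-hierarchy table so calls to inherited methods are caught, and inserts an invoke-static to a generated monitor method that receives the same registers as the original call. The monitor class name `Lapkil/Monitor;`, the `hook_*` naming scheme, the `HIERARCHY` table and the `MONITORED` API list are all assumptions made for the example; the sample smali and the sensitive-API list are constructed.

```python
"""Smali call-site instrumenter in the spirit of the APKIL approach noted in the
updates above (added example, assumed design): parse smali into a method tree,
resolve each invoke target through a class-hierarchy table, and hook monitored
APIs with a generated static monitor method that takes the same registers."""
import re
import zlib

INVOKE_RE = re.compile(r"^(\s*)(invoke-(?:virtual|direct|static)) \{([^}]*)\}, "
                       r"(L[^;]+;)->([^(]+)(\([^)]*\)\S+)\s*$")
MONITOR_CLASS = "Lapkil/Monitor;"  # assumed name of the generated monitor class
# Assumed hierarchy table (the real tool would build it from android.jar).
HIERARCHY = {"Lcom/example/LeakyActivity;": "Landroid/app/Activity;",
             "Landroid/app/Activity;": "Landroid/content/Context;"}
# Constructed sensitive-API list: (declaring class, method name, descriptor).
MONITORED = {("Landroid/content/Context;", "startActivity", "(Landroid/content/Intent;)V"),
             ("Ljava/io/FileOutputStream;", "<init>", "(Ljava/lang/String;)V")}
# Constructed sample: an Activity that writes a file and launches an Intent.
SAMPLE_SMALI = """\
.class public Lcom/example/LeakyActivity;
.super Landroid/app/Activity;
.method public onCreate(Landroid/os/Bundle;)V
    .registers 5
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    new-instance v0, Ljava/io/FileOutputStream;
    const-string v1, "/sdcard/out.txt"
    invoke-direct {v0, v1}, Ljava/io/FileOutputStream;-><init>(Ljava/lang/String;)V
    new-instance v2, Landroid/content/Intent;
    invoke-direct {v2}, Landroid/content/Intent;-><init>()V
    invoke-virtual {p0, v2}, Lcom/example/LeakyActivity;->startActivity(Landroid/content/Intent;)V
    return-void
.end method
"""

def parse_smali(text):
    """Return (preamble lines, [(method header line, body lines), ...])."""
    preamble, methods, cur = [], [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith(".method "):
            cur = (line, [])
        elif s == ".end method":
            methods.append(cur)
            cur = None
        elif cur is not None:
            cur[1].append(line)
        else:
            preamble.append(line)
    return preamble, methods

def resolve(target, name, desc, hierarchy=HIERARCHY):
    """Walk from the call-site class up its superclasses; return the monitored
    declaring class, so calls to inherited methods are caught as well."""
    seen = set()
    while target and target not in seen:
        if (target, name, desc) in MONITORED:
            return target
        seen.add(target)
        target = hierarchy.get(target)
    return None

def make_hook_name(owner, name, desc):
    """Smali method names cannot contain < > / ; ( so derive a safe, unique name."""
    base = re.sub(r"[^A-Za-z0-9]", "_", owner[1:-1] + "_" + name.strip("<>"))
    return f"hook_{base}_{zlib.crc32(desc.encode()):08x}"

def instrument(preamble, methods, hierarchy=HIERARCHY):
    """Return (patched smali text, {hook name: parameter descriptors})."""
    hooks, out = {}, list(preamble)
    for header, body in methods:
        out.append(header)
        for line in body:
            mt = INVOKE_RE.match(line)
            owner = mt and resolve(mt.group(4), mt.group(5), mt.group(6), hierarchy)
            if not owner:
                out.append(line)
                continue
            indent, kind, regs, _, name, desc = mt.groups()
            params = desc[1:desc.index(")")]
            if kind != "invoke-static":
                params = owner + params  # receiver becomes the first parameter
            hook = make_hook_name(owner, name, desc)
            hooks[hook] = params
            call = f"{indent}invoke-static {{{regs}}}, {MONITOR_CLASS}->{hook}({params})V"
            # Before invoke-direct <init> the receiver is still uninitialized and the
            # verifier rejects passing it on, so constructors are hooked afterwards.
            out.extend([line, call] if name == "<init>" else [call, line])
        out.append(".end method")
    return "\n".join(out) + "\n", hooks

def register_count(params):
    """Registers the parameters occupy (J and D are wide and take two)."""
    return sum(2 if t in ("J", "D") else 1 for t in re.findall(r"\[*(?:L[^;]*;|.)", params))

def monitor_class_smali(hooks):
    """Emit the monitor class; each hook logs its own name through android.util.Log."""
    out = [f".class public {MONITOR_CLASS}", ".super Ljava/lang/Object;", ""]
    for hook, params in hooks.items():
        n = register_count(params)  # parameters sit in the top n registers; v0, v1 are free
        out += [f".method public static {hook}({params})V", f"    .registers {n + 2}",
                '    const-string v0, "DroidBox"', f'    const-string v1, "{hook}"',
                "    invoke-static {v0, v1}, Landroid/util/Log;->v(Ljava/lang/String;Ljava/lang/String;)I",
                "    return-void", ".end method", ""]
    return "\n".join(out)
```

Running `instrument(*parse_smali(SAMPLE_SMALI))` hooks two of the three invokes: the `FileOutputStream` constructor (hooked after the `invoke-direct`, because the receiver is not yet initialized before it) and `startActivity`, which the call site names on `Lcom/example/LeakyActivity;` but which resolves to `Landroid/content/Context;` through the hierarchy table; the unmonitored `Intent.<init>` is left alone. Giving each monitor method the same register list as the original invoke means no extra registers have to be allocated in the patched method, which is what keeps this kind of rewrite simple to apply to arbitrary smali.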