-
Notifications
You must be signed in to change notification settings - Fork 45
Inter Application Analysis
lilicoding edited this page Dec 1, 2014
·
6 revisions
IccTA is dedicated to perform inter-component static taint analysis. Since the mechanism of inter-app communication (IAC) for Android is as same as the mechanism of inter-component communication (ICC). Thus, we perform a tool called ApkCombiner, which combines multiple Android apps to one to enable IccTA to perform inter-app analysis.
In order to perform IAC analysis, the users can following the next steps.
-
- Running Epicc for each application that you wish to analyse. In this step, Epicc will also automatically build IAC links.
-
- Running ApkCombiner to combine apps.
-
- Running IccTA on the combined app of step 2) to detect IAC leaks. It is not recommended to run Epicc on the combined app instead of running each original app. Because currently ApkCombiner is really an naive approach which may cause conflicts.
Now, we show an example to illustrate how IccTA is going to detect IAC leak.
Test case: InterAppCommunication_sendBroadcast1 of DroidBench.
# step 1) Running Epicc on InterAppCommunication_sendbroadcast1_source.apk and InterAppCommunication_sendbroadcast1_sink.apk separately.
./runEpicc.sh $DroidBench/apk/InterAppCommunication_sendBroadcast1/InterAppCommunication_sendbroadcast1_source.apk
./runEpicc.sh $DroidBench/apk/InterAppCommunication_sendBroadcast1/InterAppCommunication_sendbroadcast1_sink.apk
# step 2) Running ApkCombiner
./runApkCombiner.sh $DroidBench/apk/InterAppCommunication_sendBroadcast1/InterAppCommunication_sendbroadcast1_source.apk $DroidBench/apk/InterAppCommunication_sendBroadcast1/InterAppCommunication_sendbroadcast1_sink.apk
# step 3) Running IccTA on the combined app
# The above command will generate a new app called lu.uni.serval.iac_sendbroadcast1_source-ac-lu.uni.serval.iac_sendbroadcast1_sink.apk.
java -jar IccTA.jar -apkPath lu.uni.serval.iac_sendbroadcast1_source-ac-lu.uni.serval.iac_sendbroadcast1_sink.apk -androidJars /Users/li.li/Project/github/android-platforms -iccProvider epicc -intentMatchLevel 3 -enableDB
Afterwords, IccTA will yield the next result.
The sink staticinvoke <android.util.Log: int i(java.lang.String,java.lang.String)>("DroidBench", $r3) in method <lu.uni.serval.iac_sendbroadcast1_sink.InFlowReceiver: void onReceive(android.content.Context,android.content.Intent)> was called with values from the following sources:
- - $r3 = virtualinvoke $r5.<android.telephony.TelephonyManager: java.lang.String getDeviceId()>() on line 17 in method <lu.uni.serval.iac_sendbroadcast1_source.OutFlowActivity: void onCreate(android.os.Bundle)>
- on Path:
- -> <lu.uni.serval.iac_sendbroadcast1_source.OutFlowActivity: void onCreate(android.os.Bundle)>
- -> $r3 = virtualinvoke $r5.<android.telephony.TelephonyManager: java.lang.String getDeviceId()>()
- -> <lu.uni.serval.iac_sendbroadcast1_source.OutFlowActivity: void onCreate(android.os.Bundle)>
- -> virtualinvoke $r2.<android.content.Intent: android.content.Intent putExtra(java.lang.String,java.lang.String)>("DroidBench", $r3)
- -> <lu.uni.serval.iac_sendbroadcast1_source.OutFlowActivity: void onCreate(android.os.Bundle)>
- -> staticinvoke <IpcSC: void redirector0(android.content.Intent)>($r2)
- -> <IpcSC: void redirector0(android.content.Intent)>
- -> specialinvoke $r1.<lu.uni.serval.iac_sendbroadcast1_sink.InFlowReceiver: void <init>(android.content.Intent)>($r0)
- -> <lu.uni.serval.iac_sendbroadcast1_sink.InFlowReceiver: void <init>(android.content.Intent)>
- -> <lu.uni.serval.iac_sendbroadcast1_sink.InFlowReceiver: android.content.Intent intent_for_ipc> = $r1
- -> <lu.uni.serval.iac_sendbroadcast1_sink.InFlowReceiver: void dummyMainMethod()>
- -> $r1 = <lu.uni.serval.iac_sendbroadcast1_sink.InFlowReceiver: android.content.Intent intent_for_ipc>
- -> <lu.uni.serval.iac_sendbroadcast1_sink.InFlowReceiver: void dummyMainMethod()>
- -> virtualinvoke $r0.<lu.uni.serval.iac_sendbroadcast1_sink.InFlowReceiver: void onReceive(android.content.Context,android.content.Intent)>(null, $r1)
- -> <lu.uni.serval.iac_sendbroadcast1_sink.InFlowReceiver: void onReceive(android.content.Context,android.content.Intent)>
- -> $r3 = virtualinvoke $r2.<android.content.Intent: java.lang.String getStringExtra(java.lang.String)>("DroidBench")
- -> <lu.uni.serval.iac_sendbroadcast1_sink.InFlowReceiver: void onReceive(android.content.Context,android.content.Intent)>
- -> staticinvoke <android.util.Log: int i(java.lang.String,java.lang.String)>("DroidBench", $r3)