miwong / Intellidroid

Licence: other
A targeted input generator for Android that improves the effectiveness of dynamic malware analysis.


IntelliDroid

IntelliDroid is an analysis tool for Android applications that extracts call paths leading to specific behavior and executes these paths precisely during run time. When given a set of targeted behaviors, the static analysis component traverses the application's call graph to find paths to these behaviors. It also extracts path constraints, which are used to determine the input values that can trigger these paths. The dynamic component takes the extracted paths/constraints and injects the input values into the Android device, triggering the targeted behaviors.
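As an added illustration of what the static component does (this is example code written for this page, not IntelliDroid's own implementation, which builds the call graph with WALA and hands the constraints to Z3), the toy below walks a constructed call graph from entry points to a targeted method, collects the branch guards along each path as a path condition, and then picks concrete input values that satisfy them. The method names, guard format and input variable names are all made up for the example.

```python
"""Toy targeted call-path extraction and constraint solving (added example).

Not IntelliDroid's code: the real tool builds the call graph with WALA and
passes path constraints to Z3. The graph, method names and guard format
below are constructed for illustration.
"""

# Constructed call graph: caller -> [(callee, guard)], where guard is the branch
# condition that must hold for the call site to be reached (None = unconditional).
# A guard is (input_variable, operator, value); the variable names are invented.
CALL_GRAPH = {
    "SmsReceiver.onReceive": [
        ("SmsReceiver.handle", ("sms.sender", "==", "+15550001")),
        ("Logger.log", None),
    ],
    "SmsReceiver.handle": [
        ("Exfil.send", ("sms.body", "startswith", "CMD:")),
    ],
    "MainActivity.onCreate": [
        ("Logger.log", None),
        ("Exfil.send", ("intent.action", "==", "com.example.START")),
    ],
    "Exfil.send": [("android.telephony.SmsManager.sendTextMessage", None)],
    "Logger.log": [],
    "android.telephony.SmsManager.sendTextMessage": [],
}
ENTRY_POINTS = ["SmsReceiver.onReceive", "MainActivity.onCreate"]
TARGETS = {"android.telephony.SmsManager.sendTextMessage"}


def find_targeted_paths(graph, entry_points, targets):
    """Return (path, constraints) for every acyclic path from an entry point to a target.

    constraints is the list of guards met along the path, i.e. the path
    condition an input must satisfy to drive execution down that path.
    """
    results = []
    for entry in entry_points:
        stack = [(entry, [entry], [], {entry})]
        while stack:
            node, path, cons, seen = stack.pop()
            if node in targets:
                results.append((path, cons))
                continue
            for callee, guard in graph.get(node, []):
                if callee in seen:      # skip recursion so the search terminates
                    continue
                stack.append((callee, path + [callee],
                              cons + ([guard] if guard else []), seen | {callee}))
    return results


def solve(constraints):
    """Assign concrete string inputs satisfying all guards; None if contradictory.

    Equality guards fix a value; prefix guards are then checked against any
    fixed value or, if the variable is still free, satisfied with a witness.
    (The real tool hands this job to an SMT solver, Z3.)
    """
    env = {}
    for var, op, val in constraints:
        if op == "==":
            if var in env and env[var] != val:
                return None
            env[var] = val
    for var, op, val in constraints:
        if op == "startswith":
            if var not in env:
                env[var] = val + "x"          # any string carrying the prefix
            elif not env[var].startswith(val):
                return None
    return env


def triggering_inputs(graph=CALL_GRAPH, entry_points=ENTRY_POINTS, targets=TARGETS):
    """Map each feasible path (joined with ' -> ') to the input that triggers it."""
    out = {}
    for path, cons in find_targeted_paths(graph, entry_points, targets):
        inputs = solve(cons)
        if inputs is not None:           # infeasible paths are dropped
            out[" -> ".join(path)] = inputs
    return out


if __name__ == "__main__":
    for path, inputs in triggering_inputs().items():
        print(path)
        print("   inputs:", inputs)
```

The two paths found here correspond to two different entry points (a broadcast receiver and an activity), which is why the dynamic side needs to know both the path and its inputs: the same sink is reached through different events with different data.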

For further details, please see our paper and slides (NDSS 2016).

Components

Framework Analysis

The 'FrameworkAnalysis' performs static analysis to generate constraints for the Android framework. We currently provide the output framework constraints so that they can be added to the application constraints produced by the 'AppAnalysis' component.

App Analysis

The 'AppAnalysis' directory holds the code that generates constraints for Android applications.

Contents:

Directory    Description
preprocess   Scripts to extract and preprocess an APK file before passing it to the tool.
src          Source code files.
libs         Dependencies, including the necessary WALA libraries. [1]
android      Compiled Android framework files (to be analyzed), from AOSP version 4.4.2_r2.

[1] We have made slight changes to WALA's call graph generation to improve IntelliDroid's performance. The modified source code can be found here.

Building and running

This project uses the Gradle build system. Output files are located in the build/ directory. The gradlew script is a wrapper for machines that do not have Gradle already installed. If your development machine already contains Gradle, you can use your own installation by replacing ./gradlew with gradle in the commands below. A network connection is required when compiling the code for the first time so that Gradle can automatically download dependencies.

The included Android framework files in the android directory were compiled using JDK 1.6, but the apktool used in the preprocessing scripts requires JDK 1.7. We recommend using JDK 1.7, as that seems to work best. If necessary, you can replace the files in the android directory to try different versions of AOSP or JDK.

Preprocessing APK files:

The target APK file to be analyzed should first be preprocessed using the scripts in the preprocess folder. The resulting directory (containing the APK file and the extracted resources) can then be passed to the static analysis.

The preprocessing scripts use Apktool and Dare to extract the APK package. You can use your own extraction tools, but you may then have to modify the app analysis code so that IntelliDroid can find the bytecode and manifest files for a given application.

./preprocess/PreprocessAPK.sh <APK file>
./preprocess/PreprocessDataset.sh <directory of APK files>

To build:

./gradlew build

To build and run:

./IntelliDroidAppAnalysis -o <output directory> <preprocessed app directory>

To see other command-line options, run:

./IntelliDroidAppAnalysis --help

The output directory is used to store the app info JSON file and the Z3 constraint files. If not specified, these files will be stored in ./pathOutput. The output files are used by the IntelliDroidDynamicClient tool to identify the call paths and to generate the input data to trigger these paths.

The appInfo.json and constraintX_X.py files produced in the output directory are necessary for the dynamic client, but are not very readable. The -y flag can be used to obtain a more readable (but output-heavy) version of the path/constraint results (printed in stdout).

Dynamic Client

The 'DynamicClient' directory contains the python program that communicates with the Android device and sends the inputs that trigger the desired events.

Setting up the environment

The program expects an Android device or emulator to be connected to the system. This device must be running the custom Android OS containing IntelliDroidService (which interprets the commands this program sends and performs the actual event invocation). The DynamicClient program will automatically connect to the device via a socket on port tcp:12348. The adb tool is used to set up the connection and to run certain commands, so it must be reachable from PATH (add the Android SDK directory containing adb to the PATH variable, or set up the AOSP build environment before running the DynamicClient).

In addition, the DynamicClient uses the Z3 constraint solver via its Python API (z3-py). The instructions to build and install Z3 with Python bindings are available here.

Patching IntelliDroidService

The custom Android OS used by IntelliDroid is provided as a series of diff files that can be applied to the base AOSP source tree. IntelliDroid is currently implemented for Android 4.3 (AOSP branch android-4.3_r1). Please refer to the AOSP documentation for instructions on how to download and build Android.

Once you have downloaded and compiled the correct AOSP version, you can apply the IntelliDroid patches, which are located in the androidPatches directory. The patch.sh and unpatch.sh files are provided to help automate this process. After patching, rebuild AOSP (we've found that you might have to run make twice; otherwise, certain files on the emulator become inconsistent). You may also need to run make update-api along with make. Once built, you can use logcat to verify that the IntelliDroidService class is started as a system service when the device boots.
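Two of the requirements above are easy to get wrong on a fresh machine: adb must be on PATH with exactly one device online, and the patched build must actually have started IntelliDroidService. The following preflight helper is added here as an example (it is not part of IntelliDroid or its DynamicClient); it parses `adb devices` output, prepares the `adb forward` command for the client's port 12348, and scans logcat for the service. The sample outputs are constructed, and the exact text IntelliDroidService logs on startup is an assumption; the check only looks for the class name.

```python
"""Preflight checks for the DynamicClient environment (added example).

Not part of IntelliDroid: a helper written for this page that verifies what the
README asks for before the client runs: adb on PATH, exactly one device online,
and the IntelliDroidService visible in logcat. The log line format is assumed.
"""
import shutil
import subprocess

INTELLIDROID_PORT = 12348            # port the DynamicClient connects to
SERVICE_TAG = "IntelliDroidService"  # class name given in the README

# Constructed samples of the two command outputs, for offline use and tests.
SAMPLE_DEVICES = "List of devices attached\nemulator-5554\tdevice\n\n"
SAMPLE_LOGCAT = ["I/SystemServer( 377): Starting IntelliDroidService"]  # assumed format


def adb_path():
    """Return the adb executable found on PATH, or None (README: adb must be on PATH)."""
    return shutil.which("adb")


def parse_adb_devices(output):
    """Parse 'adb devices' text into [(serial, state)], ignoring daemon chatter."""
    lines = output.splitlines()
    try:
        start = lines.index("List of devices attached") + 1
    except ValueError:
        return []
    devices = []
    for line in lines[start:]:
        parts = line.split()
        if len(parts) >= 2:
            devices.append((parts[0], parts[1]))
    return devices


def pick_device(devices):
    """Return the serial of the single online device, or raise with the reason."""
    online = [serial for serial, state in devices if state == "device"]
    if not online:
        raise RuntimeError("no device/emulator in 'device' state (offline or unauthorized?)")
    if len(online) > 1:
        raise RuntimeError("more than one device attached; select one: %s" % online)
    return online[0]


def forward_cmd(serial, port=INTELLIDROID_PORT):
    """adb command that forwards the client's local port to the service on the device."""
    return ["adb", "-s", serial, "forward", "tcp:%d" % port, "tcp:%d" % port]


def service_started(logcat_lines):
    """True if any logcat line mentions the IntelliDroidService class."""
    return any(SERVICE_TAG in line for line in logcat_lines)


def preflight(devices_output, logcat_lines):
    """Run all checks on captured command output; return the adb forward command."""
    if adb_path() is None:
        raise RuntimeError("adb not found on PATH")
    serial = pick_device(parse_adb_devices(devices_output))
    if not service_started(logcat_lines):
        raise RuntimeError("IntelliDroidService not seen in logcat; is the patched AOSP build running?")
    return forward_cmd(serial)


if __name__ == "__main__":
    devices = subprocess.run(["adb", "devices"], capture_output=True, text=True).stdout
    logcat = subprocess.run(["adb", "logcat", "-d"], capture_output=True, text=True).stdout.splitlines()
    print(" ".join(preflight(devices, logcat)))
```

Run it once after the emulator boots; if the service line is missing, rebuild AOSP (twice, as noted above) before blaming the client.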

To apply patches:
cd androidPatches
./patch.sh <path to AOSP directory>

Running

To run:
./IntelliDroidDynamicClient.py
Commands:

HELP (get description of commands)
INSTALL <APK file>
START <directory to app information, generated by IntelliDroidAppAnalysis>
TRIGGER <call path ID to trigger, as specified in appInfo.json>
EXECUTE <command to send to IntelliDroidService> [1]
INFO <info requested from IntelliDroidService> [1]
CLOSE
KILL

[1] These commands are for debugging purposes only. Use them only if you know the exact parameters that IntelliDroidService expects.

TaintDroid Integration

Integration with TaintDroid is fairly straightforward. For the 'AppAnalysis' component, use the -t flag to specify a different list of targeted methods (i.e. the provided taintdroidTargets.txt file).

./IntelliDroidAppAnalysis -t taintdroidTargets.txt <preprocessed app directory>

On the dynamic side, follow the instructions here to download and build TaintDroid for Android 4.3. Once you have verified that your build of TaintDroid works, apply the patches in DynamicClient/androidPatches in the same way as you would for unmodified AOSP.

Contact

IntelliDroid was initially developed as a Master's thesis project by Michelle Wong at the University of Toronto, supervised by Dr. David Lie.

For any inquiries, please contact:

The following have contributed code to IntelliDroid:

  • Michelle Wong
  • Dr. David Lie
  • Mariana D'Angelo
  • Peter Sun

License

IntelliDroid is released under the MIT License.
