#import "../lib.typ": todo, epigraph, eg, APK, jm-note

= Introduction

// https://youtu.be/si9iqF5uTFk?t=1512
#epigraph("Rear Admiral Grace Hopper")[If during the next 12 months any one of you says "but we have always done it that way", I will instantly materialize beside you and I will haunt you for 24 hours.]

// Since time immemorial, people have made Android apps ...

Android has been the most used mobile operating system since 2014, and since 2017 it even surpasses Windows across all platforms combined#footnote[https://gs.statcounter.com/os-market-share#monthly-200901-202304]. The public adoption of Android is confirmed by application developers, with 1.3 million apps available in the Google Play Store in 2014 and 3.5 million apps available in 2017#footnote[https://www.statista.com/statistics/266210]. Its popularity makes Android a prime target for malware developers. Various applications have been shown to behave maliciously, from stealing personal information~@shanSelfhidingBehaviorAndroid2018 to hijacking the phone's computing resources to mine cryptocurrency~@adjibi_devil_2022.

Considering the importance of Android in the everyday life of so many people, Google, the company that develops Android, defined a very strong security model that addresses an extensive threat model~@mayrhofer_android_2021. This threat model goes as far as to consider that an adversary can have physical access to an unlocked device (#eg an abusive partner, or a border control). // Americaaaaa
On the device, this security model implies the sandboxing of each application, with a system of permissions to allow applications to perform potentially unwanted actions. For example, an application cannot access the contact list without first requesting the permission from the user.

Android keeps improving its security from version to version, be it by improving the sandboxing (#eg starting with Android 10, applications can no longer access the clipboard if they are not focused) or by safer defaults (#eg since Android 9, by default, all network connections must use TLS).

// Android Bouncer, it still does not work very well etc. etc. (stalkerware?)

/*
 * Android security explained to my grandmother
 * explain gently, show every angle of security: hardening the OS, detecting malware, reverse engineering
 *
 * what is reverse engineering?
 * arrive at the problem that the cases that do not work are often ignored (quantify, table?) and done by hand in those cases
 * cause, why?
 * can we try to fix it?
 *
 * plan: chapters, somewhat long summary of the chapters.
 */

#todo[develop the "Since time immemorial, people" opening]
#todo[Introduce the problem statement:]
#todo[1) results too good on easy datasets]
#todo[2) easy to trick: shadow attacks]
#todo[3) cannot handle dynamic loading and reflection]

#[
#set heading(numbering: none, outlined: false, bookmarked: false)

== Contributions

The contributions of this thesis are the following:

+ We evaluate the reusability of Android static analysis tools published by the community: we rebuild the tools in their original environment as container images. With those containers, the tools are now readily available to anyone capable of running either Docker or Singularity. We also tested those tools on a dataset of real-life applications, balanced in order to have a significant number of applications with different characteristics, to assess which characteristics impact the success of a tool. This work was presented at the ICSR 2024 conference~@rasta.

+ We model the default class loading behavior of Android. Based on this model, we defined a class of obfuscation techniques that we called _shadow attacks_, where a class definition in an #APK shadows the actual class definition. We show that common state-of-the-art tools like Jadx or Flowdroid do not implement this model correctly and thus can fall for those shadow attacks. We surveyed a large number of recent Android applications and found that applications with classes shadowing the actual definition do exist; those are the result of quirks in the #APK compilation process and not deliberate obfuscation attempts. This work was published in the Digital Threats journal~@classloaderinthemiddle. #todo[update ref when not 'just published' anymore]

+ We propose an approach to allow static analysis tools to analyse applications that perform dynamic code loading: we collect at runtime the dynamically loaded bytecode and the reflection call information, and patch the #APK file to perform those operations statically. Finally, we evaluate the impact this transformation has on the #jm-note[resilience][wrong word?] of the tools we containerized previously.

== Outline

This dissertation is composed of 6 chapters. This introduction is the first chapter. It is followed by @sec:bg, which gives background information about Android and the different analysis techniques targeting Android applications. The next 3 chapters are dedicated to the contributions of this thesis. First, @sec:rasta studies the reusability of static analysis tools. Next, in @sec:cl, we model the default class loading algorithm used by Android and then show the consequences for reverse engineering tools that implement a wrong model. Then @sec:th presents an approach that allows static analysis tools to analyse applications that load bytecode at runtime. Finally, @sec:conclusion summarizes the contributions of this thesis and opens perspectives for future work.
]
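The shadow attacks named in the second contribution, illustrated by an added example that is not part of the thesis or its tools: a small model of Android's default lookup, which returns the first definition found when walking the APK's DEX files in order (classes.dex, classes2.dex, ...), next to a naive merge in which a later definition overwrites an earlier one, plus the triage check a defender would run to list duplicated classes. The APK contents and class bodies are constructed.

```python
"""Model of Android's default class lookup across the DEX files of an APK.

Added example (not from the thesis): ART resolves a class by scanning the
APK's DEX files in order (classes.dex, classes2.dex, ...) and returning the
FIRST definition it finds. A tool that merges DEX files and lets a later
definition overwrite an earlier one resolves a different class body than
the one that actually runs. All APK contents below are constructed.
"""
from collections import OrderedDict

# Constructed APK: dex file name -> {class name -> identifying body}.
# "com/example/Crypto" is defined twice; only the classes.dex copy runs.
CONSTRUCTED_APK = OrderedDict([
    ("classes.dex",  {"com/example/Main": "launcher",
                      "com/example/Crypto": "aes-gcm"}),
    ("classes2.dex", {"com/example/Crypto": "nop-cipher",
                      "com/example/Net": "okhttp-wrapper"}),
])


def runtime_resolve(apk, class_name):
    """First-match lookup, mirroring the order in which ART walks the DEX files."""
    for dex_name, classes in apk.items():
        if class_name in classes:
            return dex_name, classes[class_name]
    raise KeyError(class_name)  # ClassNotFoundException at runtime


def naive_merge_resolve(apk, class_name):
    """A tool that merges all DEX files into one map: the last definition wins."""
    merged = {}
    for classes in apk.values():
        merged.update(classes)
    return merged[class_name]


def shadowed_classes(apk):
    """Triage check: classes with more than one definition, with the DEX file
    whose copy is loaded and the DEX files whose copies are dead code."""
    seen = {}
    for dex_name, classes in apk.items():
        for class_name in classes:
            seen.setdefault(class_name, []).append(dex_name)
    return {name: {"loaded_from": dexes[0], "shadowed_in": dexes[1:]}
            for name, dexes in seen.items() if len(dexes) > 1}


if __name__ == "__main__":
    print(runtime_resolve(CONSTRUCTED_APK, "com/example/Crypto"))
    print(naive_merge_resolve(CONSTRUCTED_APK, "com/example/Crypto"))
    print(shadowed_classes(CONSTRUCTED_APK))
```

The two resolvers disagree on `com/example/Crypto`: the runtime executes the classes.dex body while the merge-based tool analyses the classes2.dex body, which is exactly the gap a shadow attack exploits and the duplicate that `shadowed_classes` flags.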