#import "../lib.typ": todo, APK, etal, ART, SDK, eg, jm-note, jfl-note == Dynamic Analysis As we said previously, static analysis is not capable of analysing everything. Some situation, like reflection of dynamic code loading, require a different approach: dynamic analysis. With dynamic analysis, the application is actually executed and the reverse engineer obserces its behavior. Monitoring the behavior can be achieved by various strategies: observing the filesystem, the display screen, the process memory, the kernel, ... Depending on the chosen level of observation, it can be technically difficult. A basic example of dynamic analysis is presented by Bernardi #etal~@bernardi_dynamic_2019: the logs generated by `strace` is used to list the system calls generated in response to an event to determine if an application is malicious or not. More advanced methods are more intrusive and require modifing either the #APK, the Android framework, runtime, or kernel. TaintDroid~@Enck2010 for example modify the Dalvik Virtual Machine (the predecessor of the #ART) to track the data flow of an application at runtime, while AndroBlare~@Andriatsimandefitra2012 @andriatsimandefitra_detection_2015 try to compute the taint flow by hooking system calls using a Linux Security Module. DexHunter~@zhang2015dexhunter and AppSpear~@yang_appspear_2015 also patch the Dalvik Virtual Machine/#ART, this time to collect bytecode loaded dynamically. Modifying the Android framwork, runtime or kernel is possible thanks to the Android project beeing open source, however this is a delicate operation that require to revise a patch for each new version of Android. Thus, a common issue faced by tools that took this approach is that they are stuck with a specific version of Android. Some sandboxes limit this issue by using dynamic binary instrumentation, like DroidHook~@cui_droidhook_2023, based the Xposed framework, or CamoDroid~@faghihi_camodroid_2022, based on Frida. This approche is a lot less stealthy than patching Android, but is generally easier to setup and is easier to port to new Android version. Another known challenge when analysing an application dynamically is the code coverage: if some part of the application is not executed, it cannot be annalysed. Considering that Android applications are meant to interact with a user, this can become problematic for automatic analysis. The Monkey tool developed by Google is one of the most used solution~@sutter_dynamic_2024. It sends a random streams of events the phone without tracking the state of the application. More advance tools statically analyse the application to model in order to improve the exploration. Sapienz~@mao_sapienz_2016 and Stoat~@su_guided_2017 uses this technique to improve application testing. GroddDroid~@abraham_grodddroid_2015 has the same approach but detect statically suspicious sections of code to target, and will interact with the application to target those code section. Unfortuntely, exploring the application entirely is not always possible, as some applications will try to detect is they are in a sandbox environnement (#eg if they are in an emmulator, or if Frida is present in memory) and will refuse to run some sections of code if this is the case. Ruggia #etal~@ruggia_unmasking_2024 make a list of evasion techniques. They propose a new sandbox, DroidDungeon, that contrary to other sandboxes like DroidScope@droidscope180237 or CopperDroid@Tam2015, strongly emphasizes on resiliance against evasion mechanism. A common objectif of dynamic analysis is to collect bytecode loaded dynamically and reflections information. Like we said earlier, DexHunter~@zhang2015dexhunter and AppSpear~@yang_appspear_2015 that by instrumenting the Android Runtime. Qu #etal~@qu_dydroid_2017 developped DyDroid, an hybrid framework using dynamic analysis to intercept dynamic code loading and static analysis to determine the nature of the loaded code. They used DyDroid to make an autit of the use of dynamic code loading in applications from the Google Play store in 2016. It resulted that dynamic code loading was mostly related to mobile advertisement, and that the code loading originated from a third party library included in the application, rather than the code of the application developper itself. Similarly, StaDynA~@zhauniarovichStaDynAAddressingProblem2015 is a framework that generate a call graph statically, then use dynamic analysis to analyse dynamic code loading and reflection calls to complete this call graph. The issue with those approach is that they are only compatible with their own subsequent analysis. For instance, StaDynA only provide the call graph, and cannot be used as is to improve the capacity of Flowdroid. This is unfortunate, has the reverse engineer next step will depend on the context: not beeing able to reuse the result of a previous analysis with other #jm-note[non-specialise][erf, non-specific? non-adapted?] tools limit greatly their options. AppSpear has an interesting solution to this issue: the code it intercept is repackage inside a new #APK file that Android analysis tools should be able to analyze. In the next section, we will explore further the contributions that take this approache of using actual application to encode its result. //#todo[RealDroid sandbox bases on modified ART?] //#todo[force execution?]