#import "../lib.typ": epigraph, ART, APK, ie, highlight-block
#import "X_var.typ": nbapk

= Class Loaders in the Middle: Confusing Android Static Analysers <sec:cl>

#epigraph("Esmerelda Weatherwax, Wyrd Sisters, Terry Pratchett")[Things that try to look like things often do look more like things than things.]

#align(center, highlight-block(inset: 15pt, width: 75%, block(align(left)[
The dynamic linking and loading of the different classes by the #ART is a complex task that can eventually be exploited by an attacker.
In particular, if the developer adds a class whose name collides with the name of a class of the Android operating system or another class in the application, they may confuse a reverse engineer in charge of studying such an application.
In this chapter, we explore the consequences of those collisions.
We highlight three attacks that we call shadow attacks because the class implementation that a reverser would find shadows a second implementation with a higher priority.
In particular, we show that most of the evaluated static analysis tools used by reversers choose the shadow implementation and output a wrong result.
In a dataset of #nbapk applications, we also investigate whether shadow attacks are used in the wild and show that, most of the time, there is no malicious behavior behind them.
])))

#include("0_intro.typ")
#include("1_related_work.typ")
#include("2_classloading.typ")
#include("3_obfuscation.typ")
#include("4_in_the_wild.typ")
#include("5_ttv.typ")
#include("6_conclusion.typ")