# Android class shadowing scanner

Detect if an Android application is in a situation that may lead to class spoofing.

This is the code used to survey in-the-wild applications in chapter 4 of the thesis 'The Woes of Android Reverse Engineering: from Large Scale Analysis to Dynamic Deobfuscation', by Jean-Marie Mineau.

## Dependencies

You need [apktool](https://github.com/iBotPeaches/Apktool/commits/main/) to compare the smali bytecode of the applications. Put `apktool.jar` in the same folder as `run.sh`. To run apktool, you also need Java installed (`openjdk version "17.0.17"` should work).

You need an [androzoo](https://androzoo.uni.lu/) API key and [latest_with-added-date.csv.gz](https://androzoo.uni.lu/static/lists/latest_with-added-date.csv.gz). Put the API key in `./ZOO_KEY`, in the same folder as `run.sh`.

You need `python3` installed (`3.13` should work).

## Running the Experiment

The experiment runs in 4 steps.

1. The first step is run with `bash scan.sh`. It downloads the applications from androzoo and checks the class definitions for shadowing. Make sure to wait for the 20 workers to finish before running the next steps. This can take some time.
2. The next step is run with `bash digest.sh`. It stores the results in a sqlite database.
3. The next step is run with `bash check_smali.sh`. It analyzes the smali of the shadowing/shadowed methods in the applications that have them. Make sure to wait for all the workers to finish before running the next steps. This can take some time.
4. The last step analyzes the results and is run with `bash datamine.sh`.

In the end, the data used in chapter 4 of the thesis is stored in `app-2023.out/out_data/`.

## File Location

The default location of files can be changed by editing the variables in `setup.sh` (make sure the variables have the same values each time you run a script, e.g. avoid `mktemp` in `setup.sh`).
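
To illustrate the kind of check the scan and `check_smali.sh` steps are concerned with, here is an added example (not code from this repository) that reports classes defined in more than one dex of an apktool-decoded application and whether the copies differ. It assumes apktool's usual `smali`, `smali_classes2`, ... output directories and covers only duplicates inside one APK, since the page does not define the shadowing cases it surveys; `find_duplicate_classes`, `classify` and `build_sample` are hypothetical names.

```python
import hashlib
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# First directive of a smali file, e.g. ".class public final Lcom/example/Foo;"
CLASS_RE = re.compile(r"^\.class\s+(?:[\w-]+\s+)*(L[^;\s]+;)", re.M)


def find_duplicate_classes(decoded_dir):
    """Return {descriptor: [(smali_dir, sha256), ...]} for classes defined more than once."""
    seen = defaultdict(list)
    for dex_dir in sorted(p for p in Path(decoded_dir).glob("smali*") if p.is_dir()):
        for smali in sorted(dex_dir.rglob("*.smali")):
            text = smali.read_text(encoding="utf-8", errors="replace")
            match = CLASS_RE.search(text)
            if match:  # skip files without a .class directive
                digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
                seen[match.group(1)].append((dex_dir.name, digest))
    return {cls: defs for cls, defs in seen.items() if len(defs) > 1}


def classify(defs):
    """'identical' if every copy has the same smali text, else 'divergent'."""
    return "identical" if len({digest for _, digest in defs}) == 1 else "divergent"


def build_sample(root):
    """Constructed sample tree mimicking apktool output; not taken from a real app."""
    head = ".class public Lcom/example/{0};\n.super Ljava/lang/Object;\n"
    field = ".field public static final V:I = {0}\n"
    files = {
        "smali/com/example/Util.smali": head.format("Util") + field.format("0x1"),
        "smali_classes2/com/example/Util.smali": head.format("Util") + field.format("0x2"),
        "smali/com/example/Same.smali": head.format("Same"),
        "smali_classes2/com/example/Same.smali": head.format("Same"),
        "smali/com/example/Only.smali": head.format("Only"),
    }
    for rel, body in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for cls, defs in sorted(find_duplicate_classes(tmp).items()):
            print(cls, classify(defs), [name for name, _ in defs])
```

Divergent copies are the ones worth a manual look, because a static analysis tool and the Android runtime may not pick the same definition.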