Android class shadowing scanner

Detects whether an Android application is in a situation that may lead to class spoofing.

This is the code used to survey in-the-wild applications in chapter 4 of the thesis 'The Woes of Android Reverse Engineering: from Large Scale Analysis to Dynamic Deobfuscation', by Jean-Marie Mineau.

Dependencies

You need apktool to compare the smali bytecode of the applications. Put apktool.jar in the same folder as run.sh. To run apktool, you also need Java installed (openjdk version "17.0.17" should work).

You need an AndroZoo API key and latest_with-added-date.csv.gz. Put the API key in ./ZOO_KEY, in the same folder as run.sh.

You need

You need python3 installed (3.13 should work).

Running the Experiment

The experiment runs in 4 steps.

The first step is run with bash scan.sh, which downloads the applications from AndroZoo and checks the class definitions for shadowing. Make sure to wait for all the workers to finish before running the next step. This can take some time.

The second step is run with bash digest.sh, which stores the results in an SQLite database.

The third step is run with bash check_smali.sh, which analyzes the smali of the shadowing/shadowed methods in the applications that have them. Make sure to wait for all the workers to finish before running the next step. This can take some time.

The last step analyzes the results and is run with bash datamine.sh.

In the end, the data used in chapter 4 of the thesis is stored in app-2023.out/out_data/.
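To make the check performed by the first step concrete, here is an added, stand-alone Python example that is not part of this scanner's code. It assumes that "shadowing" means a class descriptor defined in more than one classes*.dex entry of the same APK (so which definition actually gets loaded depends on the loader's DEX order), and it parses only the DEX header, string_ids, type_ids and class_defs tables needed to list class names. The two DEX blobs and the APK it scans are constructed inline; `build_dex`, `build_apk` and `SAMPLE_APK` are helper names chosen here, not files from the project.

```python
"""Added example: list class descriptors defined in more than one DEX of an APK.

The DEX blobs and APK below are constructed here so the example runs offline;
they are not taken from a real application.
"""
import io
import re
import struct
import zipfile
from collections import defaultdict


def _uleb128(buf, off):
    """Decode an unsigned LEB128 value; return (value, offset after it)."""
    result, shift = 0, 0
    while True:
        b = buf[off]
        off += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, off
        shift += 7


def dex_class_names(dex):
    """Return the descriptors (e.g. 'Lcom/example/Foo;') of every class_def in a DEX blob."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    # Header layout: string_ids size/off at 0x38, type_ids at 0x40, class_defs at 0x60.
    string_ids_size, string_ids_off = struct.unpack_from("<II", dex, 0x38)
    type_ids_size, type_ids_off = struct.unpack_from("<II", dex, 0x40)
    class_defs_size, class_defs_off = struct.unpack_from("<II", dex, 0x60)

    def string_at(idx):
        # string_id_item holds the offset of a uleb128 length followed by MUTF-8 data and a NUL.
        (data_off,) = struct.unpack_from("<I", dex, string_ids_off + 4 * idx)
        _utf16_len, start = _uleb128(dex, data_off)
        end = dex.index(b"\x00", start)
        return dex[start:end].decode("utf-8")  # ASCII descriptors: MUTF-8 == UTF-8 here

    names = []
    for i in range(class_defs_size):
        # class_def_item is 32 bytes; its first u4 is class_idx into type_ids.
        (class_idx,) = struct.unpack_from("<I", dex, class_defs_off + 32 * i)
        # type_id_item is a single u4 descriptor_idx into string_ids.
        (descriptor_idx,) = struct.unpack_from("<I", dex, type_ids_off + 4 * class_idx)
        names.append(string_at(descriptor_idx))
    return names


def find_shadowed_classes(apk_bytes):
    """Map each descriptor defined in several classes*.dex entries to those entries, in load order."""
    seen = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        dex_entries = [n for n in zf.namelist() if re.fullmatch(r"classes\d*\.dex", n)]
        # classes.dex is loaded first, then classes2.dex, classes3.dex, ... (numeric, not lexical order).
        dex_entries.sort(key=lambda n: int(n[len("classes"):-len(".dex")] or 1))
        for entry in dex_entries:
            for name in dex_class_names(zf.read(entry)):
                seen[name].append(entry)
    return {name: entries for name, entries in seen.items() if len(entries) > 1}


def build_dex(class_descriptors):
    """Constructed, minimal DEX: only the tables dex_class_names() reads are populated."""
    n, header_size = len(class_descriptors), 0x70
    string_ids_off = header_size
    type_ids_off = string_ids_off + 4 * n
    class_defs_off = type_ids_off + 4 * n
    data_off = class_defs_off + 32 * n
    data, str_offsets = b"", []
    for d in class_descriptors:  # descriptors are short, so the uleb128 length is one byte
        str_offsets.append(data_off + len(data))
        data += bytes([len(d)]) + d.encode("utf-8") + b"\x00"
    string_ids = b"".join(struct.pack("<I", o) for o in str_offsets)
    type_ids = b"".join(struct.pack("<I", i) for i in range(n))  # type i -> string i
    class_defs = b"".join(  # class_idx, access_flags, superclass, interfaces, source, annots, data, statics
        struct.pack("<8I", i, 1, 0xFFFFFFFF, 0, 0xFFFFFFFF, 0, 0, 0) for i in range(n))
    header = bytearray(header_size)
    header[:8] = b"dex\n035\x00"
    struct.pack_into("<II", header, 0x20, data_off + len(data), header_size)  # file_size, header_size
    struct.pack_into("<II", header, 0x38, n, string_ids_off)
    struct.pack_into("<II", header, 0x40, n, type_ids_off)
    struct.pack_into("<II", header, 0x60, n, class_defs_off)
    return bytes(header) + string_ids + type_ids + class_defs + data


def build_apk(dex_files):
    """Constructed APK: a zip holding the given {entry name: dex bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, blob in dex_files.items():
            zf.writestr(name, blob)
    return buf.getvalue()


# Constructed sample: Lcom/example/Util; is defined in both DEX files, so it is shadowed.
SAMPLE_APK = build_apk({
    "classes.dex": build_dex(["Lcom/example/App;", "Lcom/example/Util;"]),
    "classes2.dex": build_dex(["Lcom/example/Util;", "Lcom/example/Extra;"]),
})

if __name__ == "__main__":
    for name, entries in find_shadowed_classes(SAMPLE_APK).items():
        print(f"{name} defined in {', '.join(entries)} (loaded from {entries[0]})")
```

On a real APK, pass the file's bytes to `find_shadowed_classes`; the first entry in each list is the definition the platform loader picks, which is the one the later steps of this pipeline compare against the shadowed copies.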

File Location

The default location of files can be changed by editing the variables in setup.sh (make sure the variables have the same values each time you run a script, e.g. avoid mktemp in setup.sh).