integrate bg of rasta in bg section
All checks were successful
/ test_checkout (push) Successful in 1m15s

This commit is contained in:
Jean-Marie Mineau 2025-08-12 18:43:28 +02:00
parent 94d26973d3
commit 5e512b585a
Signed by: histausse
GPG key ID: B66AEEDA9B645AD2
11 changed files with 170 additions and 107 deletions


@ -40,7 +40,21 @@ When used directly by ART, the classes are usually stored in an application file
#image(
"figs/classloaders-crop.svg",
width: 80%,
alt: ""
alt: "
A box diagram. The diagram is split into two; the right section is labeled Runtime.
On the left, there are 9 boxes. 3 are gray, labeled ClassLoader, SecureClassLoader, and URLClassLoader, and the other 6 are white: BootClassLoader, BaseDexClassLoader, DexClassLoader, InMemoryDexClassLoader, PathClassLoader, and DelegateLastClassLoader.
Arrows go from SecureClassLoader, BaseDexClassLoader, and BootClassLoader to ClassLoader,
from URLClassLoader to SecureClassLoader,
from DexClassLoader, InMemoryDexClassLoader, and PathClassLoader to BaseDexClassLoader,
and from DelegateLastClassLoader to PathClassLoader.
On the runtime side, there are 5 boxes: bootClassLoader, appClassLoader (multi dex), systemClassLoader,
Specific delegator with two delegates, X.
Arrows labeled delegate go from appClassLoader, systemClassLoader, and Specific delegator to bootClassLoader, and from Specific delegator to X.
bootClassLoader, appClassLoader, and systemClassLoader are grouped in a dotted box labeled Android default behavior.
Dotted lines labeled instance go across the central demarcation from appClassLoader to PathClassLoader, from systemClassLoader to PathClassLoader, and from Specific delegator to DelegateLastClassLoader.
Another dotted line labeled instance singleton goes from bootClassLoader to BootClassLoader.
"
)
gray -- Java-based, white -- Android-based
],
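Review bot: the alt text in this hunk conveys the Java-based/Android-based split only by color ("3 are gray ... and the other 6 are white"), while the legend line `gray -- Java-based, white -- Android-based` sits outside the alt string, so a screen-reader user hears the colors but not what they mean; state it directly, e.g. `3 are Java-based (gray): ClassLoader, SecureClassLoader, and URLClassLoader, and the other 6 are Android-based (white): ...`. Also note that the line breaks (and any indentation) between the opening `alt: "` and the closing `"` are part of the string literal, so the emitted alt attribute begins and ends with a newline; keeping the text on one line, or at least starting it right after the opening quote, gives cleaner output.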
@ -115,7 +129,19 @@ We discuss in the next section how to obtain these classes from the emulator.
image(
"figs/architecture_SDK-crop.svg",
width: 80%,
alt: ""
alt: "
On the top right, a diagram of a web browser open at https//develoer.android.com, with the webpage reading: API documentation, SDK classes, and method descriptions.
The web browser is labelled Documentation.
On the bottom right, a box with the Android Studio logo (a blue pair of compasses in front of a green robot) is labeled 'Development Environment'.
It contains two boxes: Developer classes and android.jar, and the text Dev SDK classes in bold.
An arrow labeled API access goes from Developer classes to android.jar.
On the left, a diagram of a smartphone with the Android logo (a green robot) contains two boxes: Platform classes and APK files.
Platform classes contain the text 'boot.art: framework.jar + 24 .jar = Android SDK classes + Hidden classes'.
APK file is split in two, in the top part: Developer classes + some extra classes, and on the bottom part: Multi DEX.
An arrow labeled API access goes from APK file to Platform classes.
Another arrow goes from Developer environment to APK file.
"
),
caption: [Location of SDK classes during development and at runtime]
) <fig:cl-archisdk>
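Review bot: the URL in the browser line of this alt text is misspelled: `https//develoer.android.com` is missing the colon and a letter and should read `https://developer.android.com`. The same description also names the same element inconsistently ('Development Environment' in one sentence, 'Developer environment' in the last) and switches between 'APK files' and 'APK file'; align the wording with the labels actually printed in the figure so the description matches what the image shows.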


@ -174,8 +174,6 @@ Regrettably, the documentation of `.is_android_api()` explains that the method i
This means that although those methods are useful, the only indication of the use of an #Asdk or #hidec is the fact that the class is not in the APK file.
Because of that, like for Apktool and Jadx, Androguard has no way to warn the reverser that the shadow of an #Asdk or #hidec is not the class used when running the application.
#todo[alt text androguard_call_graph]
#figure({
set align(center)
stack(dir: ltr,[
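Review bot: dropping the `#todo[alt text androguard_call_graph]` marker is only right if both subfigures of this figure now carry a real alt string; the two hunks below in the same file do fill them in, so nothing is lost here, but a grep for any remaining `#todo[alt text` markers before merging would catch figures this commit did not cover.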
@ -183,7 +181,15 @@ Because of that, like for Apktool and Jadx, Androguard has no way to warn the re
image(
"figs/call_graph_expected.svg",
width: 45%,
alt: ""
alt: "
A box diagram.
Arrows goes from MainActivity.onCreate() to Activity.OnCreate() and Main.main(),
from Main.main() to Obfuscation.doSomething() to Main.bad(),
from another Obfuscation.doSomething() box to Main.good(),
from Main.bad() to Log.i() and from Main.bad() to Log.i().
There are two Obfuscation.doSomething(), the one pointed by Main.main() and that points to Main.bad() is white like the other boxes, the one without arrows pointed at and that points to Main.good() is gray.
"
),
supplement: [Subfigure],
caption: [Expected Call Graph]
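Review bot: the clause `from Main.bad() to Log.i() and from Main.bad() to Log.i()` lists the same edge twice, which looks like a copy-paste slip; since the gray Obfuscation.doSomething() box leads to Main.good(), the second clause was probably meant to be `from Main.good() to Log.i()`, but verify against the figure before changing it. Two smaller points: `Arrows goes` should be `Arrows go`, and `Activity.OnCreate()` is capitalized differently from `MainActivity.onCreate()` in the same sentence; if the figure labels it `onCreate()`, match the figure.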
@ -192,7 +198,14 @@ Because of that, like for Apktool and Jadx, Androguard has no way to warn the re
image(
"figs/call_graph_obf.svg",
width: 45%,
alt: ""
alt: "
A box diagram.
Arrows goes from MainActivity.onCreate() to Activity.OnCreate() and Main.main(),
from Main.main() to Obfuscation.doSomething() to Main.good(),
from another Obfuscation.doSomething() box to Main.bad(),
from Main.bad() to Log.i() and from Main.bad() to Log.i().
There are two boxes Obfuscation.doSomething(), the one pointed by Main.main() and that points to Main.good() is gray, the one without arrows pointed at and that points to bad is white like the other boxes.
"
),
supplement: [Subfigure],
caption: [Call Graph Computed by Androguard]
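Review bot: this alt text has the same duplicated edge as the expected-call-graph one, `from Main.bad() to Log.i() and from Main.bad() to Log.i()`; check whether the second clause should read `from Main.good() to Log.i()`. Also `Arrows goes` should be `Arrows go`, and `points to bad` should be `points to Main.bad()` to stay consistent with the method names used elsewhere in the description.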


@ -106,7 +106,16 @@ We investigate later in @sec:cl-malware the case of malicious applications.
image(
"figs/redef_sdk_relative_min_sdk.svg",
width: 100%,
alt: ""
alt: "
A bar graph.
The y-axis represents the number of classes, from 0 to over 40,000.
The x-axis represents the version number of the first SDK containing the class up to version 34.
The bars can have two possible colors: in red, the classes introduced before the Min SDK of their APK, and in green, the classes introduced after the Min SDK of their APK.
In practice, for one value of the x-axis, almost all bars have only one color: the bars before SDK 17 are red, and the ones after are green (except for SDK 24, which has a very small portion of red).
There are only 3 visible red bars, one for SDK version below or equal to 7 at around 30,000 classes, and two smaller ones around 5,000 classes at SDK 8 and 16.
There are more green bars. SDK 21 and 30 are around 20,000 classes, 23 is at 30,000, 31 at 35,000, 26, 28, 29 are at 40,000, and 24 is well over 40,000.
The remaining bars are between 0 and 5,000.
"
),
caption: [Redefined SDK classes, sorted by the first SDK they appeared in.]
)<fig:cl-classes_by_first_sdk>
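Review bot: the alt text hard-codes approximate bar heights ('SDK 21 and 30 are around 20,000 classes', '24 is well over 40,000'), so it will silently go stale if `figs/redef_sdk_relative_min_sdk.svg` is regenerated from updated data; either keep the numbers and add a reminder next to the figure-generation step to refresh them, or describe the shape of the distribution without exact values. A second point: the x-axis is described as 'the version number of the first SDK containing the class', yet the first red bar is described as 'SDK version below or equal to 7', which implies the first bin aggregates several versions; say so in the axis sentence so the two statements agree.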