parent de9674f09c
commit 96b8d24b29
13 changed files with 26 additions and 24 deletions
|
@ -1,4 +1,4 @@
|
|||
#import "../lib.typ": eg, num, APK, JAR, AXML, ART, SDK, JNI, NDK, DEX, XML, API, ZIP, paragraph
|
||||
#import "../lib.typ": eg, num, APK, JAR, AXML, ART, SDK, JNI, NDK, DEX, XML, API, ZIP, paragraph, midskip
|
||||
#import "../lib.typ": todo, jfl-note
|
||||
|
||||
=== Android <sec:bg-android>
|
||||
|
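Review bot: `midskip` is added to this import list, but none of the hunks shown here touch `../lib.typ`, so the definition that this file and the five others now depend on is not visible in this view; confirm that `lib.typ` exports `midskip` in the same commit (the summary counts 13 changed files, of which only 6 are displayed), otherwise every file importing it fails to compile.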
@ -165,7 +165,7 @@ Reflection is not limited to bytecode that has been dynamically loaded: it can b
|
|||
Because the `ClassLoader` objects are only used when loading bytecode dynamically or when using reflection, it is often forgotten that the #ART uses class loaders constantly behind the scene, allowing classes from the application and platform classes to cohabit seamlessly.
|
||||
]
|
||||
|
||||
#v(2em)
|
||||
#midskip
|
||||
|
||||
In this subsection, we presented the most notable specificities of the Android ecosystem.
|
||||
In the next section, we will continue with the various tools available for an Android reverse engineer.
|
||||
|
|
|
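Review bot: replacing `#v(2em)` with `#midskip` only preserves the rendered output if `midskip` expands to the same vertical space; if it is meant to change the spacing, that change now applies uniformly to all six subsection transitions in this commit, which is the point of centralising it but is worth stating in the commit message.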
@ -1,4 +1,4 @@
|
|||
#import "../lib.typ": APK, IDE, SDK, DEX, ADB, ART, eg, XML, AXML, API, paragraph
|
||||
#import "../lib.typ": APK, IDE, SDK, DEX, ADB, ART, eg, XML, AXML, API, paragraph, midskip
|
||||
#import "../lib.typ": jfl-note, todo
|
||||
|
||||
=== Reverse Engineering Tools <sec:bg-tools>
|
||||
|
@ -85,7 +85,7 @@ The main drawback of using Frida is that it is a known tool, easily detected by
|
|||
Malware might implement countermeasures that avoid running malicious payloads if Frida is detected.
|
||||
]
|
||||
|
||||
#v(2em)
|
||||
#midskip
|
||||
|
||||
Those tools are quite useful for manual operations.
|
||||
However, considering the complexity of modern Android applications, it might take a lot of work for a reverse engineer to analyse one application.
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
#import "../lib.typ": APK, etal, ART, SDK, DEX, eg,
|
||||
#import "../lib.typ": APK, etal, ART, SDK, DEX, eg, midskip
|
||||
#import "../lib.typ": todo, jm-note, jfl-note
|
||||
#import "@preview/diagraph:0.3.5": raw-render
|
||||
|
||||
|
@ -143,6 +143,6 @@ However, static analysis tools must overcome many challenges when analysing Andr
|
|||
|
||||
#todo[Ca serait bien de souligner Dyn Code Load et Reflection]
|
||||
|
||||
#v(2em)
|
||||
#midskip
|
||||
|
||||
With the bases of Android application analysis in mind, we can now examine our problem statements further.
|
||||
|
|
|
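Review bot: the context line `#todo[Ca serait bien de souligner Dyn Code Load et Reflection]` directly above the changed spacing is a leftover French author note ("it would be good to highlight dynamic code loading and reflection"); it is untouched by this change but will appear in the output unless `todo` is neutralised for the final build.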
@ -1,4 +1,4 @@
|
|||
#import "../lib.typ": APK, etal, ART, SDK, DEX, eg, ie, pb1, pb1-text
|
||||
#import "../lib.typ": APK, etal, ART, SDK, DEX, eg, ie, pb1, pb1-text, midskip
|
||||
#import "../lib.typ": todo, jm-note, jfl-note
|
||||
#import "@preview/diagraph:0.3.5": raw-render
|
||||
|
||||
|
@ -144,7 +144,7 @@ ReproDroid@pauckAndroidTaintAnalysis2018
|
|||
DroidBench@Arzt2014a
|
||||
*/
|
||||
|
||||
#v(2em)
|
||||
#midskip
|
||||
|
||||
To summarise, Li #etal made a systematic literature review of static analysis for Android that listed 27 open-sourced tools.
|
||||
However, they did not test those tools.
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
#import "../lib.typ": SDK, API, API, DEX, pb2, pb2-text, etal, APIs, ie
|
||||
#import "../lib.typ": SDK, API, API, DEX, pb2, pb2-text, etal, APIs, ie, midskip
|
||||
#import "../lib.typ": todo
|
||||
|
||||
=== Android Class Loading <sec:bg-soa-cl>
|
||||
|
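Review bot: `API` is listed twice in this import line on both the old and the new side; since the line is being edited anyway, drop the duplicate so the import reads `SDK, API, DEX, pb2, pb2-text, etal, APIs, ie, midskip`.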
@ -53,7 +53,7 @@ More recently, He #etal~@he_systematic_2023 did a systematic study of hidden ser
|
|||
They studied how the hidden #API can be used to bypass Android security restrictions and found that although Google countermeasures are effective, they need to be implemented inside the system services and not the hidden #API due to the lack of in-app privilege isolation: the framework code is in the same process as the user code, meaning any restriction in the framework can be bypassed by the user.
|
||||
Unfortunately, those two contributions do not explore further the consequences of the use of hidden #APIs for a reverse engineer.
|
||||
|
||||
#v(2em)
|
||||
#midskip
|
||||
|
||||
In conclusion, class loading mechanisms have been studied carefully in the context of the Java language.
|
||||
However, the same cannot be said about Android, whose implementation diverges significantly from classic Java Virtual Machines.
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
#import "../lib.typ": APK, etal, ART, SDK, eg, DEX, eg, pb3, pb3-text
|
||||
#import "../lib.typ": APK, etal, ART, SDK, eg, DEX, eg, pb3, pb3-text, midskip
|
||||
#import "../lib.typ": todo, jm-note, jfl-note
|
||||
|
||||
=== Allowing Static Analysis Tools to Analyse Obfuscated Application <sec:bg-soa-th>
|
||||
|
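Review bot: `eg` is imported twice on this line (once before and once after `DEX`), on both sides of the change; remove the second occurrence while touching the line.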
@ -81,7 +81,7 @@ Those cases are quite common; being able to solve those without resorting to dyn
|
|||
On the other hand, COAL will struggle to solve cases with complex string manipulation and is simply not able to handle cases that rely on external data (#eg downloaded from the internet at runtime).
|
||||
Likewise, this can only access code loaded dynamically if the code was present inside the application without any kind of obfuscation (#eg a #DEX file in the assets of the application can be analysed, but not if it is ciphered).
|
||||
|
||||
#v(2em)
|
||||
#midskip
|
||||
|
||||
Instrumenting applications to encode the result of an analysis as a unified representation has been explored before.
|
||||
It has been used by tools like AppSpear and DexLego to expose heavily obfuscated bytecode collected dynamically.
|
||||
|
|