
Static analysis on native android libraries for detecting implementation flaws and reflective API calls

German title: Statische Analyse von nativen Android Bibliotheken zur Detektion von Implementierungsfehlern und reflektiven API Aufrufen
Roskosch, Philipp
Waidner, Michael

Darmstadt, 2016, 94 pages
Darmstadt, TU, Master Thesis, 2016
Master Thesis
Fraunhofer SIT

Recently, the number of Android apps available in Google's Play Store reached 2 million. Android apps are usually written in Java, which is compiled to bytecode. Using the Android NDK, it is also possible to write libraries in C/C++. These libraries are compiled to native code and are executed directly on the CPU of the smartphone. Recent research has shown that native code usage has been increasing over the last years. While many analysis techniques exist for investigating the behavior of apps written in Java, no tool is available for statically investigating native libraries in the same way, and the few existing dynamic analysis frameworks are not capable of investigating entire native libraries. First, an evaluation of the usage of banned functions in native Android libraries is performed. It shows that, even though these functions should not be used, they are used frequently. Manually determining whether these functions introduce vulnerabilities into a library is time-consuming. Therefore, this thesis introduces an approach for automatically detecting vulnerabilities in native libraries compiled for ARM processors when no source code is available. Malware uses native libraries to obfuscate malicious behavior; in particular, sensitive information can be gathered by accessing the Android API through reflective API calls. To ease security testing, this thesis also presents an approach for statically detecting reflective API calls in native libraries. Two proofs of concept are implemented to demonstrate the analysis approaches. The first proof of concept detects format string vulnerabilities: libraries are disassembled, the disassembly is searched for invocations of format string functions, the parts of the disassembly that call such functions are extracted, and their execution is simulated. In this way, the format string actually used is determined, and it is checked whether the implementation is potentially vulnerable. The second proof of concept detects reflective API calls. The disassembly is scanned for invocations of the JNI methods required to perform reflective API calls; these methods are identified by an algorithm developed in this thesis. With this knowledge, parts of the binary are extracted and their execution is simulated. By investigating the referenced strings, the classes and methods used can be determined, and hence the APIs that are called. The evaluation shows that the presented approach detects many correctly used format string functions, and that a large number of reflective API calls are revealed. This shows that static analysis of native Android libraries for detecting implementation flaws and determining reflective API calls is feasible.
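The format string check of the first proof of concept, as an added illustration that is not code from the thesis: a minimal simulator over constructed ARM disassembly tracks which registers hold pointers into the constant string table and, at each call to a format string function, reports whether the format argument (located by the AAPCS register convention) resolves to a compile-time constant. The disassembly, addresses and .rodata contents are constructed for this example.

```python
import re

# Constructed ARM disassembly (addresses, labels and .rodata contents are made up).
DISASSEMBLY = """
00000400 <log_user>:
     400: ldr r0, =0x8000
     404: ldr r1, [r4, #4]
     408: bl printf
     40c: ldr r0, [sp, #8]
     410: bl printf
     414: mov r0, r5
     418: ldr r1, =0x8010
     41c: ldr r2, [r4, #8]
     420: bl sprintf
"""
RODATA = {0x8000: "User %s logged in\n", 0x8010: "%s"}  # constructed string table
# Index of the format argument per function; under AAPCS arguments 0-3 live in r0-r3.
FORMAT_ARG = {"printf": 0, "fprintf": 1, "sprintf": 1, "snprintf": 2, "__android_log_print": 2}

LDR_CONST = re.compile(r"ldr\s+(r\d+),\s*=(0x[0-9a-f]+)")  # literal-pool load of an address
LDR_MEM = re.compile(r"ldr\s+(r\d+),\s*\[")                 # load of a runtime value
MOV = re.compile(r"mov\s+(r\d+),\s*(r\d+)")
BL = re.compile(r"bl\s+(\w+)")

def analyze(disassembly, rodata):
    regs = {}       # register -> address of a constant string, or None if unknown
    findings = []
    for line in disassembly.splitlines():
        m = re.match(r"\s*([0-9a-f]+):\s+(.*)", line)
        if not m:
            continue                            # symbol headers and blank lines
        addr, insn = m.groups()
        if c := LDR_CONST.search(insn):
            regs[c.group(1)] = int(c.group(2), 16)
        elif c := LDR_MEM.search(insn):
            regs[c.group(1)] = None             # memory contents are not a constant
        elif c := MOV.search(insn):
            regs[c.group(1)] = regs.get(c.group(2))
        elif c := BL.search(insn):
            func = c.group(1)
            if func in FORMAT_ARG:
                ptr = regs.get("r%d" % FORMAT_ARG[func])
                fmt = rodata.get(ptr) if ptr is not None else None
                # A format argument that does not resolve to a constant string is flagged.
                findings.append({"addr": addr, "func": func, "format": fmt,
                                 "vulnerable": fmt is None})
            for r in ("r0", "r1", "r2", "r3"):  # caller-saved registers are clobbered
                regs.pop(r, None)
    return findings
```

The call at 410 is flagged because its format string was loaded from the stack rather than the literal pool, while the printf at 408 and the sprintf at 420 resolve to constant strings.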