Security profiling for blackbox Android
Blackbox tool to help understand what an Android application is doing at runtime and assist in the identification of potential security issues.
Introspy-Android comprises two separate components: a GUI interface to configure hooks, filters and options and a Cydia Substrate extension containing the core of the tool functionalities, including hooks and analysis of potential issues.
Introspy-Android can be installed on a rooted device and dynamically configured to hook security-sensitive Android APIs at run-time. The tool records all the relevant API calls made by an application, including function calls, arguments and return values. It then perform tests for security issues in real time and persists the results in a database and in the Android logging system.
The Introspy-Analyzer can then be used to analyse a database generated by the tracer, and generate HTML reports containing the list of logged function calls as well as a list of potential vulnerabilities affecting the application.
See http://isecpartners.github.io/introspy-android/ for a quick introduction.
Install Introspy-Android Core.apk on a device where Cydia Substrate is installed with:
adb install Introspy-Android Core.apk
Install Introspy-Android Config.apk:
adb install Introspy-Android Config.apk
The Instrospy-Android Config application displays apps the Core application will hook and the various filters and options applied to them. This application need root access (you can use supersu to give temporary root access to the application). The changes are dynamic and you do not need to restard the applications for them to be effective.
It should be noted that the Core application can work on a device running Android 2.3 and above whereas the Config application can only run from Android 3.0 on due to the use of specific APIs. In order to test applications on older SDKs without the GUI by only using the Core application, you can simply create a file named "introspy.config" containing filters you want to hook in the directory of the applications you want to test. Example:
adb shell su -c echo "GENERAL CRYPTO, KEY, HASH, FS, IPC, PREF, URI, WEBVIEW" > /data/data/com.YOUR_APP_NAME/introspy.config
adb uninstall com.introspy.core adb uninstall com.introspy.config
This tool has not been tested on all versions of Android. If the tool does not work on your version, please send us your error logs:
adb logcat -s "InstrospyError"
If due to the error the phone does not boot anymore, you can still connect to it via adb and simply remove the extension to fix it with:
adb shell su -c rm /data/app/com.introspy.core*
If you still have issues, it may be due to Cydia Substrate itself, which may not be compatible with your device? To uninstall it you can do the following (from Cydia Substrate's website): "By holding down the volume-up button on your device you can disable Substrate while it is attempting to load modifications (such as while it is turning on and starting); this will give you an opportunity to use Google Play to uninstall things that might be broken."
Relevant data including potential issues related to the APIs hooked is dumped in a database and in the system logs. You can do the following commands to display them:
Display the complete logs:
adb logcat -s "Introspy"
Display potential issues:
adb logcat -s "Introspy:W"
Use the Android version of the analyzer (TBD, it will be pushed to a different github repository soon) to generate an HTML formatted report.
Checking the "STACK TRACES" option within the Config tool will dump a relevant call stack (comprising of 3 calls) for the selected filters.
Most users should just download and install the pre-compiled packages. However, if you want to modify the tool's functionality you will have to clone the source repository and build the packages yourself.
git clone https://github.com/iSECPartners/introspy-android.git
Then you need to add the Cydia Substrate SDK to eclipse. See here for instructions on how to do so: http://www.cydiasubstrate.com/id/73e45fe5-4525-4de7-ac14-6016652cc1b8/.
Adding hooks is simple and can be done within the com.introspy.custom_hooks module. See the pre-filled example in the code (CustomHookList.java and HookExampleImpl.java) and make sure to enable the "CUSTOM HOOKS" option in the Introspy Config application. See http://isecpartners.github.io/Introspy-Android/ for more instructions.
Notes: Some methods simply cannot be hooked due to potential issues in Cydia Substrate and the hook may just crash the process. Also, make sure to not try hooking abstract methods as it just throws an exception that is never caught by Cydia Substrate (and will just crash the process). You need to hook their implementation, which is sometimes not documented but can be easily found in the Android code base (for example: android.content.Context is implemented in android.content.ContextImpl).