In app search 1
Download as PPTX, PDF0 likes409 views
This document discusses analyzing mobile apps through static and dynamic analysis. It describes extracting URLs from apps through crawling, monitoring HTTP requests using tcpdump, monitoring the binder process, hooking into APIs, and tagging data flows. It outlines building an app signature database, API modeling by decompiling apps and monitoring critical API calls, and automatically testing apps in sandboxed environments. The goal is to accurately understand app features, web API usage, software quality, and behavior through these technical methods. Milestones outlined include developing URL extraction, crawling, binder monitoring, an automatic testing environment, and an app signature database.
In app search 1
- 1. in-App Search 1 Let’s talk about app
- 2. “…They want a quarter-inch hole!” Content in Apps !!!
- 3. WE KNOW LITTLE ABOUT APPS
- 4. Cloud apps
- 5. How cloud apps work? Request Response Phone Servers
- 6. How local apps work?
- 7. WHAT’S APPS REQUEST IS WHAT CUSTOM WANT TO GET
- 8. CONTENT = API REQUEST
- 9. CONTENT = HTTP REQUEST
- 10. Map<Request,Content>? URLs Sites Content
- 11. Map<Request,Content>? • http://api.renren.com URL • http://search.twitter.com/search.json • https://api.rememberthemilk.com/services • http://www.renren.com Site • http://www.twitter.com • https://www.rememberthemilk.com • SNS Content • Twitter • Tada list
- 12. Penetrated ! Request Response Phone Servers
- 13. What we will get? • Accurate feature list for apps – Not self description – Not reviews – Real operations • Web API usage (used to be a part of anti-virus co.) – Developers (advice, protection, copycat…) – Tech trends – Tricks (virus, Ads, hack…) • Software quality
- 14. Start diving!
- 15. Focus on • ApkReader • URL / Crawling • HTTP request • Binder • API hook • Data flow tagging • API modeling All above are for lab env.
- 16. ApkReader • .dex • .arsc • AndroidManifest.xml • Certification • File last modify time • Native code • Layout (.xml) • Images (.icon .jpg .png)
- 17. .dex (ApkReader) • Recognize (header: dex0) • Decompile • Constant strings
- 18. .arsc (ApkReader) • Key-value • Diff between ver. • Similarity between apps (copycat / translation)
- 19. AndroidManifest.xml (ApkReader) • Hidden info – Channel – Ad account – Malicious • Exported component – Feature – Attack • Trend – Tech – Business
- 20. Certification (ApkReader) • Black/White list • Certificate reputation • <App, Business> • Managed certification – Protection from copycat / stealer
- 21. File last modify time (ApkReader) • Dev. activity • Dev. cycle
- 22. Native code (ApkReader) • ARM (compatibility) • Find game • Abnormal behavior
- 23. Layout / Images (ApkReader) • User interaction • App similarity
- 24. Focus on • ApkReader • URL / Crawling • HTTP request • Binder • API hook • Data flow tagging • API modeling All above are for lab env.
- 25. URL / Crawling • Decompile .dex (apktool, dex2jar) • Crawl 2-3 depths for each domain • Find out feature claims (Traditional field for web search engine) • Editors
- 26. HTTP request • Tcpdump (even https) • Sandbox (Droidbox) • Compare field names, content with keywords
- 27. Binder • Wiretap ( data = mmap(…) ) • API hook • Intent – Intent fuzzer – Intent sniffer
- 28. API hook • Detection: strace, dexdep… • Action: Source code (Not even a real hook)
- 29. Data flow tagging • Tag data in memory William Enck, Peter Gilbert, Byung-Gon Chun. TaintDroid: An Information- Flow Tracking System for Realtime Privacy Monitoring on Smartphones. 9th USENIX Symposium on Operating Systems Design and Implementation (OSDI’10)
- 30. API modeling • Prepare: Decompile dex to source code (apktool) • Cook – <API, feature> – Atom method (BASE64…) – Rebuild apk and monitor critical API invokation – API invoke speed and hotpoint (Software quality) – Monkey (Software quality)
- 31. Summary • Static analyze – Dex2jar / apktool /dexdump… – Apk reader – API modeling • Dynamic analyze – Droidbox – Tcpdump – Binder monitor – Api hook – Automatic testing env. – User’s interaction (hard)
- 32. Milestones • URL extractor & 2 depths crawling (10-15) Binder monitor (11-1) • Automatic testing env. + Tcpdump (11-1) • Datastore (11-15) • Sandbox env. (11-15) • Apk signature database (12-1)
- 33. Questions? Next
- 34. in-App Search 2 Toward content directly