Quick Start of Using DroidRA - serval-snt-uni-lu/DroidRA GitHub Wiki

This page gives a quick start for launching DroidRA. Launching DroidRA is easy: it takes two parameters as input: 1) the path of a given Android app (APK); and 2) the path of an Android SDK platform jar (android.jar).

java -Xmx8g -jar DroidRA.jar $APP_PATH $ANDROID_JAR_PATH

Case Study

Now we show a case study of using DroidRA to tame reflection for other static analysis approaches. The app we present in this case study is Reflection3.apk, an app from the DroidBench repository.

mkdir workspace

// Reflection3.apk has been downloaded to the home directory (~)
java -Xmx8g -jar DroidRA.jar ~/Reflection3.apk ~/android-platforms/android-18/android.jar

DroidRA will output the following three files:

  • droidra_Reflection3.apk_de.ecspride_v1.txt // reflection result in plain text; the file is named droidra_FILENAME_PACKAGENAME_VERSION.txt
  • refl.json // reflection result in structured (JSON) format
  • workspace_boosted_apps/Reflection3.apk // the instrumented (boosted) version of the app

The content of droidra_Reflection3.apk_de.ecspride_v1.txt is as follows:

de.ecspride.MainActivity/void onCreate(android.os.Bundle) : $r6 = virtualinvoke r0.<java.lang.Class: java.lang.reflect.Method getMethod(java.lang.String,java.lang.Class[])>("getImei", $r5)
    0 : [getImei]

de.ecspride.MainActivity/void onCreate(android.os.Bundle) : $r8 = virtualinvoke $r6.<java.lang.reflect.Method: java.lang.Object invoke(java.lang.Object,java.lang.Object[])>(r19, $r7)
    -1 : Value: 1 path values
  declaringClass_method=de.ecspride.ReflectiveClass, name_method=getImei, 


de.ecspride.MainActivity/void onCreate(android.os.Bundle) : r0 = staticinvoke <java.lang.Class: java.lang.Class forName(java.lang.String)>("de.ecspride.ReflectiveClass")
    0 : [de.ecspride.ReflectiveClass]

de.ecspride.MainActivity/void onCreate(android.os.Bundle) : r19 = virtualinvoke r0.<java.lang.Class: java.lang.Object newInstance()>()
    -1 : Value: 1 path values
  name_class=de.ecspride.ReflectiveClass, 


de.ecspride.MainActivity/void onCreate(android.os.Bundle) : r21 = virtualinvoke r0.<java.lang.Class: java.lang.reflect.Method getMethod(java.lang.String,java.lang.Class[])>("setImei", r20)
    0 : [setImei]

de.ecspride.MainActivity/void onCreate(android.os.Bundle) : virtualinvoke r21.<java.lang.reflect.Method: java.lang.Object invoke(java.lang.Object,java.lang.Object[])>(r19, r1)
    -1 : Value: 1 path values
  declaringClass_method=de.ecspride.ReflectiveClass, name_method=setImei, 
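The result file above has a simple line-oriented layout: an unindented header "METHOD : STATEMENT" for each reflective call site, followed by an indented "INDEX : ..." line (INDEX >= 0 names the argument whose string value was inferred, -1 means the call target itself was resolved) and, for resolved targets, key=value lines such as declaringClass_method and name_method. The following reader is an added example and not part of DroidRA; it assumes exactly this layout (", "-separated values inside the brackets, key=value pairs separated by commas) and turns the excerpt shown above into records, then lists which methods the app invokes reflectively, which is usually the first thing a reviewer wants from such a file.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not DroidRA's own code: a reader for the droidra_*.txt result layout shown above.
public class DroidRAResultParser {

    /** One block of the result file: a reflective call site and what DroidRA inferred for it. */
    public static final class Entry {
        public String method;   // enclosing method, e.g. de.ecspride.MainActivity/void onCreate(android.os.Bundle)
        public String stmt;     // the Jimple statement of the reflective call
        public int index;       // >= 0: position of the argument whose value was inferred; -1: the resolved target
        public final List<String> values = new ArrayList<>();             // inferred string arguments (index >= 0)
        public final Map<String, String> target = new LinkedHashMap<>();  // key=value pairs of the target (index -1)
    }

    // Indented "    <index> : <rest>" line that follows a call-site header.
    private static final Pattern VALUE_LINE = Pattern.compile("^\\s+(-?\\d+) : (.*)$");

    public static List<Entry> parse(String text) {
        List<Entry> entries = new ArrayList<>();
        Entry cur = null;
        for (String line : text.split("\\r?\\n")) {
            if (line.trim().isEmpty()) continue;
            if (!Character.isWhitespace(line.charAt(0))) {
                // Header "<method> : <stmt>": the first " : " (space-colon-space) separates the two parts;
                // the colons inside "<java.lang.Class: ...>" have no leading space and are therefore skipped.
                int sep = line.indexOf(" : ");
                if (sep < 0) throw new IllegalArgumentException("malformed header: " + line);
                cur = new Entry();
                cur.method = line.substring(0, sep);
                cur.stmt = line.substring(sep + 3);
                entries.add(cur);
                continue;
            }
            if (cur == null) throw new IllegalArgumentException("value line before any header: " + line);
            Matcher m = VALUE_LINE.matcher(line);
            if (m.matches()) {
                cur.index = Integer.parseInt(m.group(1));
                String rest = m.group(2).trim();
                // "[getImei]" -> inferred argument values (assumed to be comma-separated if there are several)
                if (cur.index >= 0 && rest.startsWith("[") && rest.endsWith("]")) {
                    for (String v : rest.substring(1, rest.length() - 1).split(",")) {
                        if (!v.trim().isEmpty()) cur.values.add(v.trim());
                    }
                }
                // "-1 : Value: N path values" carries no data itself; the key=value lines follow it.
                continue;
            }
            // "  declaringClass_method=de.ecspride.ReflectiveClass, name_method=getImei, "
            for (String kv : line.split(",")) {
                int eq = kv.indexOf('=');
                if (eq > 0) cur.target.put(kv.substring(0, eq).trim(), kv.substring(eq + 1).trim());
            }
        }
        return entries;
    }

    /** Methods invoked through reflection, as "declaringClass.name", in order of first appearance. */
    public static Set<String> reflectivelyInvokedMethods(List<Entry> entries) {
        Set<String> out = new LinkedHashSet<>();
        for (Entry e : entries) {
            String cls = e.target.get("declaringClass_method");
            String name = e.target.get("name_method");
            if (cls != null && name != null) out.add(cls + "." + name);
        }
        return out;
    }

    public static void main(String[] args) {
        // Excerpt of droidra_Reflection3.apk_de.ecspride_v1.txt copied from the page above.
        String sample =
            "de.ecspride.MainActivity/void onCreate(android.os.Bundle) : $r6 = virtualinvoke r0.<java.lang.Class: java.lang.reflect.Method getMethod(java.lang.String,java.lang.Class[])>(\"getImei\", $r5)\n"
          + "    0 : [getImei]\n"
          + "\n"
          + "de.ecspride.MainActivity/void onCreate(android.os.Bundle) : $r8 = virtualinvoke $r6.<java.lang.reflect.Method: java.lang.Object invoke(java.lang.Object,java.lang.Object[])>(r19, $r7)\n"
          + "    -1 : Value: 1 path values\n"
          + "  declaringClass_method=de.ecspride.ReflectiveClass, name_method=getImei, \n"
          + "\n"
          + "de.ecspride.MainActivity/void onCreate(android.os.Bundle) : r0 = staticinvoke <java.lang.Class: java.lang.Class forName(java.lang.String)>(\"de.ecspride.ReflectiveClass\")\n"
          + "    0 : [de.ecspride.ReflectiveClass]\n";
        List<Entry> entries = parse(sample);
        for (Entry e : entries) {
            System.out.println(e.method + " | index " + e.index + " | values " + e.values + " | target " + e.target);
        }
        System.out.println("reflective targets: " + reflectivelyInvokedMethods(entries));
    }
}
```

Compile and run with `javac DroidRAResultParser.java && java DroidRAResultParser`; on the excerpt it reports de.ecspride.ReflectiveClass.getImei as the one reflectively invoked method. For a real run, read the whole droidra_*.txt file into the string instead of the embedded excerpt; refl.json carries the same information in a form that needs no custom parser.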

The following excerpt shows what the instrumented Jimple code looks like:

        $r5 = staticinvoke <java.lang.Class: java.lang.Class forName(java.lang.String)>("de.ecspride.ReflectiveClass");
        $r2 = virtualinvoke $r5.<java.lang.Class: java.lang.Object newInstance()>();
        $i2 = staticinvoke <Alteration: int check(int)>(0);
        if 1 == $i2 goto label02;
        $r20 = new de.ecspride.ReflectiveClass;
        virtualinvoke $r20.<de.ecspride.ReflectiveClass: void <init>()>();
        $r2 = $r20;
     label02:
        $r6 = newarray (java.lang.Class)[1];
     label03:
        $r6[0] = class "java/lang/String";
        $r7 = virtualinvoke $r5.<java.lang.Class: java.lang.reflect.Method getMethod(java.lang.String,java.lang.Class[])>("setImei", $r6);
     label04:
        $r8 = newarray (java.lang.Object)[1];
     label05:
        $r8[0] = $r4;
        $r19 = $r2;
        virtualinvoke $r7.<java.lang.reflect.Method: java.lang.Object invoke(java.lang.Object,java.lang.Object[])>($r2, $r8);
        $i1 = staticinvoke <Alteration: int check(int)>(0);
        if 1 == $i1 goto label06;
        $r17 = $r8[0];
        $r18 = (java.lang.Object) $r17;
        virtualinvoke $r19.<de.ecspride.ReflectiveClass: void setImei(java.lang.String)>($r18);
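To make the Jimple above easier to read, here is the same transformation at the Java source level. This is an added example and not code from DroidRA or from DroidBench: `ReflectiveClass` mirrors de.ecspride.ReflectiveClass with the getImei/setImei methods named on this page, and `Alteration.check` has the signature `<Alteration: int check(int)>` seen in the Jimple but an assumed body (DroidRA's real predicate is not shown on this page). `original` is the reflective code as the app ships it; `boosted` is its instrumented form, where each reflective call is followed by the explicit call DroidRA resolved, guarded by the opaque predicate so that the explicit call is skipped at run time yet visible to a static analyser.

```java
import java.lang.reflect.Method;

// Added example (not DroidRA's or DroidBench's code): source-level view of the boosting shown in Jimple above.
public class ReflectionBoostDemo {

    // Mirror of de.ecspride.ReflectiveClass, the class reached through reflection on this page.
    public static class ReflectiveClass {
        private String imei;
        public void setImei(String imei) { this.imei = imei; }
        public String getImei() { return imei; }
    }

    // Stand-in for <Alteration: int check(int)> (assumed body). Returning 1 makes the
    // "if 1 == $i goto" guard jump over the explicit call, so the added statements never
    // execute at run time but remain reachable for an analyser that cannot evaluate check().
    static final class Alteration {
        static int check(int x) { return 1; }
    }

    // Original form: forName / newInstance / getMethod("setImei") / invoke, as in the result file.
    static Object original(String imei) throws Exception {
        Class<?> c = Class.forName(ReflectiveClass.class.getName()); // page uses the literal "de.ecspride.ReflectiveClass"
        Object target = c.getDeclaredConstructor().newInstance();    // the Jimple uses Class.newInstance()
        Method setImei = c.getMethod("setImei", String.class);
        setImei.invoke(target, new Object[] { imei });
        return target;
    }

    // Boosted form: the same code after instrumentation, each reflective call followed by
    // its resolved explicit counterpart behind the opaque guard.
    static Object boosted(String imei) throws Exception {
        Class<?> c = Class.forName(ReflectiveClass.class.getName());
        Object target = c.getDeclaredConstructor().newInstance();
        if (Alteration.check(0) != 1) {                 // if 1 == $i2 goto label02;
            target = new ReflectiveClass();             // $r20 = new de.ecspride.ReflectiveClass; <init>; $r2 = $r20
        }
        Method setImei = c.getMethod("setImei", String.class);
        Object[] args = new Object[] { imei };          // $r8 = newarray (java.lang.Object)[1]; $r8[0] = $r4
        setImei.invoke(target, args);
        if (Alteration.check(0) != 1) {                 // if 1 == $i1 goto label06;
            // Explicit call an analyser such as IccTA can follow: $r17 = $r8[0]; setImei($r18)
            ((ReflectiveClass) target).setImei((String) args[0]);
        }
        return target;
    }

    public static void main(String[] args) throws Exception {
        String sample = "000000000000000";  // constructed placeholder value, not a real device identifier
        ReflectiveClass a = (ReflectiveClass) original(sample);
        ReflectiveClass b = (ReflectiveClass) boosted(sample);
        // Both paths produce the same object state: boosting preserves run-time behaviour.
        System.out.println("original: " + a.getImei() + " / boosted: " + b.getImei());
    }
}
```

The point of the guard is that the two `if` bodies are dead at run time (the app behaves exactly as before) while a static taint tracker, which cannot decide `check(0)`, sees a direct path from the `args[0]` value into `ReflectiveClass.setImei` instead of an opaque `Method.invoke` call. That is what lets IccTA connect the source to the sink in the next section.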

We then feed the instrumented app to IccTA, which can now report a data leak that it could not report before. The result reported by IccTA is:

<de.ecspride.MainActivity: void onCreate(android.os.Bundle)>
     -> $r12 = virtualinvoke $r11.<android.telephony.TelephonyManager: java.lang.String getDeviceId()>()
<de.ecspride.MainActivity: void onCreate(android.os.Bundle)>
     -> $r16[0] = $r12
<de.ecspride.MainActivity: void onCreate(android.os.Bundle)>
     -> $r4 = $r16[0]
<de.ecspride.MainActivity: void onCreate(android.os.Bundle)>
     -> $r4 = (java.lang.Object) $r4
<de.ecspride.MainActivity: void onCreate(android.os.Bundle)>
     -> $r12 = (java.lang.String) $r4
<de.ecspride.MainActivity: void onCreate(android.os.Bundle)>
     -> virtualinvoke $r2.<de.ecspride.ReflectiveClass: void setImei(java.lang.String)>($r12)
<de.ecspride.ReflectiveClass: void setImei(java.lang.String)>
     -> $r0.<de.ecspride.ReflectiveClass: java.lang.String imei> = $r1
<de.ecspride.ReflectiveClass: void setImei(java.lang.String)>
     -> $r0 := @this: de.ecspride.ReflectiveClass
<de.ecspride.MainActivity: void onCreate(android.os.Bundle)>
     -> $r2 = (de.ecspride.ReflectiveClass) $r14
<de.ecspride.MainActivity: void onCreate(android.os.Bundle)>
     -> $r2 = (de.ecspride.ReflectiveClass) $r14
<de.ecspride.MainActivity: void onCreate(android.os.Bundle)>
     -> $r12 = virtualinvoke $r2.<de.ecspride.ReflectiveClass: java.lang.String getImei()>()
<de.ecspride.ReflectiveClass: java.lang.String getImei()>
     -> r1 = $r0.<de.ecspride.ReflectiveClass: java.lang.String imei>
<de.ecspride.ReflectiveClass: java.lang.String getImei()>
     -> return r1
<de.ecspride.MainActivity: void onCreate(android.os.Bundle)>
     -> $r4 = $r12
<de.ecspride.MainActivity: void onCreate(android.os.Bundle)>
     -> $r12 = (java.lang.String) $r4
<de.ecspride.MainActivity: void onCreate(android.os.Bundle)>
     -> virtualinvoke $r17.<android.telephony.SmsManager: void sendTextMessage(java.lang.String,java.lang.String,java.lang.String,android.app.PendingIntent,android.app.PendingIntent)>("+49 1234", null, $r12, null, null)}