#Concolic Analysis for Android (CAA)
The goal of this project is to provide a tool to allow concolic analysis of arbitrary black box Android APKs. The long term intention is for the analysis of APKs in order to detect malicious clones, but the tool stands on its own.
- Set up the VM
- Install Vagrant
- Go to the root directory of the repo (where this file is)
- Run "vagrant up" and wait for the machine to come online
- Run "vagrant ssh" to enter tphe virtual machine
- All included projects will be in "~/Workspace/" in the VM
- Needed tools should be all installed via puppet or vagrant scripts. No configuration there should be necessary.
Linux or possibly OSX only. Windows is not supported at this time. Hence, the management has provided a lovely Vagrant virtual machine.
- In the VM, navigate to "~/Workspace/AnalysisEngine"
- In the host OS, import "AnalysisEngine/AndroidAnalysisEngine/" as a maven project in the IDE of your choice. If this instruction is insufficient, please see Project Setup in Eclipse below.
- SSH into the vm ("vagrant ssh")
- Run "mvn package" in "AnalysisEngine/AndroidAnalysisEngine/"
- The jar and several folders will be created under "AnalysisEngine/AndroidAnalysisEngine/target/"
- Relevant folders to project: "configs/," "lib/," and "spawnsource/"
- Update "configs/config.properties" with the locations of the three tools (Java Pathfinder, ApkTools, and Dex2Jar). Locations should be to the containing directories and end in a slash (this one -> "/") See Helpful Notes for default tool locations
- Navigate to the app directory
- Run "java -jar $JARNAME -apk $PATH_TO_APK
- $JARNAME at this time is "CAA-1.0.0.jar"
- $PATH_TO_APK may include anywhere on the system running the app
- Wait a while (coffee time!)
- Once the app in finished, the results will be under "results" in the same directory, named "$APK_FILENAME.jpfout.txt"
- A good small test APK may be found here.
- All the tools are installed in "AnalysisEngine/tools/"
- Sometimes the app dislikes running from the target directory. In this case, move the created jar and directories up one level (to AnalysisEngine/AndroidAnalysisEngine/). This frequently helps. Make sure to check configs for correctness after.
- MAKE SURE YOU HAVE A JDK INSTALLED AND ON YOUR PATH
- This only should be an issue for running on local machines - the VM should have an appropriate JDK installed and configured
- Requires at least 1.7
- Please make sure your default JRE and default JRE are the same major version in the event of a major/minor conflict,
- Java Pathfinder requires some special setup, especially the site.properties - the VM setup takes care of this, but for local development this should become necessary. Instructions can be found here. Both the core and symbolic modules are required.
Development of the project is recommend to be done outside the provided Vagrant machine. At this time, ONLY Unix-like systems are supported (OSX and CentOS Linux are tested - BSD flavors and Haiku are not). If you do not have a Unix-like system available, uncomment the line config.vm.boot\_mode = :gui in the Vagrantfile and install Eclipse inside the VM. This is not recommended, but should be adequate enough. Be careful, because destroying the virtual machine means losing your Eclipse install.
- Clone this project locally
- Download and install the latest version of Eclipse for Java if you don't have a version already
- Launch Eclipse. You should see a window like the following:
- Click "Browse" and set your workspace to $LOCAL_REPO/AnalysisEngine, where $LOCAL_REPO is where this repo was cloned to. Click "Open" and then "Okay"
- You should see the following
- On the top menu bar, select "File" -> "Import" This screenshot shows OSX, but the flow is the same for other OS's
- On the window that pops up, select "Maven" -> "Existing Maven Projects"
- You should see the following
- On the next window, select "Browse" in the top right, select the $LOCAL_REPO/AnalysisEngine directory (should be the default) and click "Okay." After a scan, you should see something like the following
- Eclipse should now have the project open, similar to this
-
Before going any further, make sure you have run through the General Setup part of this guide. The virtual machine does not need to stay running while developing, but several tools are downloaded during the initial setup
-
If you're running Eclipse inside the Vagrant VM, skip this step. Otherwise, copy the file "site.properties" from "$LOCAL_REPO/puppet/modules/java-pathfinder/sources" to "~/.jpf" as this is required for Java Pathfinder to run correctly. Make sure to update the following in your copy
-
jpf-core = $LOCAL_REPO/AnalysisEngine/tools/jpf/jpf-core, where $LOCAL_REPO is where you cloned the repository
-
jpf-symbc = $LOCAL_REPO/AnalysisEngine/tools/jpf/jpf-symbc, where $LOCAL_REPO is where you cloned the repository
-
In Eclipse, go to the menu bar and select "Run" -> "Run Configurations"
-
You should see the following
-
Double click "Java Application" and the following should appear
-
Give your run configuration a name. The project should be "AndroidAnalysisEngine" and the main class should be "com.rit.AndroidAnalysisEngine.App"
-
Click the Arguments tab just under the name field. For program arguments, enter without quotes "-apk $AN_APK_FILE" where $AN_APK_FILE is either an absolute path or a path relative to $LOCAL_REPO/AnalysisEngine/AndroidAnalysisEngine where there is an apk
-
Click "Apply" and "Close." At this point, you should be able to use the Debug and Play buttons to start the app
-
Once one of those button is clicked, you should see output in the Terminal window at the bottom, starting with "Firing up!" The output of this is shown below.
-
A sample of the final tool output is shown below:
Original idea from Daniel Krutz. Based in part from research by Justin Peterson