A test-monitor-analyze tool for enhancing security on Android devices

anshu7vyas/privacy_inspector


Privacy Inspector

The primary objective of this project is to enhance the Android platform by implementing a new tool that monitors and logs whenever an application uses a privacy-sensitive API. The Privacy Inspection tool enables users to test, monitor, and analyze the behavior of any application on Android and to recognize possible privacy loopholes. Privacy Inspector uses Aspect Oriented Programming to weave custom aspects into the Android platform. In this way, the injected aspects blend with the platform and work together to alert users about privacy leaks.

To use this tool, you'll need to instrument the AOSP build using Instrumentation_tool.

Initial Setup

Please refer to the project wiki, or click the links below, for a detailed description of getting started:

  1. Getting started with Android 2.3.7 Gingerbread Build
  2. Procedure for instrumenting the source code and building custom Android emulator

Mock-up data wrangling

  1. Inserting mock-up geo coordinates in the emulator using telnet

Source code walkthrough:

The source code can be found in instrumentation_tool/src.

First, let's glance at the project structure:

[Diagram: Project Structure]

Let's go over each package and look at its class diagram:

package observer;

[Class diagram: observer]

package visitor;

[Class diagram: visitor]

package util;

[Class diagram: util]

Dependency diagram

[Diagram: overall dependencies]

Flow Diagram (Bottom-up Approach)

[Diagram: bottom-up flow]

The project makes use of software design patterns such as the Observer pattern, the Visitor pattern and the Singleton pattern. Whenever the analysis is run, the stream of bytes is pipelined through sliding buffers that look for the mock-up data instrumented beforehand. The observers are notified whenever the byte stream changes, and the DataInspector class runs the analysis: it first detects the encoding of the stream, then returns the stream in the proper format, and if the mock-up data is detected it is logged to the adb logs while the app is run for testing.
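The following is an added illustration of that pipeline and is not code from the privacy_inspector project: a sliding byte buffer receives an outgoing stream in chunks, a heuristic picks the encoding (BOM, then a "every other byte is zero" check for UTF-16, otherwise UTF-8), each planted mock-up value is encoded the same way and searched for in the window, and registered observers are notified once per distinct occurrence. The class name MockupLeakDetector, the LeakObserver interface, the fake IMEI and geo fix, and the HTTP request are all constructed for this example; on the instrumented platform the observer would write to android.util.Log so the hit appears in adb logcat.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * Hypothetical detector (not the project's own code): a sliding window over an
 * outgoing byte stream that reports planted mock-up values to its observers.
 */
public class MockupLeakDetector {

    /** Observer contract: called once per distinct occurrence of a mock-up value. */
    public interface LeakObserver {
        void onLeak(String mockupValue, Charset encoding, long streamOffset);
    }

    private final byte[] window;                              // sliding window over the stream
    private int filled = 0;                                   // valid bytes currently in the window
    private long consumed = 0;                                // total bytes fed so far
    private final List<String> mockups;                       // values planted in the emulator
    private final List<LeakObserver> observers = new ArrayList<>();
    private final Map<String, Long> lastHit = new HashMap<>(); // dedup across overlapping windows

    public MockupLeakDetector(int windowSize, List<String> mockups) {
        this.window = new byte[windowSize];
        this.mockups = mockups;
    }

    public void addObserver(LeakObserver o) { observers.add(o); }

    /** Feed the next chunk of the stream; returns the mock-up values newly detected. */
    public List<String> feed(byte[] chunk) {
        if (chunk.length >= window.length) {
            // The chunk alone fills the window: keep only its tail.
            System.arraycopy(chunk, chunk.length - window.length, window, 0, window.length);
            filled = window.length;
        } else {
            // Keep the tail of the old window so a value split across chunks is still found.
            int keep = Math.min(filled, window.length - chunk.length);
            System.arraycopy(window, filled - keep, window, 0, keep);
            System.arraycopy(chunk, 0, window, keep, chunk.length);
            filled = keep + chunk.length;
        }
        consumed += chunk.length;
        return inspect();
    }

    /** Detect the encoding, encode each mock-up value the same way, and search the window. */
    private List<String> inspect() {
        byte[] view = Arrays.copyOf(window, filled);
        Charset cs = detectEncoding(view);
        long windowStart = consumed - filled;          // stream offset of window[0]
        List<String> hits = new ArrayList<>();
        for (String m : mockups) {
            long prev = lastHit.getOrDefault(m, -1L);
            // Only look for occurrences that start after the last one we reported.
            int from = (int) Math.max(0L, prev + 1 - windowStart);
            int idx = indexOf(view, m.getBytes(cs), from);
            if (idx < 0) continue;
            long offset = windowStart + idx;
            lastHit.put(m, offset);
            hits.add(m);
            for (LeakObserver o : observers) o.onLeak(m, cs, offset);
        }
        return hits;
    }

    /** BOM first; then "every other byte is zero" as a UTF-16 heuristic; otherwise UTF-8. */
    static Charset detectEncoding(byte[] b) {
        if (b.length >= 2 && (b[0] & 0xFF) == 0xFF && (b[1] & 0xFF) == 0xFE) return StandardCharsets.UTF_16LE;
        if (b.length >= 2 && (b[0] & 0xFF) == 0xFE && (b[1] & 0xFF) == 0xFF) return StandardCharsets.UTF_16BE;
        if (b.length >= 4 && zerosAt(b, 1)) return StandardCharsets.UTF_16LE;
        if (b.length >= 4 && zerosAt(b, 0)) return StandardCharsets.UTF_16BE;
        return StandardCharsets.UTF_8;
    }

    private static boolean zerosAt(byte[] b, int start) {
        for (int i = start; i < b.length; i += 2) if (b[i] != 0) return false;
        return true;
    }

    /** Naive byte search; windows are small, so no need for anything cleverer. */
    static int indexOf(byte[] hay, byte[] needle, int from) {
        outer:
        for (int i = Math.max(0, from); i <= hay.length - needle.length; i++) {
            for (int j = 0; j < needle.length; j++) if (hay[i + j] != needle[j]) continue outer;
            return i;
        }
        return -1;
    }

    public static void main(String[] args) {
        // Constructed mock-up values: a fake IMEI and a fake geo fix, as planted in the emulator.
        List<String> planted = Arrays.asList("123456789012345", "37.4220,-122.0841");
        MockupLeakDetector d = new MockupLeakDetector(64, planted);
        d.addObserver((v, cs, off) -> System.out.println("LEAK " + v + " encoding=" + cs + " offset=" + off));

        // Constructed outgoing request, delivered in two chunks so the IMEI straddles the boundary.
        byte[] req = "POST /echo HTTP/1.1\r\n\r\nimei=123456789012345&loc=37.4220,-122.0841"
                .getBytes(StandardCharsets.UTF_8);
        d.feed(Arrays.copyOfRange(req, 0, 30));          // no hit yet: only "imei=12" has arrived
        d.feed(Arrays.copyOfRange(req, 30, req.length)); // both values reported exactly once

        // Same payload as UTF-16LE: the heuristic switches encoding and the IMEI still matches.
        MockupLeakDetector d2 = new MockupLeakDetector(64, planted);
        d2.addObserver((v, cs, off) -> System.out.println("LEAK " + v + " encoding=" + cs));
        d2.feed("imei=123456789012345".getBytes(StandardCharsets.UTF_16LE));
    }
}
```

The window is deliberately kept as raw bytes and the needle is encoded in the detected charset, rather than decoding the window to a String, so the reported offset is an exact position in the stream and the same occurrence is not re-reported while it remains inside the overlapping window.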

Sample Application:

For testing purposes, an APK file has been provided under the APKs/ folder to help you understand how the tool works. The Secret-Spiller app deliberately requests permissions for the IMEI, geolocation and contacts, and then uploads them to an echo server.