Mirror of PScout (


tar -xvzf PScout.tar.gz
in source bin/setup_env

Install XML::Simple (if not installed already):
sudo perl -MCPAN -e shell
install XML::Simple

PScout directory contents:

  • /bin - various scripts used in the analysis
  • /soot - soot analysis programs of java class files


  • _allmappings: API calls (both documented and undocumented) to permission mapping
  • _publishedapimapping: documented API calls to permission mapping
  • _intentpermissions: intents with permission
  • _contentproviderpermission: content provider (URI string "content://") with permission
  • _contentproviderfieldpermission: content provider (URI field) with permission

How to Run PScout:

mkdir # create new directory under
cd ../bin/ # is the root directory of the Android source code (should be already compiled with lunch full-eng) # performs steps 1-3 described in the following "Detailed Analysis Steps Section"
testsetup # step 4 (a few seconds)
../bin/ # step 5 (~half a day)
../bin/ # steps 6-11 (a few minutes)
../bin/ # step 12 (~half a day)
../bin/ # step 12-16 (a few minutes)

Detailed Analysis Step Descriptions

1: Get the relevant class files from the android build root directory

Put all classes in a new directory under ../bin/ ../bin/
rm -f *.jar

Create a list of class names ../bin/ under

2: Parse all AndroidManifest.xml files (in ANDROID_DIR) for permission information

Under run the following:
find -name AndroidManifest.xml > manifestlist
/bin/ > manifestpermission

grep ^contents:// manifestpermission | grep -v grantUriPermissions | sort -u > contentproviderpermission
sed -i 's/^contents/content/' contentproviderpermission
mv contentproviderpermission

grep ^PROVIDER: manifestpermission | sort -u > providerauth
mv providerauth

grep ^Intent: manifestpermission | sort -u > intentpermission
sed -i 's/^Intent://' intentpermission
mv intentpermission
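
An added sketch of the kind of information step 2 pulls out of a manifest, not PScout's own script: it lists which permission guards each content provider URI and each intent action. The sample manifest is constructed, and the function name and row layout are assumptions; PScout's manifestpermission line format is not reproduced here.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"  # namespace of android: attributes

# Constructed sample manifest, not taken from the Android source tree.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application>
    <provider android:name=".NotesProvider"
        android:authorities="com.example.notes;notes"
        android:readPermission="com.example.READ_NOTES"
        android:writePermission="com.example.WRITE_NOTES">
      <path-permission android:pathPrefix="/search"
          android:readPermission="android.permission.GLOBAL_SEARCH"/>
    </provider>
    <provider android:name=".OpenProvider" android:authorities="com.example.open"/>
    <receiver android:name=".SmsReceiver"
        android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def manifest_permissions(xml_text):
    """Return sorted, de-duplicated (kind, target, access, permission) rows."""
    rows, root = set(), ET.fromstring(xml_text)
    for prov in root.iter("provider"):
        scopes = [("", prov)]  # whole provider first, then per-path overrides
        for pp in prov.iter("path-permission"):
            path = pp.get(NS + "path") or pp.get(NS + "pathPrefix") or pp.get(NS + "pathPattern")
            scopes.append((path or "", pp))
        for auth in filter(None, prov.get(NS + "authorities", "").split(";")):
            for path, el in scopes:
                for access in ("read", "write"):
                    # readPermission/writePermission win over the generic permission
                    perm = el.get(NS + access + "Permission") or el.get(NS + "permission")
                    if perm:
                        rows.add(("provider", "content://" + auth + path, access, perm))
    for tag in ("activity", "service", "receiver"):
        for comp in root.iter(tag):
            perm = comp.get(NS + "permission")  # required of whoever sends the intent
            if perm:
                for action in comp.iter("action"):
                    rows.add(("intent", action.get(NS + "name"), "send", perm))
    return sorted(rows)

if __name__ == "__main__":
    for row in manifest_permissions(SAMPLE):
        print(" ".join(row))
```

Providers that declare no permission at all (OpenProvider in the sample) produce no rows, which makes them easy to spot by their absence when auditing a manifest.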

Note: At this point, unless otherwise specified, all commands in future steps should be executed under

3: Generate list of permissions to be analyzed by PScout

Create list of permissions available to 3rd party applications
../bin/ /frameworks/base/core/res/AndroidManifest.xml > permissions

Output files:

  • permissions

4: Testing setup

runsoot dump.DumpClass under

If you see Exception in thread "main" java.lang.RuntimeException: couldn't find class:$1 (is your soot-class-path set properly?) do the following: ../bin/\$1

If setting is correct, there should be no errors.

5: SOOT dump class information (this step should take ~day to finish)


Output files:

  • classhierarchy
  • rawcallgraph
  • permissionstringusage
  • message
  • handlemessageswitch
  • rpcmethod
  • clearrestoreuid
  • urifield


  • modify the classlist file to change the list of class files to be processed (useful if computer died(?) in the middle of an analysis)
  • the file 'processed' stores the list of classes examined so far
  • run 'wc processed' to get an idea on the progress (# of lines = # classes processed)

6: Build basic call graph

../bin/ | sort -u > callgraph

Output files:

  • callgraph

7: Create message sending edges

../bin/ > sendmessagecallgraphedges

Output files:

  • sendmessagecallgraphedges

8: AIDL RPC

../bin/ > aidlcallgraphedges
../bin/ > callgraphnorpc

9: String permission checks

../bin/ > pchk
../bin/

Output files:

  • stringpermissioncheck
  • sendreceivepermissioncheck

10: Uri permission checks

../bin/ > contentprovidercheck

Output files:

  • contentprovidercheck
  • contentproviderfieldpermission

11: SOOT Intents with "dynamic" send/receive permission

../bin/ ../bin/ > intentwithdynamicpermission
cat intentpermission intentwithdynamicpermission > intentpermissions

Output files:

  • intentwithdynamicpermission
  • intentpermissions

12: SOOT Intent permission check (~day)

../bin/ ../bin/ > intentpermissioncheck

Output files:

  • intentpermissioncheck

13: API mapping

cp /frameworks/base/api/current.xml
Note: when analyzing Android 4.0, copy current.txt instead

../bin/ > broadcaststickycheck
../bin/ > API

Output files:

  • permissionreachedprovider

14: New content permission requirement found from first pass

../bin/ > reachedcontentproviderpermission
../bin/ > contentproviderdynamiccheck

15: Second (final) API mapping

../bin/ > API
grep -e '^Permission' -e 'Callers:' -e '^<' API > allmappings

Output files:

  • allmappings
  • publishedapimapping

16: Generate some basic stats

../bin/ > stats

Output files:

  • stats