IntelliDroid is an analysis tool for Android applications that extracts call paths leading to specific behavior and executes these paths precisely during run time. When given a set of targeted behaviors, the static analysis component traverses the application's call graph to find paths to these behaviors. It also extracts path constraints, which are used to determine the input values that can trigger these paths. The dynamic component takes the extracted paths/constraints and injects the input values into the Android device, triggering the targeted behaviors.
The 'FrameworkAnalysis' performs static analysis to generate constraints for the Android framework. We currently provide the output framework constraints so that they can be added to the application constraints produced by the 'AppAnalysis' component.
The 'AppAnalysis' directory holds the code that generate constraints for Android applications.
|preprocess||Scripts to extract and preprocess APK file before passing it to the tool.|
|src||Source code files.|
|libs||Dependencies, including the necessary WALA libraries.1|
|android||Compiled Android framework files (to be analyzed), from AOSP version 4.4.2_r2.|
1 We have made slight changes to WALA's call graph generation to improve IntelliDroid's performance. The modified source code can be found here.
Building and running
This project uses the Gradle build system. Output files are located in the
build/ directory. The gradlew script is a wrapper for machines that do not have Gradle already installed. If your development machine already contains Gradle, you can use your own installation by replacing
gradle in the commands below. A network connection is required when compiling the code for the first time so that Gradle can automatically download dependencies.
The included Android framework files in the
android directory were compiled using JDK 1.6 but the
apktool used in the preprocessing scripts require JDK 1.7. We recommend using JDK 1.7, as that seems to work best. If necessary, you can replace the files in the
android directory to try different versions of AOSP or JDK.
Preprocessing APK files:
The target APK file to be analyzed should first be preprocessed using the scripts in the
preprocess folder. The resulting directory (containing the APK file and the extracted resources) can then be passed to the static analysis.
The preprocessing scripts uses Apktool and Dare to extract the APK package. You can use your own extraction tools, but you may have to modify the app analysis code so that IntelliDroid can find the bytecode and manifest files for a given application.
./preprocess/PreprocessAPK.sh <APK file> ./preprocess/PreprocessDataset.sh <directory of APK files>
To build and run:
./IntelliDroidAppAnalysis -o <output directory> <preprocessed app directory>
To see other command-line options, run:
The output directory is used to store the app info JSON file and the Z3 constraint files. If not specified, these files will be stored in
./pathOutput. The output files are used by the
IntelliDroidDynamicClient tool to identify the call paths and to generate the input data to trigger these paths.
constraintX_X.py files produced in the output directory are necessary for the dynamic client, but are not very readable. The
-y flag can be used to obtain a more readable (but output-heavy) version of the path/constraint results (printed in stdout).
The 'DynamicClient' directory contains the python program that communicates with the Android device and sends the inputs that trigger the desired events.
Setting up the environment
The program expects that an Android device or emulator is connected to the system. This device must be running the custom Android OS containing IntelliDroidService (which interprets the commands this program sends and does the actual event invocation). The DynamicClient program will automatically connect to the device via a socket on port tcp:12348. The
adb tool will be used to set up the connection and run certain commands, and it should be reachable from
PATH (this can be done by adding the Android SDK tools directory to the
PATH variable or by setting up the AOSP build environment prior to running the DynamicClient.
In addition, the DynamicClient uses the Z3 constraint solver via its Python API (z3-py). The instructions to build and install Z3 with Python bindings are available here.
The custom Android OS used by IntelliDroid is provided as a series of diff files that can be applied to the base AOSP source tree. IntelliDroid is currently implemented for Android 4.3 (AOSP branch
android-4.3_r1). Please refer to the AOSP documentation for instructions on how to download and build Android.
Once you have downloaded and compiled the correct AOSP version, you can apply the IntelliDroid patches, which are located in the
androidPatches directory. The
unpatch.sh files are provided to help automate this process. After patching, rebuild AOSP (we've found that you might have to run
make twice; otherwise, certain files on the emulator become inconsistent). You may also need to run
make update-api along with
make. Once built, you can use
logcat to verify that the
IntelliDroidService class is started as a system service when the device boots.
To apply patches:
cd androidPatches ./patch.sh <path to AOSP directory>
HELP (get description of commands)
INSTALL <APK file>
START <directory to app information, generated by IntelliDroidAppAnalysis>
TRIGGER <call path ID to trigger, as specified in appInfo.json>
EXECUTE <command to send to IntelliDroidService>1
INFO <info requested from IntelliDroidService>1
1 These commands are for debugging purposes only. You should only use these if you know the exact parameters that IntelliDroidService expects.
Integration with TaintDroid is fairly straightforward. For the 'AppAnalysis' component, use the
-t flag to specify a different list of targeted methods (i.e. the provided
./IntelliDroidAppAnalysis -t taintdroidTargets.txt <preprocessed app directory>
On the dynamic side, follow the instructions here to download and build TaintDroid for Android 4.3. Once you have verified that your build of TaintDroid works, apply the patches in
DynamicClient/androidPatches in the same way as you would for unmodified AOSP.
IntelliDroid was initially developed as a Master's thesis project by Michelle Wong at the University of Toronto, supervised by Dr. David Lie.
For any inquiries, please contact:
- Michelle Wong (firstname.lastname@example.org)
The following have contributed code to IntelliDroid:
- Michelle Wong
- Dr. David Lie
- Mariana D'Angelo
- Peter Sun
IntelliDroid is released under the MIT License.