Security Certifier for anDroid
(c) Copyright 2009-2012
The preferred license for SCanDroid is the BSD License and the majority of the SCanDroid software is licensed with it. However there are a few case-by-case exceptions that are under the Eclipse Public License.
Fetch SCanDroid from github
git clone https://github.com/SCanDroid/SCanDroid.git
Download our fork of WALA from GitHub (https://github.com/SCanDroid/WALA) and create jars. (WALA is an IBM project, hosted here: WALA. It is distributed under the terms of the Eclipse Public License, and all WALA artifacts that may be included with SCanDroid retain that license.)
Import WALA into Eclipse
- File => Import => Existing Projects into Workspace
- Ensure that "copy projects into workspace" is not checked
- Browse to the SCanDroid/wala/wala-src directory, click ok
- Various WALA projects should appear in the "Projects:" list
- Uncheck the following WALA related projects: polyglot and js
- Click Finish
Export the following WALA .jar files into SCanDroid/wala, if they do not already exist.
Modify your WALA properties file according to WALA:Getting Started. Specifically, you may need to change the java_runtime_dir property to your JRE path. You may need to modify one of the following files depending on your OS.
We use Apache Ivy to manage most of the other dependencies, with one exception. dexlib-1.3.4-dev is a BSD3-licensed library available from http://code.google.com/p/smali/. The jar is located in SCanDroid/lib.
Finally, SCanDroid uses the Android library during the analysis. The Android jar included in the Android SDK includes methods that are stubbed out. This makes it lightweight and ideal for download and development; however, in order to do a sound analysis, SCanDroid requires either a well-modeled Android library or the full implementation. You may model your own, compile the full implementation, or download a precompiled version online. GrepCode has some precompiled Android libraries that may be used.
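A pre-flight check for the point above, added here as an example and not part of SCanDroid: it reports what fraction of the classes in a jar carry the `Stub!` string in their constant pool, so a stubbed SDK jar can be told apart from a full build before it is passed to `--android-lib`. It assumes the SDK stubs throw `RuntimeException("Stub!")`; the names `utf8_constants`, `stub_ratio` and `sample_jar` are hypothetical, and the sample jar is constructed.

```python
import io
import struct
import zipfile

# Bytes following the tag for each fixed-size constant-pool entry (JVM class-file format).
FIXED_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
               12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def utf8_constants(class_bytes):
    """Return the set of Utf8 constant-pool entries of one .class file."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    (count,) = struct.unpack_from(">H", class_bytes, 8)
    pos, index, found = 10, 1, set()
    while index < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length followed by the bytes
            (length,) = struct.unpack_from(">H", class_bytes, pos)
            found.add(class_bytes[pos + 2:pos + 2 + length])
            pos += 2 + length
        elif tag in FIXED_SIZES:
            pos += FIXED_SIZES[tag]
        else:
            raise ValueError(f"unknown constant tag {tag}")
        index += 2 if tag in (5, 6) else 1  # long/double occupy two slots
    return found

def stub_ratio(jar):
    """Fraction of classes in the jar whose constant pool contains "Stub!"."""
    with zipfile.ZipFile(jar) as zf:
        names = [n for n in zf.namelist() if n.endswith(".class")]
        stubbed = sum(b"Stub!" in utf8_constants(zf.read(n)) for n in names)
    return stubbed / len(names) if names else 0.0

def sample_jar(strings_per_class):
    """Constructed sample: class files truncated after the constant pool."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, strings in strings_per_class.items():
            pool = b"".join(b"\x01" + struct.pack(">H", len(s)) + s for s in strings)
            header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 50, len(strings) + 1)
            zf.writestr(name, header + pool)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    sdk_like = sample_jar({"a/A.class": [b"Stub!", b"A"], "a/B.class": [b"Stub!"]})
    print(f"stubbed classes: {stub_ratio(sdk_like):.0%}")
```

`stub_ratio` also accepts a file path. Interfaces and other classes without method bodies carry no marker, so a stubbed jar shows a high ratio rather than exactly 1.0.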
#### Compiling and Running
Compiling SCanDroid
ant clean; ant build; ant jar
java -jar sap.jar --help #for a list of options
java -Xmx6g -jar sap.jar --android-lib=path/android-2.3.7_r1.jar application.apk
#Example: Sets the Java VM maximum memory allocation pool to 6g, includes
#version 2.3.7_r1 of the android library in the scope of the analysis, and
#starts analyzing application.apk
- WALA provides static analysis capabilities for Java bytecode and related languages. The system is licensed under the Eclipse Public License.
- JUnit is a unit testing framework. You need JUnit only if you want to run the unit tests. JUnit is licensed under the terms of the IBM Common Public License.
- JGraphT is a free Java class library that provides mathematical graph-theory objects and algorithms. It runs on Java 2 Platform (requires JDK 1.6 or later). JGraphT is licensed under the terms of the GNU Lesser General Public License (LGPL).
- Apache Commons CLI provides an API for parsing command line options passed to programs. The Commons CLI library is licensed under the Apache Software License.
- dexlib is a library to read in and write out dex files. dexlib is licensed under the BSD License.
- Guava contains several of Google's core libraries. It is a dependency of dexlib and is licensed under the Apache License.