This tool is a first approximation to detecting app collusion potential. The tool uses androguard to extract facts about app communication and used permissions. Extracted facts and a set of prolog rules can be used later to detect the collusion potential between the apps in the analysed set. The tool is split in two components: the fact generator and the prolog program Both components can be run consecutively or separately.
Requires Python 2.7. This project relies on Androguard to execute most of the analysis tasks. Specifically, we use Androguard 2.0. That version has a minor bug in
function call inside the dvm.py
. This project links directly to a version with that bug so you don't need to change anything
Additionally, the tool uses the comman line SWI-Prolog implementation. In a mac, it can be installed using brew:
brew install swipl
To extract the facts from a set of Android apps that are stored in a folder:
python facts.py [-v] [-r rule_file] [-s] app_folder result_prefix
Where:
-v
: Makes the tool give information about the fact extraction process-r rule_file
: append therule_file
to the list of generated facts for its usage in swi-prolog. In our case, collusion rules are defined incollusion_rules.pl
-s
: Add rules to account external storage as a possible communication channel.app_folder
: Specifies the folder where the apps to be analysed are storedresult_prefix
: Is the prefix that will be added to all output files
This tool generates three output files:
result_prefix_uses.txt
: Prolog facts about permissions used by the appsresult_prefix_trans.txt
: Prolog facts about the communication channels used by the apps to send information to other appsresult_prefix_recv.txt
: Prolog facts about the communication channels used by the apps to receive information from other appsresult_prefix_intent_send_stats
: Stats about the actions detected by intents used to send information to other apps/componentsresult_prefix_intent_recv_stats
: Stats about the actions detected by intent filters used to receive information from other apps/componentsrule_file_program.pl
: A Prolog program that includes the facts generated after app analysis and the collusion rules specificed byrule_file.pl
The Prolog program can be executed using the following command
python prolog.py [-v] [-d] [-f intent_folder] [-l length] [-a package] prolog_file collusion kind
Where:
-v
: Puts the program in verbose mode to provide additional output-d
: Puts the program in debug mode to provide additional output-f intent_folder
: Removes all facts related to the intents actions included in theintent_folder
. Intent actions should can be organized inside different files inside the folder (one intent action per line).-l length
: Searches only for app sets of lengthlength
. Useful to reduce the search complexity.-a package
: Searches only for app sets that start with the app with pacakge namepackage
.prolog_file
: A file including app facts and the collusion rule set. It should be the output prolog file of thefacts.py
executioncollusion_kind
: The kind of collusion that we are looking for. The following values are possible: 'colluding_info', 'colluding_money1','colluding_money2','colluding_service','colluding_camera','colluding_accounts','colluding_sms'. Others can be defined by modifying thecollusion_rules.pl
file
This tool outputs a list of all collusion app sets found in the prolog_file
. It includes the apps in the set, and the channels used to communicate
To execute the fact extraction process and the prolog rules with one command you can:
python collusion_finder.py [-v] [-s] [-f intent_folder] app_folder rule_file
Where:
-v
: Puts the program in verbose mode to provide additional output-s
: Add rules to account external storage as a possible communication channel.-f intent_folder
: Removes all facts related to the intents actions included in theintent_folder
. Intent actions should can be organized inside different files inside the folder (one intent action per line).app_folder
: Specifies the folder where the apps to be analysed are storedrule_file
: The file with the collusion rules. In our case, collusion rules are defined incollusion_rules.pl
This tool outputs the found colluding app sents, including the communication channels used. All the auxiliary files required during execution, except the prolog program, are deleted after execution
To test the fact extraction process you can use py.test
pip install py.test
We have developed a set of colluding applications for Android to test this approach. The developed test can be found in an encrypted file inside the tests/apk folder. To request access to the file key to decrypt the TrueCrypt volume, you can write and email to Jorge dot Blasco dot 1 at city dot ac dot uk.
- At the moment, the following communication channels are detected: External Storage, Implicit Intents and SharedPreferences
- Variable tracking cannot go beyond the method scope. This means that some String values will not be gathered
- The aim of this tool is to perform a quick filter over an app set so more sophisticated analysis can be executed. Therefore, We do not try to track if a sensitive resource has been shared or not through the communication channel
- Increase the tests to cover all the apps in the apk test set
- Add more communication channels
- Improve the string and variable tracking for obtaining intent actions and other required variables
- Properly comment python code