ARTist - A Novel Instrumentation Framework for Reversing and Analyzing Android Apps and the Middleware

Presented at Black Hat USA 2018, Aug. 9, 2018, 9 a.m. (25 minutes).

The Android Runtime (ART), although it was introduced as early as Android 5, has not received much attention in the security community. Its on-device compiler dex2oat, which mostly deprecated the Dalvik VM, leaves a gap by rendering well-known tools such as TaintDroid and its descendants inapplicable. But it also provides new opportunities for security researchers.

On top of dex2oat, we created ARTist, the Android instrumentation and security toolkit, a novel instrumentation framework that allows for arbitrary code modification of installed apps, the system server and the Java framework code. Similar to existing approaches such as Frida and XPosed, ARTist can be used for app analysis and reversing (record traffic, modify files and databases), as well as modding and customization. However, it occupies a sweet spot in the design space of instrumentation tools: it does not break the app signature, so modified applications still receive updates without compromising on security; it can be deployed on rooted stock devices beginning from Android 6; and it allows for instrumentation on the instruction level.

We provide developers with a module SDK to get started with writing their own instrumentation routines right away. Since neither a complicated system of hooks nor another runtime is required, it is highly efficient and neatly integrates with the compiler's optimization framework. We created a range of interesting modules that showcase different use cases, from the large-scale instrumentation of every single method in the system server (25k methods) to simple, on-point injections in third-party apps and even full compartmentalization of advertisement libraries. Our tool is open sourced at https://github.com/Project-ARTist and https://artist.cispa.saarland. ARTist is still in its early stages, so we hope to collect a lot of feedback and create an active community.


Presenters:

  • Oliver Schranz - PhD Student, CISPA Helmholtz-Zentrum I.G.
    Oliver Schranz is a PhD student at the CISPA Helmholtz-Zentrum i.G. at Saarland University and a software engineer and pentester at Backes SRT GmbH (both in Germany). He has been passionate about security since his bachelor's studies and is now happily working in two security-focused jobs, simultaneously collecting experience in academia and industry. His research focuses on providing security and privacy-enhancing solutions for Android that do not rely on custom ROMs or system modifications but can be shipped as regular applications to make sure they actually reach the end user. This research has been presented at major academic security conferences (CCS, USENIX Security, EuroS&P). He is also a proud founding member of the saarsec CTF team of his home university, where they regularly rank high in some of the bigger CTFs (ruCTFe, ruCTF on-site, iCTF).
