Complete source code is available in this repository on Github: statedroid
Architecture of StateDroid Implementation
(1) Composition of Android app (APK)
An APK consists of multiple packages, where each package consists of multiple classes. Similarly, a class consists of multiple (callback and developer-defined) methods where each method can be represented by a control-flow graph (CFG). Each CFG consists of multiple basic blocks where each basic block consists of multiple instructions. Following figure denotes this structure where each of these components inherits from CFGComponent
(2) APK Decompilation
Three GRASP design patterns are used here. Controller, Expert, and Creator pattern. Controller takes input APK from the user and passes it to APKBuilder (expert here).
For five collections: APK, Package, ClassObj, CFG, BasicBlock.. we have five corresponding iterators, as shown below. Each iterator iterates over its children (items) and hides the underlying implemented data structure that stores those items.
(4) Instruction Handlers (Parsers)
Based on instruction type, we have specific handlers that handle or parse specific instructions and return the parsed results.
For example, for instruction 'invoke-virtual v0, Ljava/lang/Thread;->start()V', instruction type is 'invoke-virtual'.
We specify all handlers in a 'InstructionHandler.properties' file and use Java reflection to invoke specific handler for a specific instruction. For this example, entry in the properties file is 'invoke-virtual = InvokeHandler'.
(5) Analysis Flow For A Specific Instruction
Following figure shows how a specific instruction such as 'invoke-virtual v0, Ljava/lang/Thread;->start()V' is handled.
(a) Instruction is parsed through InvokeHandler class, as explained above.
(b) Using Java reflection and 'InstructionAnalyzer' properties file, TaintAnalyzer sends instruction to 'InvokeVirtualTaintAnalyzer' for its analysis
(c) InvokeVirtualTaintAnalyzer determines that this type of instruction has a dedicated handler, it delegates analysis to StartAnalyzer.
(d) StartAnalyzer (expert) invokes Thread.run() method in place of Thread.start() and gives control to MethodHandler.
(e) MethodHandler is a generic method handler that can handle all types of methods, as long as it receives a method name or related info. MethodHandler then handles the analysis
(6) Instruction-Syntax-Specific Taint Analyzers
Similar to instruction-syntax-specific handlers in (4), we have instruction-syntax-specific taint analyzers, as also explained in (5.b). All other relations in below figure are intentionally left for clarity.
(7) Delegation to API-Specific Taint Analyzers
As mentioned in (5.c), based on invoked method or API calls, invoke-type taint analyzers can delegate analysis to API-specific analyzers.
(8) Attack Reporter
After performing analysis, if an invoked API can potentially leak sensitive information or send SMS to hard-coded numbers, attack is reported, if it has not been reported earlier.