Inter Application Analysis

IccTA is dedicated to perform inter-component static taint analysis. Since the mechanism of inter-app communication (IAC) for Android is as same as the mechanism of inter-component communication (ICC). Thus, we perform a tool called ApkCombiner, which combines multiple Android apps to one to enable IccTA to perform inter-app analysis.

In order to perform IAC analysis, the users can following the next steps.

• 1. Running Epicc for each application that you wish to analyse. In this step, Epicc will also automatically build IAC links.
• 2. Running ApkCombiner to combine apps.
• 3. Running IccTA on the combined app of step 2) to detect IAC leaks. It is not recommended to run Epicc on the combined app instead of running each original app. Because currently ApkCombiner is really an naive approach which may cause conflicts.

Now, we show an example to illustrate how IccTA is going to detect IAC leak.

Test case: InterAppCommunication_sendBroadcast1 of DroidBench.

# step 1) Running Epicc on InterAppCommunication_sendbroadcast1_source.apk and InterAppCommunication_sendbroadcast1_sink.apk separately.
./runEpicc.sh $DroidBench/apk/InterAppCommunication_sendBroadcast1/InterAppCommunication_sendbroadcast1_source.apk
./runEpicc.sh $DroidBench/apk/InterAppCommunication_sendBroadcast1/InterAppCommunication_sendbroadcast1_sink.apk

# step 2) Running ApkCombiner
./runApkCombiner.sh $DroidBench/apk/InterAppCommunication_sendBroadcast1/InterAppCommunication_sendbroadcast1_source.apk $DroidBench/apk/InterAppCommunication_sendBroadcast1/InterAppCommunication_sendbroadcast1_sink.apk

# step 3) Running IccTA on the combined app
# The above command will generate a new app called lu.uni.serval.iac_sendbroadcast1_source-ac-lu.uni.serval.iac_sendbroadcast1_sink.apk.
java -jar IccTA.jar -apkPath lu.uni.serval.iac_sendbroadcast1_source-ac-lu.uni.serval.iac_sendbroadcast1_sink.apk -androidJars /Users/li.li/Project/github/android-platforms -iccProvider epicc -intentMatchLevel 3 -enableDB

Finally, IccTA will yield an IAC leak from getDeviceId() in OutFlowActivity to Log.i() in InFlowReceiver. The output detail is listed below:

on Path: 
<lu.uni.serval.iac_sendbroadcast1_source.OutFlowActivity: void onCreate(android.os.Bundle)>
  -> $r3 = virtualinvoke $r5.<android.telephony.TelephonyManager: java.lang.String getDeviceId()>()
<lu.uni.serval.iac_sendbroadcast1_source.OutFlowActivity: void onCreate(android.os.Bundle)>
  -> virtualinvoke $r2.<android.content.Intent: android.content.Intent putExtra(java.lang.String,java.lang.String)>("DroidBench", $r3)
<lu.uni.serval.iac_sendbroadcast1_source.OutFlowActivity: void onCreate(android.os.Bundle)>
  -> staticinvoke <IpcSC: void redirector0(android.content.Intent)>($r2)
<IpcSC: void redirector0(android.content.Intent)>
  -> specialinvoke $r1.<lu.uni.serval.iac_sendbroadcast1_sink.InFlowReceiver: void <init>(android.content.Intent)>($r0)
<lu.uni.serval.iac_sendbroadcast1_sink.InFlowReceiver: void <init>(android.content.Intent)>
  -> <lu.uni.serval.iac_sendbroadcast1_sink.InFlowReceiver: android.content.Intent intent_for_ipc> = $r1
<lu.uni.serval.iac_sendbroadcast1_sink.InFlowReceiver: void dummyMainMethod()>
  -> $r1 = <lu.uni.serval.iac_sendbroadcast1_sink.InFlowReceiver: android.content.Intent intent_for_ipc>
<lu.uni.serval.iac_sendbroadcast1_sink.InFlowReceiver: void dummyMainMethod()>
  -> virtualinvoke $r0.<lu.uni.serval.iac_sendbroadcast1_sink.InFlowReceiver: void onReceive(android.content.Context,android.content.Intent)>(null, $r1)
<lu.uni.serval.iac_sendbroadcast1_sink.InFlowReceiver: void onReceive(android.content.Context,android.content.Intent)>
  -> $r3 = virtualinvoke $r2.<android.content.Intent: java.lang.String getStringExtra(java.lang.String)>("DroidBench")
<lu.uni.serval.iac_sendbroadcast1_sink.InFlowReceiver: void onReceive(android.content.Context,android.content.Intent)>
  -> staticinvoke <android.util.Log: int i(java.lang.String,java.lang.String)>("DroidBench", $r3)