Abstract
Program instrumentation is a widely used mechanism in different software engineering areas. It can be used for creating profilers and debuggers, for detecting programming errors at runtime, or for securing programs through inline reference monitoring.
This paper presents a tutorial on instrumenting Android applications using Soot and the AspectBench compiler (abc). We show how two well-known monitoring languages, Tracematches and AspectJ, can be used for instrumenting Android applications. Furthermore, we also describe the more flexible approach of manual imperative instrumentation directly using Soot’s intermediate representation Jimple. In all three cases, no source code of the target application is required.
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Arzt, S., Rasthofer, S., Bodden, E. (2013). Instrumenting Android and Java Applications as Easy as abc. In: Legay, A., Bensalem, S. (eds) Runtime Verification. RV 2013. Lecture Notes in Computer Science, vol 8174. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40787-1_26
DOI: https://doi.org/10.1007/978-3-642-40787-1_26
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-40786-4
Online ISBN: 978-3-642-40787-1
eBook Packages: Computer Science, Computer Science (R0)