| Android is the clear leader in operating systems for smartphones and tablets. However, Android is at the same time also the platform most targeted by attackers. Although Android applies security policies such as restricting API use through permissions, these are still not fine-grained enough to protect users' information. Users are not aware of how the permissions granted to apps are actually used, what resources the apps access, when these resources are used, and where they flow to. Much research has been done on either static analysis or dynamic analysis. Most static analyses take the application's source code or binaries as input and try to detect malicious behavior through symbolic analysis or by examining the program's data flow and control flow. However, static analyses face difficult issues such as code obfuscation and polymorphism. In addition, the multiple entry points of Android apps also pose a challenge for static analyses. These problems can be solved by dynamic analysis. Using a sandbox is a good choice for dynamic analysis. With a sandbox, apps can be isolated from sensitive information and functions. Their behavior and their access to the user's data are restricted and controlled by the sandbox. It is therefore of great research value to implement a sound, flexible and extensible sandbox model. In this paper, we propose a sandbox programming model for developing dynamic analyses based on Java bytecode instrumentation. We extend DiSL, a mature Java Virtual Machine bytecode instrumentation framework, with a new Monitor annotation and propose the concept of an “API wrapper class” to support convenient development of sandbox API monitoring. Meanwhile, we bridge the gap between Java bytecode and Android Dalvik bytecode using tools like dex2jar and achieve full coverage on Android. Under this model, the user enjoys flexibility and extensibility without needing low-level bytecode knowledge. We evaluate our model in two parts. 
First, we validate the model with robustness and efficiency tests. Then we provide a basic sandbox analysis, with which we can restrict contacts access by group, block sending SMS to blacklisted addresses, and trace I/O usage. This case demonstrates the capabilities of the model and can serve as a guide for developing future analyses. |