In the latest commit, I added a feature to check where an Android permission of an application is used (in the bytecode). This feature is currently (I need to increase the DB) based only on the relation in the Android API reference and the annotation of the needed permission.
For example, to use the getDeviceId function, you must have the READ_PHONE_STATE permission. You can get this information by using the analysis module (which is currently not stable but usable ;)). In the tainted_packages field you can use the get_permissions function (its only parameter is a list of permissions, and it returns a hashtable of used permission/API):
[~/androguard]
|2>a = APK("./apks/DroidDream/Magic Hypnotic Spiral.apk")
[~/androguard]
|3>vm = DalvikVMFormat( a.get_dex() )
[~/androguard]
|4>vmx = VM_BCA( vm )
[~/androguard]
|6>show_PathP( vmx.tainted_packages.get_permissions( ["READ_PHONE_STATE"] )[ "READ_PHONE_STATE" ] )
Lcom/android/root/adbRoot; getIMEI (Landroid/content/Context;)Ljava/lang/String; (@getIMEI-BB@0x0-0x10)
---> Landroid/telephony/TelephonyManager; getDeviceId ()Ljava/lang/String;
Lcom/android/root/adbRoot; getIMEI (Landroid/content/Context;)Ljava/lang/String; (@getIMEI-BB@0x22-0x22)
---> Landroid/telephony/TelephonyManager; getDeviceId ()Ljava/lang/String;
Lcom/android/root/adbRoot; getIMSI (Landroid/content/Context;)Ljava/lang/String; (@getIMSI-BB@0x0-0x10)
---> Landroid/telephony/TelephonyManager; getSubscriberId ()Ljava/lang/String;
Lcom/android/root/adbRoot; getIMSI (Landroid/content/Context;)Ljava/lang/String; (@getIMSI-BB@0x22-0x22)
---> Landroid/telephony/TelephonyManager; getSubscriberId ()Ljava/lang/String;
So we can see that the getDeviceId and getSubscriberId functions are used in Lcom/android/root/adbRoot/getIMEI and Lcom/android/root/adbRoot/getIMSI, respectively.
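For triage it helps to turn that printed output into structured data. The following is an added example, not code from Androguard or from this post: it parses the show_PathP lines shown above and groups call sites by permission. The API_PERMISSIONS table and the names parse_paths and permission_usage are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumed excerpt of a permission database (API method -> permission);
# only the two mappings shown in the post are included.
API_PERMISSIONS = {
    ("Landroid/telephony/TelephonyManager;", "getDeviceId"): "READ_PHONE_STATE",
    ("Landroid/telephony/TelephonyManager;", "getSubscriberId"): "READ_PHONE_STATE",
}

# show_PathP output as printed in the session above.
SAMPLE_OUTPUT = """\
Lcom/android/root/adbRoot; getIMEI (Landroid/content/Context;)Ljava/lang/String; (@getIMEI-BB@0x0-0x10)
---> Landroid/telephony/TelephonyManager; getDeviceId ()Ljava/lang/String;
Lcom/android/root/adbRoot; getIMEI (Landroid/content/Context;)Ljava/lang/String; (@getIMEI-BB@0x22-0x22)
---> Landroid/telephony/TelephonyManager; getDeviceId ()Ljava/lang/String;
Lcom/android/root/adbRoot; getIMSI (Landroid/content/Context;)Ljava/lang/String; (@getIMSI-BB@0x0-0x10)
---> Landroid/telephony/TelephonyManager; getSubscriberId ()Ljava/lang/String;
Lcom/android/root/adbRoot; getIMSI (Landroid/content/Context;)Ljava/lang/String; (@getIMSI-BB@0x22-0x22)
---> Landroid/telephony/TelephonyManager; getSubscriberId ()Ljava/lang/String;
"""

SRC_RE = re.compile(r"^(L\S+;) (\S+) (\S+) \(@\S+-BB@(0x[0-9a-f]+)-(0x[0-9a-f]+)\)$")
DST_RE = re.compile(r"^---> (L\S+;) (\S+) (\S+)$")

def parse_paths(text):
    """Yield (caller_class, caller_method, bb_start, api_class, api_method)."""
    src = None
    for line in map(str.strip, text.splitlines()):
        m = SRC_RE.match(line)
        if m:
            src = (m.group(1), m.group(2), int(m.group(4), 16))
            continue
        m = DST_RE.match(line)
        if m and src:  # a "--->" line with no preceding caller line is ignored
            yield src + (m.group(1), m.group(2))
            src = None

def permission_usage(text, db=API_PERMISSIONS):
    """Map permission -> {(caller, api): sorted block offsets}; unknown APIs go under None."""
    usage = defaultdict(lambda: defaultdict(set))
    for cls, meth, bb, api_cls, api_meth in parse_paths(text):
        perm = db.get((api_cls, api_meth))
        usage[perm][(f"{cls}->{meth}", f"{api_cls}->{api_meth}")].add(bb)
    return {p: {k: sorted(v) for k, v in sites.items()} for p, sites in usage.items()}

if __name__ == "__main__":
    print(permission_usage(SAMPLE_OUTPUT))
```

Call sites whose API is missing from the table end up under the None key, which makes gaps in the permission database visible instead of silently dropping them.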
See ya !