Home
Jandroid started out as "Joern for Android": a tool for creating queryable code property graphs. But where Joern targets C/C++ applications, Jandroid targets Android apps. The goal was a tool to automatically identify logic bugs. This was primarily for pwn2own-style challenges where the ultimate aim is to gain code execution with little or no user interaction.
At present, Jandroid identifies possible logic bugs, as opposed to confirmed bugs. The identified bugs will need to be manually verified, but even this is preferable to manually grepping through smali code for hundreds of apps.
Notes
- A logic bug is a bug in code that causes unexpected behaviour rather than code crashes.
- In general, pwn2own allows an exploit to be started by clicking a single link within the mobile device's browser.
- See "Chainspotting" and "The Mate Escape" on the F-Secure Labs site for details on logic bug chains that won Mobile Pwn2Own two years in a row.
"Joern for Android" already exists in different forms: the tools FlowDroid and Amandroid allow for data flow analysis, while the Python-based Androguard enables call graph generation for APKs. However, the output of these tools is complex and likely difficult to wade through. For this reason, Jandroid uses Androguard to decompile APKs and create analysis objects, and then uses the Androguard APIs to filter this data down to what is really needed.
When developing Jandroid, there was a choice between hard-coding all known logic bugs or using a more extensible approach. The second option was favoured, and the concept of templates was introduced. A template is essentially a JSON file that specifies a pattern to look for within an APK. In general, a template corresponds to one (or part of one) logic bug. By testing a number of apps against multiple bug templates and linking the bugs together, we might be able to identify an exploit chain.
Use the following links to get more info:
- Installation and Execution
- [Configuration](2. Configuration) - Options for configuring a run of Jandroid (parallelisation, etc.).
- [Templates](3. Templates) - How to define templates.
- [Vis.js Graph](4. Navigating the Vis.js Graph for Android) - Using the vis.js graph for Android.