
I want to collect all the API calls made by an Android app that runs on a real device (with root permissions, obvs).

By API call I mean the methods invoked on objects like ConnectivityManager.

I thought that I could instrument all methods with the Xposed framework, but maybe a simpler way exists... a kind of "high-level strace".

Otherwise it's sufficient to monitor the stack trace...

What do you suggest?

Simone Aonzo
  • You mean something similar to what running a process through `strace` gives you on an ordinary Linux system with a reasonably complete terminal userspace? – user Feb 10 '17 at 22:42
  • It would be perfect... but I don't know how you can do it with the Android VM – Simone Aonzo Feb 11 '17 at 18:16
  • I would expect not (and I'm not really familiar with this kind of development to start with), but it might give people a frame of reference for what you are looking for. – user Feb 11 '17 at 19:42
  • If you are into programming, I suggest JPDA, and there MethodEntryRequest, to write a small debugger. – WSS Jan 30 '18 at 17:38

2 Answers

You can see Binder methods and other strace functionality with jtrace -- http://newandroidbook.com/tools/jtrace.html

However, I think you are looking to intercept API calls with the hooker -- https://github.com/AndroidHooker/hooker -- techniques. There are other hooking techniques such as with IntroSpy -- https://www.sensepost.com/blog/2016/android-hooking-with-introspy -- but they don't look as applicable to your situation.

You could run into situations where anti-hooking techniques are present -- http://d3adend.org/blog/?p=589, so I suggest having a way to replace that code and repackage the APK -- https://github.com/oguzhantopgul/AppManipulator

The book, Hacking Android, covers using both IntroSpy and the XposedFramework for hooking. I think you'll like the output log from the XposedBridgeAPI -- http://blog.attify.com/2015/01/04/xposed-framework-android-hooking/ -- and you can find its development documentation here -- https://github.com/rovo89/XposedBridge/wiki/Development-tutorial

Moreover, the book covers what is more common practice for Android app reversers and penetration testers, which is use of the Frida tools. In particular, I think the appmon -- http://dpnishant.github.io/appmon/ -- extension is the most relevant (supporting both root and non-root privileged access), but you also might take a look at the extended version of cycript from NowSecure -- https://www.nowsecure.com/blog/2016/09/02/cycript-on-steroids-pumping-up-portability-and-performance-with-frida/

atdre
  • hooker, introspy, frida, etc. aren't working. I had lots of expectations on Frida, but it is too buggy and too undocumented. So I think that I'll continue with Xposed. Thanks for the answer... – Simone Aonzo Feb 12 '17 at 10:02
  • @Simone Aonzo: Try this tutorial -- http://www.welivesecurity.com/2016/11/07/apk-analysis-using-appmon/ -- she made it look really easy to install – atdre Feb 12 '17 at 17:52
  • I tried it, but the monitored app crashes because of Frida... I used Frida with several devices and Android versions; imho it is unusable software – Simone Aonzo Feb 18 '17 at 13:40
  • https://github.com/bmax121/BudHook – atdre Apr 30 '18 at 18:17
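An added example of what the Xposed route from this answer looks like in practice (my own code, not from the answer, the book, or the Xposed project). It assumes the app under analysis has the package name com.example.target, hooks every public method of ConnectivityManager and TelephonyManager, and logs arguments, return value and the first app-side stack frame, so that calls originating in the app's own code can be told apart from framework-internal ones without a separate regex pass.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Arrays;
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

public class ApiCallLogger implements IXposedHookLoadPackage {
    // Assumed package name of the app under analysis (placeholder).
    private static final String TARGET_PKG = "com.example.target";
    // Framework classes whose public methods should be traced; extend as needed.
    private static final String[] API_CLASSES = { "android.net.ConnectivityManager", "android.telephony.TelephonyManager" };

    @Override
    public void handleLoadPackage(LoadPackageParam lpparam) throws Throwable {
        if (!TARGET_PKG.equals(lpparam.packageName)) return;   // only instrument the target process
        for (String className : API_CLASSES) {
            Class<?> clazz = XposedHelpers.findClass(className, lpparam.classLoader);
            for (Method m : clazz.getDeclaredMethods()) {
                int mod = m.getModifiers();
                if (!Modifier.isPublic(mod) || Modifier.isAbstract(mod)) continue;  // abstract methods cannot be hooked
                XposedBridge.hookMethod(m, LOGGER);
            }
        }
    }

    private static final XC_MethodHook LOGGER = new XC_MethodHook() {
        @Override
        protected void afterHookedMethod(MethodHookParam param) {
            String caller = findAppFrame();
            if (caller == null) return;   // call did not come from the app's own classes; skip the noise
            Method m = (Method) param.method;
            XposedBridge.log("API " + m.getDeclaringClass().getSimpleName() + "." + m.getName()
                    + Arrays.toString(param.args) + " -> " + param.getResult()
                    + "  from " + caller);
        }
    };

    // Walk the current thread's stack and return the first frame belonging to the target package.
    private static String findAppFrame() {
        for (StackTraceElement e : Thread.currentThread().getStackTrace()) {
            if (e.getClassName().startsWith(TARGET_PKG + ".")) {
                return e.getClassName() + "." + e.getMethodName() + ":" + e.getLineNumber();
            }
        }
        return null;
    }
}
```

Register the class in assets/xposed_init and add the xposedmodule meta-data to the manifest as the Xposed development tutorial linked above describes; the lines then appear in the Xposed log and in logcat.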
The best way to achieve global Java call collection is to instrument the ART/DVM of the Android OS. Here you can find a minimal patching procedure to apply to the AOSP (5.0 Lollipop, working on 6.0 Marshmallow as well) to collect all Java calls of a targeted application: https://stackoverflow.com/questions/33478647/android-app-java-jni-call-hooking-strategies

You could then differentiate API calls from application calls with some regex.