ARTist - A Novel Instrumentation Framework for Reversing and Analyzing Android Apps and the Middleware

The Android Runtime (ART), although it has been the default runtime since Android 5, has not received much attention in the security community. Its on-device ahead-of-time compiler, dex2oat, largely retired the Dalvik VM and with it Dalvik-based tools such as TaintDroid and its descendants, which no longer apply. At the same time, the compiler provides new opportunities for security researchers.

On top of dex2oat we created ARTist, the Android Instrumentation and Security Toolkit, a novel instrumentation framework that allows arbitrary code modification of installed apps, the system server and the Java framework code. Like existing approaches such as Frida and Xposed, ARTist can be used for app analysis and reversing (recording traffic, modifying files and databases) as well as for modding and customization. However, it occupies a sweet spot in the design space of instrumentation tools: because the modifications are applied by the compiler rather than to the APK, the app signature stays intact and instrumented apps still receive updates without compromising on security; it can be deployed on rooted stock devices from Android 6 on; and it allows instrumentation at the instruction level.

We provide developers with a module SDK to get started writing their own instrumentation routines right away. Since neither a complicated system of hooks nor a second runtime is required, ARTist is highly efficient and integrates neatly with the compiler's optimization framework. We created a range of modules that showcase different use cases, from the large-scale instrumentation of every single method in the system server (25k methods) to simple, targeted injections in third-party apps and even full compartmentalization of advertisement libraries. Our tool is open source at https://github.com/Project-ARTist and https://artist.cispa.saarland. ARTist is still in its early stages, so we hope to collect a lot of feedback and build an active community.
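To make the idea of instruction-level instrumentation inside a compiler pass concrete, here is an added toy model, not ARTist's SDK or ART's compiler API: a tiny straight-line IR, a pass that inserts a call to a tracer before every invoke instruction, and an interpreter that executes the result. The method names, the tracer name `Ltrace/Hook;->onInvoke`, the scratch register `v_t` and the sample method are all constructed for this illustration. The pass also shows the guard a practitioner needs when instrumenting every method of a large target such as the system server: the tracer's own body and calls into the tracer are skipped, otherwise the injected call would be instrumented in turn and recurse.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class Instr:
    op: str                      # "const", "invoke" or "return"
    dst: str = ""                # destination register ("" if none)
    args: Tuple[str, ...] = ()   # source registers
    target: str = ""             # callee for "invoke", literal for "const"

@dataclass
class Method:
    name: str
    code: List[Instr]

# Hypothetical tracer method that receives (callee name, *arguments).
TRACER = "Ltrace/Hook;->onInvoke"

def instrument_invokes(method: Method, tracer: str = TRACER) -> Method:
    """Compiler-pass style instrumentation: return a copy of `method` with a
    call to `tracer` inserted before each invoke. The tracer's own body and
    calls to the tracer are left alone so that instrumenting an entire code
    base cannot make the tracer call itself. `v_t` is a scratch register
    assumed not to be used by the instrumented code."""
    if method.name == tracer:
        return Method(method.name, list(method.code))
    out: List[Instr] = []
    for ins in method.code:
        if ins.op == "invoke" and ins.target != tracer:
            out.append(Instr("const", "v_t", (), ins.target))
            out.append(Instr("invoke", "", ("v_t",) + ins.args, tracer))
        out.append(ins)
    return Method(method.name, out)

def run(method: Method, natives: Dict[str, Callable[..., object]],
        argv: Tuple[object, ...] = ()) -> object:
    """Execute a method; invoke targets resolve to Python callables."""
    regs: Dict[str, object] = {f"v{i}": a for i, a in enumerate(argv)}
    for ins in method.code:
        if ins.op == "const":
            regs[ins.dst] = ins.target
        elif ins.op == "invoke":
            result = natives[ins.target](*(regs[r] for r in ins.args))
            if ins.dst:
                regs[ins.dst] = result
        elif ins.op == "return":
            return regs[ins.args[0]] if ins.args else None
        else:
            raise ValueError(f"unknown op {ins.op}")
    return None

def sample_method() -> Method:
    """Constructed sample: derive a file name and hand it to a network sink."""
    return Method("Lcom/example/App;->leak", [
        Instr("const", "v0", (), "/sdcard/contacts.db"),
        Instr("invoke", "v1", ("v0",), "Ljava/io/File;->getName"),
        Instr("invoke", "", ("v1",), "Lcom/example/Net;->send"),
        Instr("return", "", ("v1",)),
    ])

def trace_run(method: Method) -> Tuple[object, List[Tuple[str, tuple]]]:
    """Instrument `method`, run it, and return (result, recorded call trace)."""
    log: List[Tuple[str, tuple]] = []
    natives: Dict[str, Callable[..., object]] = {
        "Ljava/io/File;->getName": lambda p: p.rsplit("/", 1)[-1],
        "Lcom/example/Net;->send": lambda s: None,
        TRACER: lambda callee, *args: log.append((callee, args)),
    }
    result = run(instrument_invokes(method), natives)
    return result, log

if __name__ == "__main__":
    result, log = trace_run(sample_method())
    for callee, args in log:
        print(f"invoke {callee} {args}")
    print("result:", result)
```

Run stand-alone it prints the two instrumented call sites with the arguments observed at each, which is the information a module that records traffic or file access would log. The pass operates on a copy of the method body, mirroring the property that the instrumented output is separate from the unmodified, still-signed input.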

Presented by