For many types of applications, in order to accurately understand what is going on within them, access to source code is typically required. When it comes to Android Apps, a new effort from startup Bluebox Security is set to make access and visibility into mobile code easier than ever before.
Bluebox is a mobile security startup backed by Andreeson Horowitz and Sun Microsystems co-founder Andy Bechtolsheim. The company’s Chief Scientist is well known application security expert Jeff Forristal, better known in the security community as Rain Forest Puppy. He is credited with the discovery of the SQL injection as an application attack.
Forristal’s company is now offering a free online service called, ‘Dexter’ that enables anyone to upload an Android app and then perform static analysis on it.
“We had a strong desire to implement very robust back-end analysis methods that will not fail in the presence of an app that may be trying to defeat an automated analysis,” Forristal told Datamation.
Dexter is also a multi-user online tool that enables groups of mobile analysts to collaborate for app research.
In terms of technology, Bluebox built much of the code for Dexter on their own, though Forristal noted that there are some open source components.
“We’ve done a lot of work to make sure we have a robust static and dynamic analysis engine,” Forristal said. “Think of it as a superset of what is available in the industry plus additional augmentation that we provide.”
Android applications leverage Java, which is a major help for security research. From a code perspective, the actual Java bytecode of an Android application can be decompiled to perform static analysis.
“One of the key attributes of Java, for better or for worse, is that there is a one-to-one relationship between the original source code and the actual bytecode, “Forristal said. “Java also embeds a lot of debugging and symbol information that really allows for the recovery of the source code or at least something that closely approximates the source code.”
Forristal noted that the Dexter backend also provides an Android .apk file browser that provides multiple views into what the code that makes up the app is all about. Dexter provides: Java class listing, inheritance relationships and package graph visualizations. Going deeper, the system can pull up individual areas of a package and analysts can get down into method bytecode visualizations.
“There is a relational query language and a text search feature that we have to allow you to cross navigate between methods and classes,” Forristal said. “From there, there is the ability for tagging and commenting on any code that you see.”
Dexter has automatic semantic annotation for different program elements, including application entry points. Code that deals with security cryptography, network access and Android privileges is also automatically identified.
“So if you have a particular interest and, for example, want to understand how an app is accessing the network, you can quickly find the areas of the app from there and analyze it,” Forristal said.
While Dexter is a robust tool for Android app analysis, it is not about providing a layperson with a simplified assessment of a given app’s security.
“Dexter is a foundational tool for an analyst skilled in Android applications to determine if there are problems,” Forristal said. “We are positioning Dexter as enhancing and augmenting the analyst effort more efficient, but it is not an anti-virus or security audit tool that specifically concludes that an app is malware.”