arguslab / Argus-SAF

Argus static analysis framework
Apache License 2.0
181 stars 49 forks

Summary based data flow analysis... #56

Open Sebastiaan-Alvarez-Rodriguez opened 5 years ago

Sebastiaan-Alvarez-Rodriguez commented 5 years ago

Hello!

A little background

I am writing a framework to launch Android static security implementations. I want to include Argus-SAF.

Issue

I have a (small) test apk, to see if my framework is handling everything correctly. The test apk is malware, confirmed by multiple other implementations in my framework. While testing this app on Argus-SAF, the following appeared on my terminal:

Starting analysis of adsvr.soporteweb.es.apk
Total apks: 1
Analyzing #1:file:/home/s1810979/testset/androzoo/apk/adsvr.soporteweb.es.apk
Dedexing... Total: 15
[==================================================] 100.00% 1s580ms ETA: 0ms  
Collecting information from adsvr.soporteweb.es.apk...
Read AndroidManifest.
Read ARSC.
Read Layout files.
Start reachabilityAnalysis...
Building Signature Based Call Graph... Total: 30
[==================================================] 100.00% 1s346ms Left: 0 
CHA done with method size 41.
ReachabilityAnalysis done.
Analyzing callbacks...
Collecting callback methods in layout mappings...
Collecting callback methods in app source...
Collecting XML based callback methods...
Callback collection done.
Generate environment for 1 components.
Info collection done.
Processing 1/1: Ladsvr/soporteweb/es/MainActivity;.envMain:(Landroid/content/Intent;)V
Building Signature Based Call Graph... Total: 1
[==================================================] 100.00% 405ms Left: 0
CHA done with method size 62.
Summary based data flow analysis... Total: 229
[==================================================] 100.00% 2m43s618ms Left: 0

Everything went pretty fast (as you can see from the time output), but now nothing has happened for at least 20 minutes. "Summary based data flow analysis..." remains at 100% (of course), and Left remains at 0.

Question

It does seem Argus-SAF is doing nothing at the moment. Is this correct? If so, why is Argus-SAF busy doing nothing, and how can it be fixed? If not, perhaps it would be wise to print something to let users of your tool know stuff might take a while, or maybe even produce another percentage bar!

Some more info

My framework has also implemented Amandroid, which is a predecessor/part of this tool. Amandroid analyzed my apk in 101.57743263244629 seconds. Since Argus-SAF probably uses the (maybe modified) Amandroid codebase, how can Argus-SAF take more than 1200 seconds (i.e. twelve times as long)?

I use this Argus-SAF (the CLI tool), with the taint analysis and data leakage options.

Edit

Wow, it is still busy. It has been busy for over 3 hours now, on something which should take maybe a few minutes. What's going on?
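The report above describes an analyzer that reaches 100% on its progress bar and then produces no further output for hours. A framework that launches several static analyzers (as the reporter is building) needs a guard for exactly that failure mode, independently of any one tool: kill the child when it has been silent for too long, and separately when it exceeds a total wall-clock budget. The following is an added example, not code from this thread or from Argus-SAF; the command line, the timeouts and the `self_check` commands are constructed for illustration, and it is a generic subprocess wrapper rather than anything Argus-SAF itself provides.

```python
import os
import subprocess
import sys
import threading
import time
from dataclasses import dataclass
from queue import Empty, Queue
from typing import List, Optional


@dataclass
class RunResult:
    status: str              # "finished", "stalled" or "timeout"
    returncode: Optional[int]  # only meaningful when status == "finished"
    seconds: float           # wall-clock time the child was allowed to run
    output: str              # everything the child wrote to stdout/stderr


def run_with_stall_detection(cmd: List[str], stall_seconds: float,
                             total_seconds: float) -> RunResult:
    """Run cmd; kill it if it prints nothing for stall_seconds or runs past total_seconds.

    Output is read in raw chunks, so progress bars that redraw with '\\r'
    (no newline) still count as activity. A tool that sits at 100% and
    never writes again, as in the report above, trips the stall timer.
    """
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    chunks: "Queue[Optional[bytes]]" = Queue()

    def pump() -> None:
        fd = proc.stdout.fileno()
        while True:
            data = os.read(fd, 4096)   # blocks until the child writes or closes the pipe
            if not data:
                chunks.put(None)       # EOF sentinel
                return
            chunks.put(data)

    threading.Thread(target=pump, daemon=True).start()

    start = last_activity = time.monotonic()
    collected: List[bytes] = []
    status = "finished"
    while True:
        now = time.monotonic()
        remaining_total = total_seconds - (now - start)
        remaining_stall = stall_seconds - (now - last_activity)
        if remaining_total <= 0:
            status = "timeout"
            break
        if remaining_stall <= 0:
            status = "stalled"
            break
        try:
            data = chunks.get(timeout=min(remaining_total, remaining_stall))
        except Empty:
            continue                    # loop re-evaluates both deadlines
        if data is None:
            break                       # child closed its output; let it exit normally
        collected.append(data)
        last_activity = time.monotonic()

    if status != "finished":
        proc.kill()                     # SIGKILL: a hung analyzer rarely honours SIGTERM
    proc.wait()
    return RunResult(
        status=status,
        returncode=proc.returncode if status == "finished" else None,
        seconds=time.monotonic() - start,
        output=b"".join(collected).decode(errors="replace"),
    )


def self_check() -> List[str]:
    """Exercise all three outcomes with constructed child processes (no real analyzer)."""
    py = sys.executable
    quick = [py, "-c", "print('done', flush=True)"]
    silent = [py, "-c", "import time; print('100%', flush=True); time.sleep(30)"]
    chatty = [py, "-c", "import time\nfor i in range(30):\n    print(i, flush=True); time.sleep(0.2)"]
    return [
        run_with_stall_detection(quick, stall_seconds=2, total_seconds=10).status,
        run_with_stall_detection(silent, stall_seconds=1, total_seconds=20).status,
        run_with_stall_detection(chatty, stall_seconds=2, total_seconds=1).status,
    ]


if __name__ == "__main__":
    # Hypothetical invocation; the command line is a placeholder, not Argus-SAF's real CLI.
    result = run_with_stall_detection(["analyzer-placeholder", "sample.apk"],
                                      stall_seconds=600, total_seconds=3600)
    print(result.status, result.seconds)
```

The stall timer is the interesting knob: a long-running but healthy analysis keeps writing progress, so a silence budget of a few minutes separates "slow" from "hung" without capping the total runtime too aggressively. Recording the captured output next to the status also gives you the last thing the tool printed, which is what you would attach to a bug report like this one.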

Sebastiaan-Alvarez-Rodriguez commented 5 years ago

Maybe this is bug #29, still unfixed after 2 years.

fgwei commented 5 years ago

Could you provide me that APK to test?

Sebastiaan-Alvarez-Rodriguez commented 5 years ago

I cannot give you the APK, as this one belongs to the AndroZoo malware dataset (which you might have access to as well, considering the framework you are/were building). Here are the details:

sha256: 20BD4735D2E3F1FBDFAE196FECB00A80E7258C7A84785ED92FEC2C019B0AF76F
sha1: C0F7A50701E06D94BCF2309221E2AD2A4B938147
md5: F77D96EA77AD481630A3C3C2717BF83D
dex_date: 2018-06-06 23:37:14
apk_size: 182484
pkg_name: "adsvr.soporteweb.es"
vercode: 2
vt_detection: 15
vt_scan_date: 2018-11-19 06:38:00
dex_size: 21704
markets: play.google.com

With this info you can uniquely identify which exact apk I used for this test. Maybe you can fix your bug with it.

Good luck!
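The comment above identifies the sample by its sha256, sha1, md5 and size rather than by sharing the file, which is the usual way to pin down a malware sample from a shared dataset. Anyone who obtains a file by package name should confirm it is the same bytes before reproducing the issue, since a package name and version code can be shared by repackaged variants. The following is an added example, not part of the thread or of Argus-SAF: it parses a `key: value` record like the one posted, computes the digests of a local file and reports every field that disagrees. The record text is copied from the comment; the file it is checked against in `self_check` is a constructed three-byte file, not the real APK.

```python
import hashlib
import os
import tempfile
from typing import Dict, List

# Record text as posted in the thread (values taken from the comment above).
ISSUE_RECORD = """\
sha256: 20BD4735D2E3F1FBDFAE196FECB00A80E7258C7A84785ED92FEC2C019B0AF76F
sha1: C0F7A50701E06D94BCF2309221E2AD2A4B938147
md5: F77D96EA77AD481630A3C3C2717BF83D
apk_size: 182484
pkg_name: "adsvr.soporteweb.es"
vercode: 2
"""


def parse_record(text: str) -> Dict[str, str]:
    """Turn 'key: value' lines into a dict; quoted values lose their quotes."""
    record: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        record[key.strip()] = value.strip().strip('"')
    return record


def file_digests(path: str) -> Dict[str, str]:
    """sha256/sha1/md5 (upper-case hex, matching the record's style) and size of a file."""
    hashes = {"sha256": hashlib.sha256(), "sha1": hashlib.sha1(), "md5": hashlib.md5()}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 16), b""):   # stream; APKs can be large
            for h in hashes.values():
                h.update(block)
    result = {name: h.hexdigest().upper() for name, h in hashes.items()}
    result["apk_size"] = str(os.path.getsize(path))
    return result


def verify_sample(path: str, record: Dict[str, str]) -> List[str]:
    """Return the record fields that do not match the file; empty list means identical bytes.

    Only fields present in the record are checked, so a record with just a
    sha256 still works. Digests are compared case-insensitively.
    """
    actual = file_digests(path)
    mismatches = []
    for field in ("sha256", "sha1", "md5", "apk_size"):
        if field in record and record[field].upper() != actual[field]:
            mismatches.append(field)
    return mismatches


def self_check() -> Dict[str, List[str]]:
    """Check a constructed file (contents b'abc') against a matching and a wrong record."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "constructed.apk")
        with open(path, "wb") as fh:
            fh.write(b"abc")
        matching = parse_record(
            "sha256: BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD\n"
            "sha1: A9993E364706816ABA3E25717850C26C9CD0D89D\n"
            "md5: 900150983CD24FB0D6963F7D28E17F72\n"
            "apk_size: 3\n"
        )
        return {
            "matching": verify_sample(path, matching),
            "issue_record": verify_sample(path, parse_record(ISSUE_RECORD)),
        }


if __name__ == "__main__":
    # Hypothetical path; substitute the file obtained from the dataset.
    print(verify_sample("adsvr.soporteweb.es.apk", parse_record(ISSUE_RECORD)))
```

Note that the digests and `apk_size` are over the whole APK file; `dex_size` in the original record refers to the classes.dex inside it and is deliberately not compared here.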