DaVinci: Android app analysis beyond Frida via dynamic system call instrumentation


Abstract

Today there are billions of mobile Android devices and the corresponding app stores contain millions of different apps. Due to their access to personal data and their commonly closed-source nature, program analysis remains the only instrument to analyze app behavior and protect user data. At the same time, many measures for hardening apps have been developed to make analysis more difficult and to hide the inner workings of applications, making dynamic analysis a time-consuming task. We propose DaVinci, an Android kernel module for system call hooking, which allows a fully transparent and scalable dynamic analysis. DaVinci comes with preconfigured high-level profiles to easily analyze the low-level system calls. DaVinci works even on hardened apps without manual adjustments where common tools like Frida fail or require exhausting reverse engineering. We evaluate our approach against state-of-the-art hardening measures in a custom app as well as several hardened real-world examples and find that we successfully overcome all protection measures even when other tools fail. Our framework will be open-sourced and made available to the research and security communities.

Cite

Druffel, A., & Heid, K. (2020). DaVinci: Android app analysis beyond frida via dynamic system call instrumentation. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 12418 LNCS, pp. 473–489). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-030-61638-0_26
