MULTI-LAYER PROFILING OF ANDROID APPLICATIONS · MULTI-LAYER PROFILING OF ANDROID APPLICATIONS . WE...
Transcript of MULTI-LAYER PROFILING OF ANDROID APPLICATIONS · MULTI-LAYER PROFILING OF ANDROID APPLICATIONS . WE...
![Page 1: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS · MULTI-LAYER PROFILING OF ANDROID APPLICATIONS . WE DEPEND ON SMARTPHONES MORE AND MORE ... Android Debugging Bridge Profiling. Desktop/laptop](https://reader036.fdocuments.net/reader036/viewer/2022070715/5ed8d4b36714ca7f4768a5c4/html5/thumbnails/1.jpg)
XUETAO WEI LORENZO GOMEZ PROFESSOR IULIAN NEAMTIU PROFESSOR MICHALIS FALOUTSOS
UNIVERSITY OF CALIFORNIA, RIVERSIDE
PROFILEDROID: MULTI-LAYER PROFILING
OF ANDROID APPLICATIONS
![Page 2: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS · MULTI-LAYER PROFILING OF ANDROID APPLICATIONS . WE DEPEND ON SMARTPHONES MORE AND MORE ... Android Debugging Bridge Profiling. Desktop/laptop](https://reader036.fdocuments.net/reader036/viewer/2022070715/5ed8d4b36714ca7f4768a5c4/html5/thumbnails/2.jpg)
WE DEPEND ON SMARTPHONES MORE AND MORE
US Army CSDA initiative (Connecting Soldiers to Digital Applications) to replace handheld radio + BLUE FORCE tracker + portable GPS + video feed ROVER
source:defenseindustrydaily.com
“FDA approves Mobisante’s smartphone ultrasound app” [Feb 2011] source:mobilehealthnews.com
![Page 3: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS · MULTI-LAYER PROFILING OF ANDROID APPLICATIONS . WE DEPEND ON SMARTPHONES MORE AND MORE ... Android Debugging Bridge Profiling. Desktop/laptop](https://reader036.fdocuments.net/reader036/viewer/2022070715/5ed8d4b36714ca7f4768a5c4/html5/thumbnails/3.jpg)
ANDROID IS A POPULAR SMARTPHONE PLATFORM
Operating system share of smartphone sales (US)
850,000 Android phones activated every day [Google letter to investors, April 2012]
![Page 4: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS · MULTI-LAYER PROFILING OF ANDROID APPLICATIONS . WE DEPEND ON SMARTPHONES MORE AND MORE ... Android Debugging Bridge Profiling. Desktop/laptop](https://reader036.fdocuments.net/reader036/viewer/2022070715/5ed8d4b36714ca7f4768a5c4/html5/thumbnails/4.jpg)
BUT WE DON’T UNDERSTAND APP BEHAVIOR
source:washingtonpost.com
![Page 5: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS · MULTI-LAYER PROFILING OF ANDROID APPLICATIONS . WE DEPEND ON SMARTPHONES MORE AND MORE ... Android Debugging Bridge Profiling. Desktop/laptop](https://reader036.fdocuments.net/reader036/viewer/2022070715/5ed8d4b36714ca7f4768a5c4/html5/thumbnails/5.jpg)
Will this app leak my photos?
Will this app drain my battery?
Will this app tell my friends that I’m a
moron?
THE ANDROID APP MARKET IS A JUNGLE
Which radio is best for me?
![Page 6: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS · MULTI-LAYER PROFILING OF ANDROID APPLICATIONS . WE DEPEND ON SMARTPHONES MORE AND MORE ... Android Debugging Bridge Profiling. Desktop/laptop](https://reader036.fdocuments.net/reader036/viewer/2022070715/5ed8d4b36714ca7f4768a5c4/html5/thumbnails/6.jpg)
FIRST STEP TO MAINTAINING THE JUNGLE
Provide a low-cost method to profile the behavior of an app Given a few short executions:
• What did the app do? • How does the app use resources? • What entities does it communicate with?
• What was the app supposed to do? • Where there conflicts? Why?
![Page 7: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS · MULTI-LAYER PROFILING OF ANDROID APPLICATIONS . WE DEPEND ON SMARTPHONES MORE AND MORE ... Android Debugging Bridge Profiling. Desktop/laptop](https://reader036.fdocuments.net/reader036/viewer/2022070715/5ed8d4b36714ca7f4768a5c4/html5/thumbnails/7.jpg)
BENEFICIAL TO Application developers
• Assess performance and security implications • Make better use of resources
End users
• Enhance user control and improve experience • Push developers to make better use of resources
![Page 8: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS · MULTI-LAYER PROFILING OF ANDROID APPLICATIONS . WE DEPEND ON SMARTPHONES MORE AND MORE ... Android Debugging Bridge Profiling. Desktop/laptop](https://reader036.fdocuments.net/reader036/viewer/2022070715/5ed8d4b36714ca7f4768a5c4/html5/thumbnails/8.jpg)
ANDROID APPS Written in Java, compiled into Dalvik VM bytecode Packaged as name.apk
• Signed with developer’s private key • Essentially a .zip file containing:
• .dex bytecode file (similar to .class) • “Manifest” file (XML): permissions
Permission model • Permissions last FOREVER! • Shown before install • All or nothing
Permissions alone aren’t enough to describe app behavior
![Page 9: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS · MULTI-LAYER PROFILING OF ANDROID APPLICATIONS . WE DEPEND ON SMARTPHONES MORE AND MORE ... Android Debugging Bridge Profiling. Desktop/laptop](https://reader036.fdocuments.net/reader036/viewer/2022070715/5ed8d4b36714ca7f4768a5c4/html5/thumbnails/9.jpg)
DYNAMIC ANALYSIS WITH PROFILEDROID
Android Device
Mon
itorin
g
Android Debugging Bridge
Prof
iling
Desktop/laptop
• Goal Multi-level profiling based on static and
dynamic application analysis
![Page 10: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS · MULTI-LAYER PROFILING OF ANDROID APPLICATIONS . WE DEPEND ON SMARTPHONES MORE AND MORE ... Android Debugging Bridge Profiling. Desktop/laptop](https://reader036.fdocuments.net/reader036/viewer/2022070715/5ed8d4b36714ca7f4768a5c4/html5/thumbnails/10.jpg)
MONITORING AND ANALYSIS WITH PROFILEDROID
![Page 11: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS · MULTI-LAYER PROFILING OF ANDROID APPLICATIONS . WE DEPEND ON SMARTPHONES MORE AND MORE ... Android Debugging Bridge Profiling. Desktop/laptop](https://reader036.fdocuments.net/reader036/viewer/2022070715/5ed8d4b36714ca7f4768a5c4/html5/thumbnails/11.jpg)
PROFILING FRAMEWORK: MONITORING
Capture 3 user traces, 5 minutes per app
Trace File
Trace File
Trace File
![Page 12: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS · MULTI-LAYER PROFILING OF ANDROID APPLICATIONS . WE DEPEND ON SMARTPHONES MORE AND MORE ... Android Debugging Bridge Profiling. Desktop/laptop](https://reader036.fdocuments.net/reader036/viewer/2022070715/5ed8d4b36714ca7f4768a5c4/html5/thumbnails/12.jpg)
Playback original trace and collect logs
Logs
Trace File Playback
PROFILING FRAMEWORK: MONITORING
![Page 13: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS · MULTI-LAYER PROFILING OF ANDROID APPLICATIONS . WE DEPEND ON SMARTPHONES MORE AND MORE ... Android Debugging Bridge Profiling. Desktop/laptop](https://reader036.fdocuments.net/reader036/viewer/2022070715/5ed8d4b36714ca7f4768a5c4/html5/thumbnails/13.jpg)
A QUICK REPLAY DEMO
![Page 14: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS · MULTI-LAYER PROFILING OF ANDROID APPLICATIONS . WE DEPEND ON SMARTPHONES MORE AND MORE ... Android Debugging Bridge Profiling. Desktop/laptop](https://reader036.fdocuments.net/reader036/viewer/2022070715/5ed8d4b36714ca7f4768a5c4/html5/thumbnails/14.jpg)
PROFILING FRAMEWORK: MONITORING
Repeat playback 10 times per user
Logs Trace File
Logs
Total of 30 runs of each app to build profile (5 in morning and 5 at night, per app)
![Page 15: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS · MULTI-LAYER PROFILING OF ANDROID APPLICATIONS . WE DEPEND ON SMARTPHONES MORE AND MORE ... Android Debugging Bridge Profiling. Desktop/laptop](https://reader036.fdocuments.net/reader036/viewer/2022070715/5ed8d4b36714ca7f4768a5c4/html5/thumbnails/15.jpg)
PROFILING FRAMEWORK: MULTI-LAYER ANALYSIS
Android software stack
Linux Kernel
Libraries, Android Runtime
Application Framework
Application Static
User
OS
Network
Logs
What metrics can be used to capture app behavior?
![Page 16: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS · MULTI-LAYER PROFILING OF ANDROID APPLICATIONS . WE DEPEND ON SMARTPHONES MORE AND MORE ... Android Debugging Bridge Profiling. Desktop/laptop](https://reader036.fdocuments.net/reader036/viewer/2022070715/5ed8d4b36714ca7f4768a5c4/html5/thumbnails/16.jpg)
SELECTED APPS Category App Social Facebook Games Angry Birds, Angry Birds$$ Music & Audio Pandora, Shazam, Shazam$$ Media & Video Youtube Shopping Amazon Travel Gasbuddy Health & Fitness Instant Heart Rate, Instant Heart
Rate$$ Communication Dolphin browser Sports ESPN Reference Dictionary.com, Dictionary.com$$
total 27 apps: 19 free , 8 paid
Wide range of apps, spanning many categories Popular apps with >1,000,000 installs
![Page 17: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS · MULTI-LAYER PROFILING OF ANDROID APPLICATIONS . WE DEPEND ON SMARTPHONES MORE AND MORE ... Android Debugging Bridge Profiling. Desktop/laptop](https://reader036.fdocuments.net/reader036/viewer/2022070715/5ed8d4b36714ca7f4768a5c4/html5/thumbnails/17.jpg)
STATIC LAYER Source: manifest & bytecode decompilation
• Permissions (shown at install) • Internet • Location (GPS or network) • Phone • …
• Intents (not shown at install) • Resource use
without permission via deputy apps Linux Kernel
Libraries, Android Runtime
Application Framework
Application Static
User
OS
Network
![Page 18: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS · MULTI-LAYER PROFILING OF ANDROID APPLICATIONS . WE DEPEND ON SMARTPHONES MORE AND MORE ... Android Debugging Bridge Profiling. Desktop/laptop](https://reader036.fdocuments.net/reader036/viewer/2022070715/5ed8d4b36714ca7f4768a5c4/html5/thumbnails/18.jpg)
STATIC LAYER ANALYSIS RESULTS
App Internet GPS Camera Mic Bluetooth Telephony Facebook p p i* p Dictionary.com p i i Instant Heart Rate p p i i Shazam p p p Total (out of 27) 27 9 6 4 3 5
p = use via permissions i = use via intents (deputy apps)
*for version originally tested March 2012
![Page 19: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS · MULTI-LAYER PROFILING OF ANDROID APPLICATIONS . WE DEPEND ON SMARTPHONES MORE AND MORE ... Android Debugging Bridge Profiling. Desktop/laptop](https://reader036.fdocuments.net/reader036/viewer/2022070715/5ed8d4b36714ca7f4768a5c4/html5/thumbnails/19.jpg)
USER LAYER Source: logcat, /dev/input/event
• Input devices and events • Touchscreen • Physical Buttons • Accelerometer • Compass • Light proximity sensor
… Linux Kernel
Libraries, Android Runtime
Application Framework
Application Static
User
OS
Network
![Page 20: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS · MULTI-LAYER PROFILING OF ANDROID APPLICATIONS . WE DEPEND ON SMARTPHONES MORE AND MORE ... Android Debugging Bridge Profiling. Desktop/laptop](https://reader036.fdocuments.net/reader036/viewer/2022070715/5ed8d4b36714ca7f4768a5c4/html5/thumbnails/20.jpg)
USER LAYER ANALYSIS RESULTS
![Page 21: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS · MULTI-LAYER PROFILING OF ANDROID APPLICATIONS . WE DEPEND ON SMARTPHONES MORE AND MORE ... Android Debugging Bridge Profiling. Desktop/laptop](https://reader036.fdocuments.net/reader036/viewer/2022070715/5ed8d4b36714ca7f4768a5c4/html5/thumbnails/21.jpg)
OPERATING SYSTEM LAYER Source: strace
• System call categories • Network sockets • File system • VM & IPC
• Enforces isolation • Overhead: scheduling,
idling, IPC
Linux Kernel
Libraries, Android Runtime
Application Framework
Application Static
User
OS
Network
![Page 22: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS · MULTI-LAYER PROFILING OF ANDROID APPLICATIONS . WE DEPEND ON SMARTPHONES MORE AND MORE ... Android Debugging Bridge Profiling. Desktop/laptop](https://reader036.fdocuments.net/reader036/viewer/2022070715/5ed8d4b36714ca7f4768a5c4/html5/thumbnails/22.jpg)
OPERATING SYSTEM LAYER RESULTS
App Intensity (syscalls/sec)
Filesystem (%)
Network (%)
VM & IPC (%)
Misc (%)
Tiny Flashlight 436 1 1 77 21 Facebook 1,031 4 3 72 21 Amazon 693 1 6 77 16 InstHeartRate 944 8 2 75 15
![Page 23: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS · MULTI-LAYER PROFILING OF ANDROID APPLICATIONS . WE DEPEND ON SMARTPHONES MORE AND MORE ... Android Debugging Bridge Profiling. Desktop/laptop](https://reader036.fdocuments.net/reader036/viewer/2022070715/5ed8d4b36714ca7f4768a5c4/html5/thumbnails/23.jpg)
NETWORK LAYER Source: tcpdump (packets and content) App traffic
• Origin (app's website) • CDN and Cloud • Google • 3rd party: ads & tracking
Linux Kernel
Libraries, Android Runtime
Application Framework
Application Static
User
OS
Network
![Page 24: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS · MULTI-LAYER PROFILING OF ANDROID APPLICATIONS . WE DEPEND ON SMARTPHONES MORE AND MORE ... Android Debugging Bridge Profiling. Desktop/laptop](https://reader036.fdocuments.net/reader036/viewer/2022070715/5ed8d4b36714ca7f4768a5c4/html5/thumbnails/24.jpg)
NETWORK LAYER RESULTS
App Intensity
(bytes/ sec)
In/out ratio
Origin
(%)
CDN+ Cloud
(%)
(%)
3rd party (%)
HTTP/ HTTPS
split (%)
Tiny Flashlight 134 2.49 - - 99 - 100/- AdvTaskKiller 26 0.94 - - 100 - 92/8 AdvTaskKiller$$ - - - - - - - Facebook 4,606 1.45 68 32 - - 23/77 Amazon 7,758 8.17 95 5 - - 99/1 InstHeartRate 575 2.39 - 4 86 10 86/14 InstHeartRate$$ 6 0.31 - 9 90 1 20/80
![Page 25: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS · MULTI-LAYER PROFILING OF ANDROID APPLICATIONS . WE DEPEND ON SMARTPHONES MORE AND MORE ... Android Debugging Bridge Profiling. Desktop/laptop](https://reader036.fdocuments.net/reader036/viewer/2022070715/5ed8d4b36714ca7f4768a5c4/html5/thumbnails/25.jpg)
APPLICATION THUMBNAILS
High usage Medium usage Low usage
![Page 26: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS · MULTI-LAYER PROFILING OF ANDROID APPLICATIONS . WE DEPEND ON SMARTPHONES MORE AND MORE ... Android Debugging Bridge Profiling. Desktop/laptop](https://reader036.fdocuments.net/reader036/viewer/2022070715/5ed8d4b36714ca7f4768a5c4/html5/thumbnails/26.jpg)
READING BETWEEN THE LINES Free apps are not as free as we might think
• 50—100% higher system call intensity • Dramatically higher network traffic (usually ads&tracking)
Bad for your dataplan, your battery life, and your privacy
VM-based isolation comes at a cost • 64—87% of system calls are due to VM and IPC
![Page 27: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS · MULTI-LAYER PROFILING OF ANDROID APPLICATIONS . WE DEPEND ON SMARTPHONES MORE AND MORE ... Android Debugging Bridge Profiling. Desktop/laptop](https://reader036.fdocuments.net/reader036/viewer/2022070715/5ed8d4b36714ca7f4768a5c4/html5/thumbnails/27.jpg)
READING BETWEEN THE LINES Apps talk to many servers spread across many top-level domains
• AngryBirds$$: 4 domains, AngryBirds free: 8 domains • Weatherbug: 13 domains, Shazam: 13 domains
Most network traffic is not encrypted Google traffic is predominant
• Except for Amazon and Facebook which have 0 (zero) Google traffic
![Page 28: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS · MULTI-LAYER PROFILING OF ANDROID APPLICATIONS . WE DEPEND ON SMARTPHONES MORE AND MORE ... Android Debugging Bridge Profiling. Desktop/laptop](https://reader036.fdocuments.net/reader036/viewer/2022070715/5ed8d4b36714ca7f4768a5c4/html5/thumbnails/28.jpg)
FUTURE WORK • Expand study to include more apps • User profiles
• Study the variance across users • Fully automate process • Profiler as an app to run on the device
• Provide summary of usage on close
![Page 29: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS · MULTI-LAYER PROFILING OF ANDROID APPLICATIONS . WE DEPEND ON SMARTPHONES MORE AND MORE ... Android Debugging Bridge Profiling. Desktop/laptop](https://reader036.fdocuments.net/reader036/viewer/2022070715/5ed8d4b36714ca7f4768a5c4/html5/thumbnails/29.jpg)
QUESTIONS?