Take a Picture of Your App Code – Android MRI Interpreter


August 25, 2023




Track 2

Magnetic Resonance Imaging (MRI), a medical device, allows tomographic imaging of human organs and measurement of blood flow. Using these features, modern doctors can easily detect diseases without having to perform open surgery as in the past.

If it were possible to perform tomography on the app’s code through a simple procedure, such as taking a picture like an MRI without invasion the app’s process, and trace the flow of data used within the code, it would be an effective way to find vulnerabilities. This paper proposes a new OS (interpreter, runtime, kernel) that performs MRI functions based on Android 12.

In this new Interpreter, the Android app takes a picture of the dalvik instruction and register value at runtime when the target (data or function) is used, generating a Control Flow Graph (CFG) that traces the target’s forward and backward execution, providing an effective environment for analyzing the app and finding vulnerabilities. Furthermore, I will explain the vulnerabilities discovered in mobile apps using the developed OS.

Three functions were developed based on the Android Open Source Project (AOSP) in order to analyze and find vulnerabilities of apps in the Android 12 environment.

  • Firstly, a new MRI interpreter was developed that can inspect, trace, and print all the Dalvik instructions and register values executed in an Android app. However, in the Android 12 environment, some Dalvik codes in the app are compiled into native codes and run directly without going through the interpreter. Therefore, it is not possible to inspect all the codes with the developed MRI interpreter alone.
  • Secondly, to overcome this, we controlled the flow of code by the Android Runtime (ART) so that all code is executed as Dalvik code through the MRI interpreter. The interpreter developed in this way was installed on the device. However, in apps that provide sensitive functions, the Runtime Application Self-Protection (RASP) technique is applied to detect OS tampering, among other things, and prevent the app from running in a modified OS environment. To bypass this,
  • Thirdly, we have developed a new kernel for Android, so that all of RASP’s detection functions are automatically bypassed. The new kernel adds a privilege escalation backdoor, SEAndroid bypass, and AVB bypass, enabling RASP to fail to detect OS tampering and allowing security analysts to obtain root privileges for analysis.