Android Malware and Analysis
One of the greatest strengths of the Android application environment is its use of the Java programming language. The Android SDK does not offer everything that is available in the standard Java runtime environment, but it is compatible with a significant fraction of it.
The most important services included are:
Views—Extensive set of views (the visual part of the components).
Resource Manager—Provides access to resources that are not in code.
Activity Manager—Manages the life cycle of applications and provides a navigation system between them.
Notification Manager—Allows applications to display custom alerts in the status bar.
Content Providers—Easy mechanism for accessing information from other applications (such as the contacts).
Libraries
This includes a set of libraries in C/C++ used in various components of Android. They are compiled to native code for the processor. Many of these libraries build on open source projects; some of them are:
System C library—A derivation of the BSD standard C library (libc), adapted for embedded devices based on Linux.
Media Framework—Library based on PacketVideo's OpenCORE. Supports playback and recording of many video, audio, and image formats, including MPEG4, H.264, MP3, AAC, AMR, JPG, and PNG.
Surface Manager—Handles access to the display subsystem and the composition of 2D and 3D graphics.
WebKit—Modern Web browser engine used in the Android browser and in the WebView. It is the same library that Google Chrome and Apple Safari use.
SGL—2D graphics engine.
3D libraries—Implementation based on the OpenGL ES 1.0 API. The libraries use the hardware 3D accelerator if it is available, or otherwise a highly optimized software 3D renderer.
Building Your Own Sandbox
FreeType—Bitmap and vector font rendering.
SQLite—Powerful and lightweight relational database engine available to all applications.
SSL—Provides Secure Sockets Layer encryption services.
Android Runtime
The Android runtime is based on the virtual machine concept used in Java. Given the limitations of the devices on which Android has to run (low memory and limited processor), a standard Java virtual machine cannot be used. Because of this, Google decided to create a new virtual machine that answers these limitations: the Dalvik virtual machine.
Dalvik is the name of the virtual machine that Android uses (DalvikVM), registered, designed, and written by Dan Bornstein and other Google engineers. In it we find a great difference from the Java virtual machine (JVM): the virtual machine by Google is not stack-based.
Dalvik.equals (Java)==false
Why "Dalvik"? The name was chosen in honor of Dalvík, a fishing village in Eyjafjörður (Iceland), where some of Bornstein's ancestors lived.
The Dalvik VM is an interpreter that only executes files in the Dex (Dalvik Executable) format. This format is optimized for efficient memory storage; the management of threads (multithreading), memory, and processes is delegated to the kernel.
The "dx" tool included in the Android SDK transforms the classes (.class) produced by a Java language compiler into the Dex format.
The Dalvik VM has also been optimized to run multiple instances with a very low footprint.
First, the Dalvik virtual machine takes the class files generated by the Java compiler and combines them into one or more dex files, which in turn are compressed into a single .apk (Android Package) file on the device. In this manner it reuses information duplicated across multiple .class files and halves the space a Jar archive would occupy (Figure 8.4).
Second, Google has improved garbage collection in the Dalvik virtual machine, but has preferred to skip just-in-time (JIT) compilation, in this version at least. The company justifies this choice by noting that many of the Android core libraries, including the graphics libraries, are implemented in C and C++. Similarly, Android provides an optimized C library for accessing the SQLite database, but this library is wrapped in a higher-level Java API. Because most of the core code is in C and C++, Google argued that the impact of JIT compilation would not be significant.
[Figure 8.4 Dalvik VM connections: several .class files, each with its own heterogeneous constant pool and other data, are merged into one .dex whose String_ids, Type_ids, Proto_ids, Field_ids and Method_ids constant pools are shared, and the .dex is packaged into the .apk; a .jar keeps the per-class pools.]
Finally, the Dalvik virtual machine employs a different kind of instruction set for code generation, in which registers are used as the primary units of data storage.
It should be noted that the final executable code of Android, as produced for the Dalvik virtual machine, is not Java bytecode; it is based on .dex files. This means that Java bytecode cannot be executed directly. As a result, one starts with .class files in Java and converts them to .dex. Included in the Android runtime are the "core libraries," along with most of the libraries available in the Java language.
Broadly, the structure of a .dex file consists of the following parts (Figure 8.5):
Header
Table with the positions of the strings (String_ids)
Table with the positions of the types (Type_ids)
Table with the positions of the method prototypes (Proto_ids)
Table with the positions of the properties of classes and methods (Field_ids)
Table with the positions of the methods (Method_ids)
Table with the positions of the class definitions (Class Definitions)
Data
[Figure 8.5 .dex anatomy: inside the .apk, the .dex contains the Header followed by the String_ids, Type_ids, Proto_ids, Field_ids and Method_ids constant pools, the Class Definitions and the Data section; the figure illustrates each pool with sample entries such as "HelloWorld", "Lcom/google/Blort;", void fn(int), PrintStream.println(...), String.offset and Integer.MAX_VALUE.]
Except for the strings table (which is referenced by all the other tables, as it is where every name of classes, methods, functions, variables, and data types is stored), the rest follow a reverse hierarchical order. That is, if we wanted to disassemble a .dex file, after obtaining the list of strings we would obtain the list of classes, then the methods, properties, and fields of those methods. The structure of each method, which links methods and fields and finally types, indicates the kinds of the method's fields and the types the method returns. In other words, it is a relational structure whose objective is the maximum reuse of information, avoiding redundancies and achieving the optimal format for mobile terminals (Figure 8.6).
As noted, there are tables that indicate the position of the information that composes the table, usually as an offset, optionally accompanied by a length. These data, together with the machine code, live in the data section.
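As an added example (not from the book), the following Python parser reads the 112-byte .dex header, validates the fields an analysis sandbox should check before trusting any offset (magic, endian tag, file_size, the Adler-32 checksum and the SHA-1 signature), and then follows the String_ids table into the data section to recover the strings. The layout follows the public dex format specification; build_sample_dex is a constructed helper that produces a minimal file with only a strings table so the block runs offline.

```python
import hashlib
import struct
import zlib
HEADER_FMT = "<8sI20s20I"  # magic[8], adler32 u32, sha1[20], then twenty u32 size/offset fields
FIELDS = ("file_size header_size endian_tag link_size link_off map_off string_ids_size "
          "string_ids_off type_ids_size type_ids_off proto_ids_size proto_ids_off "
          "field_ids_size field_ids_off method_ids_size method_ids_off class_defs_size "
          "class_defs_off data_size data_off").split()

def read_uleb128(buf, off):
    # string_data_item starts with a ULEB128 UTF-16 length; returns (value, next_offset)
    value, shift, b = 0, 0, 0x80
    while b & 0x80:
        b, off = buf[off], off + 1
        value |= (b & 0x7F) << shift
        shift += 7
    return value, off

def parse_dex(blob):
    # Validate the header before trusting any offset, then follow string_ids into the data section
    hdr = struct.unpack_from(HEADER_FMT, blob, 0)
    magic, checksum, signature, info = hdr[0], hdr[1], hdr[2], dict(zip(FIELDS, hdr[3:]))
    if magic[:4] != b"dex\n" or info["header_size"] != 0x70 or info["endian_tag"] != 0x12345678:
        raise ValueError("not a little-endian dex header")
    if info["file_size"] != len(blob) or zlib.adler32(blob[12:]) != checksum \
            or hashlib.sha1(blob[32:]).digest() != signature:
        raise ValueError("file_size, adler32 checksum or SHA-1 signature mismatch")
    strings = []
    for i in range(info["string_ids_size"]):
        (data_off,) = struct.unpack_from("<I", blob, info["string_ids_off"] + 4 * i)
        if data_off >= len(blob):  # never dereference an offset from an untrusted file blindly
            raise ValueError("string_data_off outside file")
        start = read_uleb128(blob, data_off)[1]
        strings.append(blob[start:blob.index(b"\x00", start)].decode("utf-8"))
    return dict(info, strings=strings)

def build_sample_dex(strings):
    # Constructed sample: header + string_ids table + string data; no types, methods or classes
    string_ids_off, data_off = 0x70, 0x70 + 4 * len(strings)
    data, offsets = b"", []
    for s in strings:  # ASCII only, so a one-byte ULEB128 prefix equals both byte and UTF-16 length
        offsets.append(data_off + len(data))
        data += bytes([len(s)]) + s.encode("ascii") + b"\x00"
    fields = [data_off + len(data), 0x70, 0x12345678, 0, 0, 0, len(strings), string_ids_off]
    fields += [0] * 10 + [len(data), data_off]  # type/proto/field/method/class_defs tables are empty
    blob = bytearray(struct.pack(HEADER_FMT, b"dex\n035\x00", 0, bytes(20), *fields))
    blob += struct.pack("<%dI" % len(offsets), *offsets) + data
    blob[12:32] = hashlib.sha1(blob[32:]).digest()           # signature covers everything after itself
    blob[8:12] = struct.pack("<I", zlib.adler32(blob[12:]))  # checksum covers the signature onward
    return bytes(blob)
```

Any single flipped byte in the string data changes the Adler-32 and the SHA-1, so parse_dex rejects a tampered sample before reading a single table entry.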
Like almost everything, this system has its advantages and drawbacks. Android allows switching to another virtual machine while keeping the previous one in the background, a great advantage that gives our devices real multitasking. However, each application has to run inside its own virtual machine instead of executing directly on the operating system, which causes the whole system to lose fluidity, and this worsens with the number of applications we have open on the screen or in the background.
In spite of this drawback, Android is a notably fluid system, but one wonders whether it could be even more fluid. For Google, the answer is yes. For that reason, Google decided to create a new virtual machine, called ART (Android Runtime), which in the future will replace the current Dalvik virtual machine. This new virtual machine is intended to make operations faster. For this, it will work with a new kind of