Experimental Android Hacking Using Reflection

SeongJae Park, Heon Yeom,Seoul National University

Hidden Android Features

Unsecure, Or Unmatured Features Hidden From Developers

Need Such Features On Lots Of Researching

Rooting / System Modification

● Pros○ Able to Use Hidden Features○ No Limitation At All

● Cons○ Environment Is Different With Real Market Device

How Android Hide Features

3rd Party Application Use SDK Framework Interface

Built-in Application Uses Built-in Framework Interface

SDK Framework Interface != Built-in Framework Interface

Android Basic StructureBuilt-in Application3rd Party Developer

Application

SDK Framework Interface Built-in Framework Interface

On-Device Framework

Binder

System Process System Process System Process

Device

Java Reflection

● Examine or Modify Behavior Of Application○ Type Checking○ Debugging○ Test

Java Reflection

● Pros○ Unlimited Freedom

● Cons○ Performance Overhead○ Weak Security Available○ Unexpected Side-Effect

Android Hacking Using Reflection

Change SDK Framework Interface into On-Device Framework Interface

Built-in Application3rd Party Developer Application

SDK Framework Interface Built-in Framework Interface

On-Device Framework

Reflection

Android Hacking Using ReflectionTelephonyMaanger telephonyManager = (TelephonyManager)getSystemService( Context.TELEPHONY_SERVICE);try { Class c = Class.forName(telephonyManager. getClass().getName()); Method m = c.getDeclaredMethod("getITelephony"); m.setAccessible(true);

ITelephony telephony = (ITelephony)m.invoke( telephonyManager); telephony.endCall();} catch (Throwable e) {}

Restriction Of Reflection Using Hack

● Performance Overhead

● May Not Success On Every Machine○ Manufacturer’s Device Use Modified Android

● May Not Success On Latest Android