0

I'm trying to detect the leakage of private information by inspecting the smali code of Android applications. My strategy so far is.. searching the code that substitutes a personal information (e.g. IMEI, phone number) into a variable, then trace that variable until the point where it's sent to the internet or where it's not used anymore.

Are there any nice tools for doing this?

I've tried

  • apkinspector (http://code.google.com/p/apkinspector/)
  • androguard (http://code.google.com/p/androguard/)
  • androwarn (https://github.com/maaaaz/androwarn)

, but none of these are likely to be able to do what I want.

Caleb Fenton
  • 873
  • 11
  • 18
Ryo
  • 1,823
  • 3
  • 23
  • 38

1 Answers1

0

unpack classes.dex, use dex2jar and inspect with jd-gui, it's somehow simpler, if jd-gui doesn't crash

you can also search for calls to functions needed to obtain some info, like imei How to get the device's IMEI/ESN programmatically in android?

Community
  • 1
  • 1
sherpya
  • 4,598
  • 2
  • 28
  • 48
  • Thank you for your comment. But I want to do with smali code, because some information could be lost while converting classes.dex into java source code. – Ryo Oct 25 '12 at 13:35
  • make a simple app that calls android.telephony.TelephonyManager.getDeviceId(), then apktool d the.apk then open the smali e search for invoke-virtual/invoke-direct call, you will have a pattern that gets imei in smali – sherpya Oct 25 '12 at 17:51