Agrigento: Identify privacy leaks in Android apps
Agrigento is a tool to identify privacy leaks in Android apps by performing black-box differential analysis on the network traffic. It performs root cause analysis of non-determinism in the network behavior of Android apps.
Agrigento works in two steps: first, it establishes a baseline of the network behavior of an app; then, it modifies sources of private information, such as the device ID and location, and detects privacy leaks by observing deviations in the resulting network traffic. The main contribution of this work is to make black-box differential analysis practical when applied to modern Android apps.
Agrigento eliminates the different sources of non-determinism by intercepting the app's calls to certain Android APIs and recording their return values, and in some cases replacing them (either by replaying previously seen values or by returning constant values):
- It records the timestamps generated during the first run of each app and replays the same values in the further runs.
- It records the random identifiers (UUID) generated by the app.
- It records the plaintext and ciphertext values whenever the app performs encryption.
- The instrumented environment sets a fixed seed for all random number generation functions.
- It replaces the values of system-related performance measures (e.g., free memory, available storage space) with a set of constants.
Agrigento requires other modules to be installed on the Android device:
- [CryptoHooker] – Collects contextual information.
- [Changer] – Modifies the values of private information sources.
- [JustTrustMe] – Handles certificate pinning.
- [Android Mock-location] – Allows setting a mock location through ADB.
Agrigento Network Behavior:
Agrigento looks for privacy leaks at all levels of the tree, i.e., in all parts of the HTTP request: the domain, path, keys, and values, as well as the headers and the payload. In the current implementation Agrigento includes parsers for application/x-www-form-urlencoded, application/json, and any content that matches an HTTP query format. However, it can be easily extended with parsers for further content types.
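The following is an added illustration, not Agrigento's own code: it flattens a raw HTTP request into the leaf tree described above (domain, path, query keys, headers, and a JSON or form-urlencoded body) and then diffs a baseline run against a run in which the device ID was changed, which is how the differential step surfaces a leak even when the app hashes the identifier. The `analytics.example` host, the `/v1/track` endpoint and the request contents are constructed for the example.

```python
import hashlib
import json
from urllib.parse import parse_qsl, urlsplit

def request_tree(raw: str) -> dict:
    """Flatten a raw HTTP request into {leaf_path: value}: domain, path, query
    keys, headers, and a body parsed as JSON, form-urlencoded or query-shaped."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = dict(line.split(": ", 1) for line in lines[1:] if ": " in line)
    url = urlsplit(target)
    tree = {"method": method, "domain": headers.get("Host", url.netloc), "path": url.path}
    tree.update({f"query.{k}": v for k, v in parse_qsl(url.query)})
    tree.update({f"header.{k}": v for k, v in headers.items() if k != "Host"})
    if body and headers.get("Content-Type", "").startswith("application/json"):
        def walk(obj, prefix):  # every JSON scalar becomes its own leaf
            if isinstance(obj, dict):
                for k, v in obj.items():
                    walk(v, f"{prefix}.{k}")
            elif isinstance(obj, list):
                for i, v in enumerate(obj):
                    walk(v, f"{prefix}[{i}]")
            else:
                tree[prefix] = str(obj)
        walk(json.loads(body), "body")
    elif body:  # application/x-www-form-urlencoded, or anything query-shaped
        tree.update({f"body.{k}": v for k, v in parse_qsl(body)})
    return tree

def deviations(baseline: str, modified: str) -> dict:
    """Leaves whose value differs between two runs. With timestamps, seeds and
    UUIDs held constant, what remains is attributable to the private value that
    was changed between the runs, even when the app hashed it before sending."""
    a, b = request_tree(baseline), request_tree(modified)
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

def sample_request(device_id: str) -> str:
    """Constructed traffic of a hypothetical app that sends SHA-256(device ID);
    the timestamp is fixed, as replaying recorded values would make it."""
    body = {"event": "open", "device": {"id": hashlib.sha256(device_id.encode()).hexdigest()}, "ts": 1700000000}
    return ("POST /v1/track?app=demo&sdk=3 HTTP/1.1\r\nHost: analytics.example\r\n"
            "Content-Type: application/json\r\nUser-Agent: demo/1.0\r\n\r\n" + json.dumps(body))

if __name__ == "__main__":
    # Baseline run vs. run with the device ID swapped: only the hashed-ID leaf should move.
    for leaf, (before, after) in deviations(sample_request("deadbeef0001"), sample_request("cafebabe0002")).items():
        print(f"leak candidate at {leaf}: {before} -> {after}")
```

The same `deviations` call run over traffic where every leaf stays identical reports nothing, which is the expected result for a run in which only non-deterministic sources were touched.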