jordansamhi / tsopen

Open implementation of TriggerScope

License: GNU Lesser General Public License v2.1

Java 99.22% Python 0.78%
android-analysis malware-detection trigger-detection logic-bombs

tsopen's Introduction

TSOpen

TSOpen is a flow-, path- and context-sensitive tool to detect logic bombs in Android applications. It is an open implementation of TriggerScope, built from the details given in the 2016 Security and Privacy paper by Fratantonio et al.

TSOpen has been developed on top of the Soot framework, which is useful for statically analyzing Java programs thanks to its simplified internal representation of Java bytecode (Jimple). Since TSOpen is made to analyze Android APKs, and such applications have an atypical form (with communicating components), it is difficult to model the flow of information correctly. Therefore the modelling part relies on Flowdroid, a tool that detects data leaks in Android APKs but can also be used as a library.

Getting Started

Downloading the tool

I do not provide any pre-built JAR as a release yet. Therefore one has to do the following to get the tool:

git clone https://github.com/JordanSamhi/TSOpen.git

Installing the tool

To install the tool, go into the cloned repository and run these Maven commands:

cd TSOpen
mvn clean install:install-file -Dfile=libs/soot-infoflow-android-classes.jar -DgroupId=de.tud.sse -DartifactId=soot-infoflow-android -Dversion=2.7.1 -Dpackaging=jar
mvn clean install:install-file -Dfile=libs/soot-infoflow-classes.jar -DgroupId=de.tud.sse -DartifactId=soot-infoflow -Dversion=2.7.1 -Dpackaging=jar
mvn clean install:install-file -Dfile=libs/sootclasses-trunk.jar -DgroupId=ca.mcgill.sable -DartifactId=soot -Dversion=3.3.0 -Dpackaging=jar
mvn clean install

The built JAR will be in the "target" folder with the following name:

  • TSOpen-X.Y-jar-with-dependencies.jar, where X.Y is the current version of the tool.

Using the tool

To run the tool, simply issue this command:

java -jar TSOpen/target/TSOpen-X.Y-jar-with-dependencies.jar options

Two options are currently required:

java -jar TSOpen/target/TSOpen-X.Y-jar-with-dependencies.jar -f <APK file> -p <path/to/android/platforms>

That is, one has to provide the file to analyze and the path to the Android platforms folder (inside the Android SDK folder).

Additional options:

  • -e : Take exceptions into account during full path predicate recovery.
  • -t <timeout> : Set a timeout in minutes for the tool (60 mins by default). The tool faces NP-complete problems, so for some apps it can run indefinitely; a timeout is useful in those cases.
  • -q : Quiet mode, do not display information messages.
  • -o <file_name> : Set the file in which results are saved.
  • -c <call_graph_algorithm> : Set the call-graph construction algorithm used (SPARK, CHA, RTA, VTA).
  • -r : Display raw results on stdout.

For each APK, results are written to the file in this form:

sha256; pkg_name; count_of_triggers; elapsed_time; has_suspicious_trigger; has_suspicious_trigger_after_control_dependency; has_suspicious_trigger_after_post_filters; dex_size; count_of_classes; count_of_if; if_depth; count_of_objects

Triggers are represented in this form:

%if_stmt, class, methodContainingLogicBomb, sensitiveMethod, componentContainingLogicBomb, sizeOfFullPathPredicate, isMethodContainingLogicBombReachable, guardedBlocksDensity, predicate_0:...:predicate_n

These features can be used to compute some data and statistics with a script.
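As an added example (not part of the TSOpen repository), a script of that kind: it parses the two record formats above and tallies which sensitive methods sit behind the reported triggers. It assumes that each result line is followed by that APK's trigger lines, that trigger lines start with a literal `%`, and that the first eight trigger fields contain no commas; the sample report is constructed.

```python
from collections import Counter

RESULT_FIELDS = [
    "sha256", "pkg_name", "count_of_triggers", "elapsed_time", "has_suspicious_trigger",
    "has_suspicious_trigger_after_control_dependency",
    "has_suspicious_trigger_after_post_filters", "dex_size", "count_of_classes",
    "count_of_if", "if_depth", "count_of_objects"]
TRIGGER_FIELDS = [
    "if_stmt", "class", "methodContainingLogicBomb", "sensitiveMethod",
    "componentContainingLogicBomb", "sizeOfFullPathPredicate",
    "isMethodContainingLogicBombReachable", "guardedBlocksDensity"]

def parse_result(line):
    """Parse one ';'-separated per-APK result line into a dict of strings."""
    values = [v.strip() for v in line.split(";")]
    if len(values) != len(RESULT_FIELDS):
        raise ValueError(f"expected {len(RESULT_FIELDS)} fields, got {len(values)}")
    return dict(zip(RESULT_FIELDS, values))

def parse_trigger(line):
    """Parse one '%'-prefixed trigger line; the last field is the ':'-joined predicates."""
    if not line.startswith("%"):
        raise ValueError("trigger lines are assumed to start with '%'")
    # Split at most 8 times so commas inside the predicate list are preserved.
    values = [v.strip() for v in line[1:].split(",", len(TRIGGER_FIELDS))]
    if len(values) != len(TRIGGER_FIELDS) + 1:
        raise ValueError(f"malformed trigger line: {line!r}")
    trigger = dict(zip(TRIGGER_FIELDS, values))
    trigger["predicates"] = [p.strip() for p in values[-1].split(":") if p.strip()]
    return trigger

def parse_report(text):
    """Group trigger lines under the result line that precedes them (assumed layout)."""
    apps = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith("%"):
            if not apps:
                raise ValueError("trigger line before any result line")
            apps[-1]["triggers"].append(parse_trigger(line))
        else:
            apps.append({**parse_result(line), "triggers": []})
    return apps

def sensitive_method_counts(apps):
    """Count how often each sensitive method is guarded by a reported trigger."""
    return Counter(t["sensitiveMethod"] for a in apps for t in a["triggers"])

def mean_predicate_size(apps):
    """Average sizeOfFullPathPredicate over all triggers (0.0 if there are none)."""
    sizes = [int(t["sizeOfFullPathPredicate"]) for a in apps for t in a["triggers"]]
    return sum(sizes) / len(sizes) if sizes else 0.0

# Constructed sample report; hashes are placeholders, values are illustrative only.
SAMPLE = """\
SHA256_PLACEHOLDER_A; com.example.app; 2; 12; 1; 1; 0; 1024; 10; 40; 3; 7
%if $z0 == 0 goto label1, com.example.app.Main, onCreate, sendTextMessage, com.example.app.Main, 2, true, 0.5, $z0 == 0:$i1 > 5
%if $i2 != 3 goto label2, com.example.app.Svc, onStart, sendTextMessage, com.example.app.Svc, 1, false, 0.2, $i2 != 3
SHA256_PLACEHOLDER_B; com.example.other; 0; 3; 0; 0; 0; 512; 4; 9; 1; 2
"""
```

Lines that do not match the expected field count raise `ValueError`, so records whose fields contain the delimiter are rejected rather than silently misparsed.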

Built With

  • Maven - Dependency Management

Authors

Publication

For more about the implementation details, please check the related research paper.

License

This project is licensed under the LGPLv2.1 License - see the LICENSE file for details.

tsopen's Issues

mvn install ERROR at first, maybe lack of some dependency?

I cloned this project and installed by the instructions.
However, first I got "Compilation failure: package com.google.common.collect does not exist"

After I added the dependency of guava (following the solution in https://stackoverflow.com/questions/38007629/no-class-found-com-google-common-collect-lists)

I got another ERROR:

" Compilation failure
[ERROR] /home/pudding/TSOpen/src/main/java/lu/uni/tsopen/graphTraversal/ICFGForwardTraversal.java:[51,33] cannot access heros.InterproceduralCFG"
I can't find that class in this project

And then after I added the dependency and re-installed.
I got "Compilation failure
[ERROR] /home/pudding/TSOpen/src/main/java/lu/uni/tsopen/Analysis.java:[411,30] cannot access org.xmlpull.v1.XmlPullParserException"

I then added the dependency, and finally installed successfully.
