[NDroid] On Tracking Information Flows through JNI in Android Applications
See NDroid, JNI, Android.
1 The number of apps using JNI has increased in recent years. JNI is used for OpenGL ES, OpenSL ES, and reusing native code written in C/C++. The percentage of Android applications using JNI increased: 4.52 % → 9.42 % → 16.46 % (June 2013) → 24 % (for Asian apps). TaintDroid and DroidScope are limited in their taint propagation logic related to JNI, because they were not designed specifically for apps using the NDK. What is specially designed in NDroid? TaintDroid under-taints explicit information flows from native code to Dalvik. DroidScope's overhead is quite high, because it reconstructs OS-level and DVM-level information only from the machine instructions, without exploiting JNI's semantic information. Moreover, its capability could be restricted by Just-In-Time compilation. Is JIT critical? NDroid can track information flows from selected sources to specified sinks.
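To make the under-tainting point concrete, here is an added C model (not code from the NDroid paper, TaintDroid or DroidScope) of a tainted byte array crossing the JNI boundary. The shadow table, the `get_region`/`set_region` bridges, the `jni_hooks` switch and the `TAINT_LOCATION` constant are constructed simplifications: with `jni_hooks == 0` the bridges only move bytes, which is all a DVM-only tracker sees, so the tag is lost on the way back; with `jni_hooks == 1` the bridges carry the tag across the boundary, which is the NDroid-style idea of exploiting JNI semantics instead of instrumenting every native instruction.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Taint tag in the style of a 32-bit tag bitmap (value constructed here). */
#define TAINT_LOCATION 0x1u

/* A DVM-side byte array whose taint tag lives next to the object. */
typedef struct {
    uint8_t  data[32];
    size_t   len;
    uint32_t taint;
} ByteArray;

/* Shadow taint for native buffers, keyed by address. A real tracker keeps
 * this in emulator shadow memory; a tiny table stands in for it here. */
typedef struct { const void *addr; uint32_t taint; } ShadowEntry;
static ShadowEntry shadow[8];
static int         nshadow;

static uint32_t shadow_get(const void *p) {
    for (int i = 0; i < nshadow; i++)
        if (shadow[i].addr == p) return shadow[i].taint;
    return 0;
}

static void shadow_set(const void *p, uint32_t t) {
    for (int i = 0; i < nshadow; i++)
        if (shadow[i].addr == p) { shadow[i].taint = t; return; }
    if (nshadow < 8) { shadow[nshadow].addr = p; shadow[nshadow].taint = t; nshadow++; }
}

/* Simplified stand-ins for the GetByteArrayRegion / SetByteArrayRegion
 * bridges. jni_hooks == 0: bytes move, tags do not (DVM-only tracking).
 * jni_hooks == 1: the bridge propagates the tag (JNI-aware tracking). */
static void get_region(const ByteArray *arr, uint8_t *buf, int jni_hooks) {
    memcpy(buf, arr->data, arr->len);
    if (jni_hooks) shadow_set(buf, shadow_get(buf) | arr->taint);
}

static void set_region(ByteArray *arr, const uint8_t *buf, size_t len, int jni_hooks) {
    memcpy(arr->data, buf, len);
    arr->len = len;
    if (jni_hooks) arr->taint |= shadow_get(buf);
}

/* The app's native method: pulls the array out, transforms it in plain C
 * (no taint instrumentation exists in this loop), and pushes the result
 * into a fresh array that goes back to Dalvik. */
static void native_transform(const ByteArray *in, ByteArray *out, int jni_hooks) {
    uint8_t buf[32];
    get_region(in, buf, jni_hooks);
    for (size_t i = 0; i < in->len; i++) buf[i] ^= 0x5A;   /* explicit flow, byte by byte */
    set_region(out, buf, in->len, jni_hooks);
}

/* Tag the Dalvik side sees on the array that returns from native code.
 * 0 means the location data lost its tag, i.e. under-tainting. */
uint32_t taint_after_native_roundtrip(int jni_hooks) {
    ByteArray src = { "37.7749,-122.4194", 17, TAINT_LOCATION };  /* constructed sample */
    ByteArray dst;
    memset(&dst, 0, sizeof dst);
    nshadow = 0;
    native_transform(&src, &dst, jni_hooks);
    return dst.taint;
}

int main(void) {
    printf("DVM-only tracking: tag=%u, JNI-hooked tracking: tag=%u\n",
           taint_after_native_roundtrip(0), taint_after_native_roundtrip(1));
    return 0;
}
```

The XOR loop is deliberately uninstrumented: the point of hooking the JNI bridges is that the tag survives even though nothing inside the native routine knows about taint, at the cost of treating the whole native buffer as one tainted unit.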
2 Read about! Android uses indirect references in native code rather than direct pointers to reference objects. By doing so, when the garbage collector (GC) moves an object, it updates the indirect reference table with the object's new location. Consequently, native code holds valid object references every time the GC moves objects around. TaintDroid modified Android's application framework and the DVM.
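An added C simulation (not Dalvik's code and not from the paper) of the indirect reference table described above: a tiny bump-allocated heap, a sliding compacting GC that moves objects and rewrites the table, and a scenario in which native code holds both a raw pointer and a handle to the same object. All names here (`Heap`, `IndirectRefTable`, `jref`, `run_scenario`) are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HEAP_SIZE 256
#define MAX_REFS  16

/* A tiny heap object: an id to recognise it by, and a liveness mark. */
typedef struct { int32_t id; int32_t live; } Obj;

/* Bump-allocated heap and an indirect reference table (IRT): native code
 * receives a jref handle, the table maps it to the object's current address. */
typedef struct { uint8_t heap[HEAP_SIZE]; size_t top; } Heap;
typedef struct { Obj *slots[MAX_REFS]; int count; } IndirectRefTable;
typedef int32_t jref;   /* opaque handle, 1-based so that 0 can mean NULL */

static Obj *heap_alloc(Heap *h, int32_t id) {
    Obj *o = (Obj *)(h->heap + h->top);
    h->top += sizeof(Obj);
    o->id = id;
    o->live = 1;
    return o;
}

static jref irt_add(IndirectRefTable *t, Obj *o) {
    t->slots[t->count] = o;
    return ++t->count;
}

static Obj *irt_get(const IndirectRefTable *t, jref r) {
    return r > 0 ? t->slots[r - 1] : NULL;
}

/* Sliding compaction: live objects move down over dead ones, the freed tail
 * is cleared, and every IRT slot is rewritten with the forwarding address.
 * Raw pointers held outside the table are not updated. */
static void gc_compact(Heap *h, IndirectRefTable *t) {
    size_t n = h->top / sizeof(Obj);
    Obj *fwd[HEAP_SIZE / sizeof(Obj)];   /* old index -> new address, NULL if dead */
    size_t dst = 0;
    for (size_t i = 0; i < n; i++) {
        Obj *o = (Obj *)(h->heap + i * sizeof(Obj));
        if (!o->live) { fwd[i] = NULL; continue; }
        Obj *d = (Obj *)(h->heap + dst * sizeof(Obj));
        if (d != o) memmove(d, o, sizeof(Obj));
        fwd[i] = d;
        dst++;
    }
    memset(h->heap + dst * sizeof(Obj), 0, h->top - dst * sizeof(Obj));
    h->top = dst * sizeof(Obj);
    for (int k = 0; k < t->count; k++) {
        if (!t->slots[k]) continue;
        size_t old = (size_t)((uint8_t *)t->slots[k] - h->heap) / sizeof(Obj);
        t->slots[k] = fwd[old];
    }
}

typedef struct { int32_t raw_id; int32_t handle_id; } Outcome;

/* Scenario: native code keeps a raw pointer and a jref to object B, object A
 * ahead of it dies, the GC compacts, and a new object C is allocated. */
Outcome run_scenario(void) {
    Heap h;
    IndirectRefTable t;
    memset(&h, 0, sizeof h);
    memset(&t, 0, sizeof t);

    Obj *a = heap_alloc(&h, 1);
    Obj *b = heap_alloc(&h, 2);
    Obj *raw = b;                 /* caching the address: what native code must not do */
    jref hb = irt_add(&t, b);     /* the handle JNI hands out instead */

    a->live = 0;                  /* A becomes garbage */
    gc_compact(&h, &t);           /* B slides into A's old slot, table is updated */
    heap_alloc(&h, 3);            /* C reuses B's old slot */

    Outcome out;
    out.raw_id = raw->id;                  /* the stale pointer now reads C */
    out.handle_id = irt_get(&t, hb)->id;   /* the handle still reaches B */
    return out;
}

int main(void) {
    Outcome o = run_scenario();
    printf("raw pointer sees id %d, handle sees id %d\n", o.raw_id, o.handle_id);
    return 0;
}
```

The stale raw pointer silently reads a different object after the move, which is why Dalvik hands native code a handle and why a taint tracker that follows JNI semantics can look up the object a handle refers to at the moment of the call rather than trusting an address.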
Sergey Vartanov, 2007–2020