System call analysis on Android

Android system call (syscall) analysis is a well researched domain. However, finding information on how to do syscall analysis is a bit difficult. I would like to share some of my experiences on the matter here. For doing android syscall analysis you need Android SDK, installed on your computer. Make sure you install the emulator version you want to use. The recommended version is the one that has the Google Play Services in the image and is for the x86_64 or x86 architecture. If you use the arm build you will find the emulator is quite slow. Once the emulator download completes create an Android Virtual Device (AVD) using Android Studio. It’s pretty easy to use and allows you to customize a lot of things including the graphics emulation options. On windows make sure you have installed the intel provided hardware execution manager software (sdk\extras\intel\Hardware_Accelerated_Execution_Manager\silent_install.bat). Then choose hardware acceleration in the graphics emulation option. On linux and mac systems I didn’t have to install the hardware acceleration software but I had to make sure the right NVIDIA driver for my NVIDIA GPU was installed. The AVD would get stuck otherwise. Once the setup finishes you will have to write some code to launch the emulator like shown below:

#!/bin/bash
adb start-server
emulator -avd nexus6 &
#Use the line below instead the one above if you want the AVD to be clean i.e. factory reset every time you launch the emulator.
#emulator -avd nexus6 -wipe-data &

Now that you have launched the AVD you need to install the app you want to analyze using the Android Debug Bridge (adb) utility. Just do the following for that:

adb install path_to_apk_file

After installing the app you need to start the app and attach strace to the app’s process to do the syscall capture. I found the technique to do this from stackoverflow here. I made one small change in the code to serve the process of capturing syscalls as can be seen below:

am start -n com.packagename.here\.ActivityName && set `ps | grep com.packagename.here` && strace -p $2 -o output_file_path

That’s it! I will write more blogs or update this as I learn more.