One of the significant problems in mobile app forensic analysis is extracting app evidence from the device. Given that mobile apps can generate more than 19K files on a device [6], manually inspecting every file is time-consuming and may miss critical pieces of evidence. A recent forensic analysis study [38] shows that fuzzing tools (a.k.a. fuzzers), which programmatically produce interactions with mobile apps, can be helpful when paired with sandbox environments for studying an app’s runtime forensic behaviors; from these, forensic practitioners summarize the patterns of evidential data (such as GPS coordinates) that could greatly help future forensic investigations. However, we found no study of how reliably fuzzing tools help improve the efficiency of mobile app forensic analysis.
We therefore propose AFuzzShield, which aims at verifying mobile app program coverage in the scenario where the app has anti-fuzzing technologies applied. By analyzing the runtime information of mobile app interaction traces, it can prevent real-world apps from being exercised by fuzzers and minimizes the overhead on human usage. Our proposed approach exploits a statistical model to distinguish between fuzzer and human patterns, and therefore it does not require graphical user interface (GUI) injections and is compatible with any real-world app with a touchable/clickable GUI. We evaluate AFuzzShield on apps from AndroTest, a popular benchmark app dataset for testing various fuzzers, and the results demonstrate that mobile app program coverage can be significantly affected when the anti-fuzzing technique AFuzzShield is deployed, which results in missing mobile app evidential data patterns in the analysis (e.g., 70% of apps show promising results when AFuzzShield is applied under Monkey).
An Anti-Fuzzing Approach for Android Apps
Conference/Workshop:
Advances in Digital Forensics XIX. Digital Forensics 2023.
Journal: IFIP Advances in Information and Communication Technology,
Published: 2023
Primary Author: Chris Chao-Chun Cheng
Secondary Authors: Li Lin, Chen Shi, Yong Guan
Research Area: Digital
Related Resources
Forensic Analysis of Android Cloud SDKs
This presentation is from the 76th Annual Conference of the American Academy of Forensic Sciences (AAFS), Denver, Colorado, February 19-24, 2024.
The Impact of Multi-Camera Smart Phones on Source Camera Identification
An investigator has a questioned image from an unknown source and wants to determine whether it came from a camera on a person of interest’s smartphone. This scenario is referred…
Likelihood ratios for changepoints in categorical event data with applications in digital forensics
We investigate likelihood ratio models motivated by digital forensics problems involving time-stamped user-generated event data from a device or account. Of specific interest are scenarios where the data may have…
Producing Datasets: Capturing Images on Multi-Camera Smartphones for Source Camera Identification
This poster introduces the new CSAFE Multi-camera Smartphone Image Database and describes how the images were collected and reviewed.