ARTist - A Novel Instrumentation Framework for Reversing and Analyzing Android Apps and the Middleware

Conference:  BlackHat USA 2018



The presentation discusses the benefits of using the open-source Android Runtime Instrumentation for Security and Testing (ARTist) framework for automated releases and testing of Android applications.
  • ARTist provides easy deployment, clarity for instrumentation, and is non-invasive
  • ARTist can be used to inject code into arbitrary processes, allowing for complete control over the application
  • ARTist can be used for personal process systems and method tracing
  • ARTist can replace the system compiler and run a system server
The presenter demonstrated how ARTist can be used to inject code into the Reddit application, allowing for complete control over the app and access to sensitive information such as user data and ad information.


The Android Runtime (ART), even though introduced in Android 5 already, has not received much attention in the security community. However, its on-device compiler dex2oat, which mostly deprecated the Dalvik VM, leaves a gap by rendering well-known tools such as TaintDroid and its descendants inapplicable. But it also provides new opportunities for security researchers. On top of dex2oat, we created ARTist, the Android instrumentation and security toolkit, a novel instrumentation framework that allows for arbitrary code modification of installed apps, the system server and the Java framework code.

Similar to existing approaches, such as Frida and Xposed, ARTist can be used for app analysis and reversing (recording traffic, modifying files and databases), as well as for modding and customization. However, it occupies a sweet spot in the design space of instrumentation tools: it does not break the app signature, so modified applications still receive updates without compromising on security; it can be deployed on rooted stock devices beginning from Android 6; and it allows for instrumentation at the instruction level. We provide developers with a module SDK to get started with writing their own instrumentation routines right away. Since no complicated system of hooks or a second runtime is required, it is highly efficient and integrates neatly with the compiler's optimization framework.

We created a range of interesting modules that showcase different use cases, from the large-scale instrumentation of every single method in the system server (25k methods) to simple, on-point injections in third-party apps and even full compartmentalization of advertisement libraries. Our tool is open sourced at https://github.com/Project-ARTist and https://artist.cispa.saarland. ARTist is still in its early stages, so we hope to collect a lot of feedback and create an active community.


