App-Ray combines bleeding-edge static and dynamic analysis techniques developed by Fraunhofer AISEC research. It operates on Android bytecode and does not require the source code of an application. Users can choose whether they want to manually interact with the application in the test environment or whether the analysis should run fully automatically and unassisted.
Meta Data Analysis
In a first preparatory step, an app's meta data is assessed, revealing information about the application's permissions, components, and structure. Information gathered in this step sets the scope for the following static analysis.
Static analysis investigates the bytecode and structure of an application without executing it. App-Ray features highly efficient bidirectional data flow tracing, revealing unwanted data flows that can violate security and privacy requirements. Threats to data integrity and secrecy such as SQL injections or unprotected Intents will be identified in this step.
Plain Dynamic Analysis
During plain dynamic analysis, the original app is executed in a test environment and its behavior is analyzed. Screenshots are taken, network traffic is recorded, and a full trace of syscalls and accessed files is created. Private information sent out to advertisement and user profiling platforms is identified. Users can choose whether they wish to interact with the app or whether the analysis runs fully automatically.
Instrumentation makes slight modifications to the app in order to extract specific information from it in a hybrid static/dynamic analysis. Guided by potential findings from the static analysis step, specific versions of the app are crafted which automatically jump to relevant parts and provide meaningful information when executed.
Guided by knowledge gained from static analysis and modifications injected by instrumentation, App-Ray's hybrid analysis engine investigates the app's runtime behavior under specific security-relevant conditions and ensures that critical parts of the app are executed and observed. Tracing of individual function calls and register values allows deep insights into the app's behavior. The hybrid engine attempts to provoke execution of vulnerable code fragments and records encrypted traffic in plaintext, allowing inspection for private information.
App-Ray presents its most relevant findings in a clearly structured overview. A drill-down into detailed analysis results and raw data of the analysis is possible. All analysis results are stored in App-Ray and can be retrieved at a later time. In addition, a signed report document can be downloaded.