AQL
The Android App Analysis Query Language (AQL) consists of two main parts, namely AQL-Queries and AQL-Answers. AQL-Queries enable us to ask for Android-specific analysis subjects in a general, tool-independent way. The grammar defining AQL-Queries can be found here.
Example 1: AQL-Queries
The following example query can be used to get all Flows (e.g. taint flows) inside one app:
Flows IN App('/path/to/example.apk') ?
It is also possible to ask more specifically (or to filter the result):
Flows FROM
Statement('getDeviceId()')
->Method('onCreate(...)')
->Class('MainActivity')
->App('/path/to/example1.apk')
TO
Statement('sendTextMessage(...)')
->Method('onCreate(...)')
->Class('MainActivity')
->App('/path/to/example2.apk')
?
Different operators are available to merge and further filter queries as well as methods to match intents and intent-filters.
More information about AQL-Queries can be found here.
Similarly, AQL-Answers are used to represent analysis results in a standardized form.
The syntax of AQL-Answers is defined via an XML schema definition (XSD).
Example 2: AQL-Answers
An AQL-Answer to the query from above could be (shortened):
<answer>
  <flows>
    <flow>
      <reference type="from">
        <statement>... getDeviceId() ...</statement>
        <method>... onCreate(...) ...</method>
        <classname>... MainActivity</classname>
        <app>
          <file>.../DirectLeak1.apk</file>
          <hashes>...</hashes>
        </app>
      </reference>
      <reference type="to">
        ...
        sendTextMessage(...)
        ...
      </reference>
    </flow>
  </flows>
</answer>
It shows a taint flow from a getDeviceId() statement to a sendTextMessage(...) statement.
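As an added example (not part of the AQL-System or its documentation), the following Python code reads an AQL-Answer in the shortened shape of Example 2 and lists each flow's source and sink, marking flows whose endpoints lie in different apps. It assumes the element names exactly as shown above and no XML namespace; the sample answer, including its filled-in "to" reference, is constructed, and the helper names are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import namedtuple

Reference = namedtuple("Reference", "statement method classname app")

# Constructed sample in the shortened shape of Example 2. The "to" reference
# and the incomplete second flow are made up for this example.
SAMPLE_ANSWER = """<answer><flows>
  <flow>
    <reference type="from">
      <statement>getDeviceId()</statement><method>onCreate(...)</method>
      <classname>MainActivity</classname><app><file>/path/to/example1.apk</file></app>
    </reference>
    <reference type="to">
      <statement>sendTextMessage(...)</statement><method>onCreate(...)</method>
      <classname>MainActivity</classname><app><file>/path/to/example2.apk</file></app>
    </reference>
  </flow>
  <flow>
    <reference type="from"><statement>getDeviceId()</statement></reference>
  </flow>
</flows></answer>"""

def _reference(flow, kind):
    """Return the <reference type=kind> of a flow, or None if it is absent."""
    ref = flow.find(f"reference[@type='{kind}']")
    if ref is None:
        return None
    text = lambda path: (ref.findtext(path) or "").strip()
    return Reference(text("statement"), text("method"), text("classname"), text("app/file"))

def parse_flows(answer_xml):
    """Return (source, sink, inter_app) for every flow with both endpoints."""
    flows = []
    for flow in ET.fromstring(answer_xml).iterfind("flows/flow"):
        src, dst = _reference(flow, "from"), _reference(flow, "to")
        if src is None or dst is None:
            continue  # incomplete flow: skip rather than guess an endpoint
        flows.append((src, dst, src.app != dst.app))
    return flows

if __name__ == "__main__":
    for src, dst, inter_app in parse_flows(SAMPLE_ANSWER):
        kind = "inter-app" if inter_app else "intra-app"
        print(f"{kind}: {src.statement} in {src.app} -> {dst.statement} in {dst.app}")
```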
AQL-System
The associated AQL-System takes AQL-Queries as input and outputs AQL-Answers.
To do so, it requires a configuration in the form of an .xml file that describes
- which tools are available in a certain instance of the AQL-System and how to execute them,
- which queries can be answered by which tool and
- how to convert a tool’s result into an AQL-Answer.
Example 3
For instance, an AQL-System can be configured to execute FlowDroid in case of intra-app flow questions and IccTA in case of inter-app questions, since FlowDroid does not support such questions. Considering the example from above, the AQL-System recognizes that FlowDroid is available and able to answer the query regarding flows inside one app only. Consequently, FlowDroid is launched and its result is converted into an AQL-Answer.
Usage
Our wiki contains tutorials on how to use/extend the AQL-System: here
(Along with version 2.0.0, we added video tutorials.)
Execution
One tutorial deals with a simple run-through. It guides the user through installing, configuring and executing an AQL-System that is set up to use Amandroid. In general, the AQL-System can be started with the following command (Launch parameters):
java -jar AQL-System-2.0.0.jar
Development
Library
The AQL-System or only its internal data structure (AQL-Lib) can be used by or in other tools. We offer two options for integration:
- Maven
<dependency>
<groupId>de.foellix</groupId>
<artifactId>AQL-System</artifactId>
<version>2.0.0</version>
</dependency>
- .jar Import
All releases can be found here.
Building from source code (Terminal)
- Clone repository
- Navigate to repository
cd AQL-System
- Use Maven to build:
mvn
- Build is stored inside the project’s directory:
AQL-System/target/build
- Run the build (Launch parameters):
cd AQL-System/target/build
java -jar AQL-System-2.0.0.jar
Building from source code (Eclipse)
- Import Maven project to Eclipse
- Build pom.xml as Maven project
- Build is stored inside the project’s directory:
projectDirectory/target/build
- Run
de.foellix.aql.ui.cli.CommandLineInterface
as Java Application (Launch parameters)
Publications
- Do Android Taint Analysis Tools Keep Their Promises? (Felix Pauck, Eric Bodden, Heike Wehrheim)
ESEC/FSE 2018 https://dl.acm.org/citation.cfm?id=3236029
- Together Strong: Cooperative Android App Analysis (Felix Pauck, Heike Wehrheim)
ESEC/FSE 2019 https://dl.acm.org/citation.cfm?id=3338915
- TaintBench: Automatic real-world malware benchmarking of Android taint analyses (Linghui Luo, Felix Pauck, …)
EMSE 2022 https://link.springer.com/article/10.1007%2Fs10664-021-10013-5
License
The AQL-System is licensed under the GNU General Public License v3 (see LICENSE).
Contact
Felix Pauck (FoelliX)
Paderborn University
fpauck@mail.uni-paderborn.de
http://www.FelixPauck.de
Links
- The AQL-System is part of BREW: https://github.com/FoelliX/BREW
- which is used in the ReproDroid toolchain: https://github.com/FoelliX/ReproDroid
- and in the CoDiDroid framework: https://github.com/FoelliX/CoDiDroid