Java Support

angr also supports symbolically executing Java code and Android apps! This also includes Android apps using a combination of compiled Java and native (C/C++) code.

Warning

Java support is experimental! Contribution from the community is highly encouraged! Pull requests are very welcomed!

We implemented Java support by lifting the compiled Java code, both Java and DEX bytecode, leveraging our Soot Python wrapper: pysoot. pysoot extracts a fully serializable interface from Android apps and Java code (unfortunately, as of now, it only works on Linux). For every class of the generated IR (for instance, SootMethod), you can nicely print its instructions (in a format similar to Soot shimple) using print() or str().

Note

Windows and macOS support is available on a branch. It should pass all tests and generally work well, but due to issues integrating JPype into CI infrastructure, it has not yet been merged.

We then leverage the generated IR in a new angr engine able to run code in Soot IR: angr/engines/soot/engine.py. This engine is also able to automatically switch to executing native code if the Java code calls any native method using the JNI interface.

Together with the symbolic execution, we also implemented some basic static analysis, specifically a basic CFG reconstruction analysis. Moreover, we added support for string constraint solving, modifying claripy and using the CVC4 solver.

How to install

Java support requires the pysoot package, which is not included in the default angr installation. You can install it from GitHub using pip:

Alternatively, pysoot can be installed with the setup script in angr-dev:

Analyzing Android apps.

Analyzing Android apps (.APK files, containing Java code compiled to the DEX format) requires the Android SDK. Typically, it is installed in <HOME>/Android/SDK/platforms/platform-XX/android.jar, where XX is the Android SDK version used by the app you want to analyze (you may want to install all the platforms required by the Android apps you want to analyze).

Examples

There are multiple examples available: