Awesome
conbeerlib
conbeerlib is an Android library for detecting if an app is running inside a virtual container.
This is based on the work done by me and Gautam, presented at Android Security Symposium 2020 - slides.
This repo contains conbeerlib and a wrapper application, conware, which we used for our research.
Checks
Currently following checks are implemented:
- Permissions in Manifest - There can be a mismatch between the permissions granted and originally requested by an application.
- Process Memory - Check /proc/self/maps for presence of artifacts not belonging to the app's expected filepath.
- Storage Dir - The assigned storage path for an app inside virtual container is different, as compared to when installed directly on Android device.
- Environment Variables - Virtual containers set various environment variables.
- Running App Services - There can be other services running than what started by an application.
- App Components - Enable app components dynamically may not always work in virtual containers.
Usage
ConBeer cb = new ConBeer(context, appServiceNames);
if (cb.isContainer()) {
// container is present
}else{
// container not present
}
Add following code in onResume()
method of your application. This code is responsible for dynamically enabling a dummy app component, which is used for testing presence of virtual containers. The component is defined in conbeerlib's manifest file.
ComponentName componentName = new ComponentName(this.getApplicationContext(), FakeBroadcastReceiver.class);
this.getPackageManager().setComponentEnabledSetting(componentName,
PackageManager.COMPONENT_ENABLED_STATE_ENABLED,
PackageManager.DONT_KILL_APP);
Limitations
This library is tested only with a limited number of virtual containers and may not be able to detect all them currently. Also, given the madness of Android device diversity, there is a good chance of false positives.
Please feel free to open an issue when you encounter such problems.
References
- ANTI-PLUGIN: DON’T LET YOUR APP PLAY AS AN ANDROID PLUGIN
- Android Plugin Becomes a Catastrophe to Android Ecosystem
- Parallel Space Traveling: A Security Analysis of App-LevelVirtualization in Android
License
This project is released under the MIT License.