ARTist: The Android Runtime Instrumentation and Security Toolkit

With the introduction of Android 5 Lollipop, the Android Runtime (ART) superseded the Dalvik Virtual Machine (DVM) by introducing ahead-of-time compilation and native execution of applications, effectively deprecating seminal works such as TaintDroid that hitherto depend on the DVM. In this paper, we discuss alternatives to overcome those restrictions and highlight advantages for the security community that can be derived from ART's novel on-device compiler dex2oat and its accompanying runtime components. To this end, we introduce ARTist, a compiler-based application instrumentation solution for Android that does not depend on operating system modifications and solely operates on the application layer. Since dex2oat is yet uncharted, our approach required first and foremost a thorough study of the compiler suite's internals and in particular of the new default compiler backend called Optimizing. We document the results of this study in this paper to facilitate independent research on this topic and exemplify the viability of ARTist by realizing two use cases. In particular, we conduct a case study on whether taint tracking can be re-instantiated using a compiler-based app instrumentation framework. Overall, our results provide compelling arguments for the community to choose compiler-based approaches over alternative bytecode or binary rewriting approaches for security solutions on Android.