Abstract:
The purpose of this thesis is to design a software library able to analyze and monitor the different types of data that an Android device makes available (system calls and their sequences, sensor data such as accelerometer and gyroscope readings, configurable device settings, etc.) and, through these, to identify anomalies that can be indicators of security problems or of the presence of a possible debugger. To implement all of the above I had to design and build an architecture consisting of an Android library, which has to be imported into the application to be traced in order to extract data, and a web server, which receives and analyzes the data from the Android application; if it finds any suspect sequence or anomaly, an administrator decides, through an intermediary interface, which operation to take, such as stopping the network communication of that device because it is considered compromised, or placing that device in a warning-level list. From this information, a model was created consisting of all possible combinations that identify the normal, or rather ideal, behavior of an Android application; this model is then used to compare each future execution against it. The information collected in the model during the training phase is extremely useful for detecting whether an external actor is trying to debug, tamper with or violate the application, since such attempts would alter its normal behavior, execution speed, etc.
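The training-then-compare loop the abstract describes, written out as an added example that is not the thesis's own code: a server-side model is built from system-call traces and run timings gathered during a training phase, and each later execution is scored against it. Everything here is constructed for illustration: the trace format, the syscall names, the timings, the thresholds and the `recommend_action` helper (which only models the input an administrator would act on; the thesis leaves the final decision to a person). Python stands in for the web-server side, whose language the abstract does not state.

```python
"""Added example (not from the thesis): n-gram model of normal syscall
sequences plus a timing baseline, used to flag anomalous later runs.
All data below is constructed for illustration."""
from typing import Dict, List, Sequence, Set, Tuple

# Constructed training traces: each is the ordered list of system calls one
# instance of the application issued during a training run.
TRAINING_TRACES: List[List[str]] = [
    ["openat", "read", "read", "close", "socket", "connect", "sendto", "recvfrom", "close"],
    ["openat", "read", "close", "socket", "connect", "sendto", "recvfrom", "close"],
    ["openat", "read", "read", "read", "close", "socket", "connect", "sendto", "recvfrom", "close"],
]

# Constructed training timings (milliseconds) of a fixed reference workload,
# used to model the application's normal execution speed.
TRAINING_TIMINGS_MS: List[float] = [102.0, 98.5, 105.2, 99.8, 101.1]

# Constructed later runs: one that looks normal, one with an unexpected call
# spliced into the sequence (the kind of deviation a debugger would cause).
NORMAL_RUN = ["openat", "read", "close", "socket", "connect", "sendto", "recvfrom", "close"]
SUSPECT_RUN = ["openat", "read", "close", "ptrace", "socket", "connect", "sendto", "recvfrom", "close"]


def ngrams(trace: Sequence[str], n: int) -> List[Tuple[str, ...]]:
    """Sliding-window n-grams of a syscall trace (the 'combinations' in the model)."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def build_model(traces: List[List[str]], timings: List[float], n: int = 3) -> Dict:
    """Training phase: collect every n-gram seen in normal runs and the
    mean / sample standard deviation of normal execution time."""
    known: Set[Tuple[str, ...]] = set()
    for trace in traces:
        known.update(ngrams(trace, n))
    mean = sum(timings) / len(timings)
    var = sum((x - mean) ** 2 for x in timings) / (len(timings) - 1)
    return {"n": n, "ngrams": known, "mean_ms": mean, "std_ms": var ** 0.5}


def score_trace(model: Dict, trace: Sequence[str]) -> float:
    """Fraction of the run's n-grams that never occurred during training."""
    grams = ngrams(trace, model["n"])
    if not grams:
        return 0.0
    unseen = [g for g in grams if g not in model["ngrams"]]
    return len(unseen) / len(grams)


def timing_zscore(model: Dict, elapsed_ms: float) -> float:
    """How many standard deviations the run's duration is from the baseline."""
    if model["std_ms"] == 0.0:  # degenerate baseline: identical training timings
        return 0.0 if elapsed_ms == model["mean_ms"] else float("inf")
    return (elapsed_ms - model["mean_ms"]) / model["std_ms"]


def recommend_action(model: Dict, trace: Sequence[str], elapsed_ms: float,
                     seq_threshold: float = 0.2, z_threshold: float = 3.0) -> Tuple[str, List[str]]:
    """Hypothetical helper: turn findings into 'ok', 'warn' or 'block' for the
    administrator's interface. Both signals firing suggests the device is
    compromised; one alone only puts it on the warning list."""
    findings: List[str] = []
    unseen_fraction = score_trace(model, trace)
    z = timing_zscore(model, elapsed_ms)
    if unseen_fraction > seq_threshold:
        findings.append(f"unseen syscall sequences: {unseen_fraction:.0%}")
    if abs(z) > z_threshold:
        findings.append(f"execution time z-score: {z:.1f}")
    if len(findings) == 2:
        return "block", findings
    if findings:
        return "warn", findings
    return "ok", findings


if __name__ == "__main__":
    model = build_model(TRAINING_TRACES, TRAINING_TIMINGS_MS)
    for label, run, ms in (("normal", NORMAL_RUN, 100.0), ("suspect", SUSPECT_RUN, 450.0)):
        action, why = recommend_action(model, run, ms)
        print(f"{label}: {action} {why}")
```

With the constructed data the normal run is rated `ok`, while the suspect run is rated `block` because three of its seven trigrams were never seen in training and it ran far slower than the baseline. The thresholds are deliberately simple; in practice they would be tuned per application on a held-out set of normal runs so that legitimate variation does not land devices on the warning list.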