PScout mapping result to Smali syntax

Dear readers

Today I will be sharing with you a Python script I have written that converts PScout’s Android permission mapping into Smali’s method syntax. I have also changed the output to follow Axplorer‘s Android permission mapping results in ascending order, as I find it more efficient to search for an API first and then map it to its required permission.

While PScout, Axplorer, Arcade and Stowaway are commonly used by Android developers to work out which permissions they need, they are useful for Android security researchers too. When injecting a payload during the repackaging of an Android app, the payload is written in Smali (the assembly-like form of Dalvik bytecode), and the syntax of method references in Smali differs from Java’s. A script is therefore needed to convert PScout’s existing mapping into Smali’s syntax.

You may obtain PScout’s Android permission mapping results here.

Things to consider

1. Not requiring the method’s return type
Usually, when we map an API/method, we do not need to care whether the return type matches. Java does not allow two methods of the same class to differ only by return type (overloading is decided by the number and types of the parameters), so the class name, method name and parameter types are enough to identify the method. As long as those match, we have found the method we need and can read off its required permission. One caveat: the method descriptor inside a Smali invoke-* instruction does include the return type (for example ->clear()V), so strip it from the instruction before looking the method up in the mapping.

We format into this:
Landroid/app/WallpaperManager;->clear() :: android.permission.SET_WALLPAPER

Instead of with the void return type:
Landroid/app/WallpaperManager;->clear()V :: android.permission.SET_WALLPAPER

2. No commas between parameters; object types end with a semi-colon
Smali writes the parameters back to back with no comma separators. Every object (class) type is terminated by a semi-colon, so a parameter list that ends with an object type ends with “;”, while a method without parameters is written as an empty pair of brackets.

Example with empty parameter:
Landroid/net/SSLCertificateSocketFactory;->createSocket()
Example with semi-colons:
Landroid/provider/Browser;->addSearchUrl(Landroid/content/ContentResolver;Ljava/lang/String;)

3. Change of primitive types’ syntax
Java’s primitive type names are replaced by single-letter descriptors in Smali. For example, boolean = Z, int = I, long = J, etc. The full list can be found here on lines 18 and 19, or in Figure 1 below. Note that a primitive descriptor is never followed by “;”, even when the letter is immediately followed by another parameter.

Example with integer parameters (I) in this API-permission mapping (the permission is as PScout reports it):
Landroid/net/SSLCertificateSocketFactory;->createSocket(Ljava/net/InetAddress;ILjava/net/InetAddress;I) :: android.permission.RECEIVE_BOOT_COMPLETED

Figure 1: Primitive types in Java vs in Smali (Credit: themasterofmagik)

4. Change of array syntax
Instead of the usual String[], Smali writes [Ljava/lang/String; with one leading “[” per array dimension, and the element type still keeps its “L” prefix and “;” terminator. You can see more explanation here. Multi-dimensional arrays have more “[“s. Example: [[Ljava/lang/String; for String[][]. Arrays of primitives follow the same pattern, so int[] becomes [I.

5. “L” at the start of all class names
If you have been studying Smali or doing repackaging of Android apps, you will probably be familiar with all class names starting with “L” and ending with “;”. Example: Ljava/lang/String;. Inner classes keep the “$” separator, as in Landroid/net/wifi/WifiManager$MulticastLock;.

6. Remember to replace all dots with forward slashes
Java separates package components with dots (.) while Smali uses forward slashes (/), so android.net.wifi.WifiManager becomes Landroid/net/wifi/WifiManager;. Only the class path changes: the permission name on the right-hand side of the mapping (for example android.permission.CHANGE_WIFI_STATE) keeps its dots.
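As an added worked example (not the author’s pastebin script), here is a small Python converter that applies all six rules above and also performs the reverse lookup: taking an invoke-* instruction from a decompiled app, stripping its return type, and finding the permission. It assumes the PScout dump lists Soot-style `<class: returntype name(params)>` signature lines grouped under `Permission:` headers; that layout, the regular expressions and the sample input are assumptions constructed for this example, not copied from a real PScout file, so adjust the parser if your dump differs.

```python
import re

# Java primitive type name -> Dalvik/Smali type descriptor (item 3).
PRIMITIVES = {
    "void": "V", "boolean": "Z", "byte": "B", "short": "S", "char": "C",
    "int": "I", "long": "J", "float": "F", "double": "D",
}

# Assumed PScout line layout (Soot-style signature): <class: rettype name(p1,p2)>
SOOT_SIG = re.compile(
    r"<(?P<cls>[^:\s]+):\s+(?P<ret>\S+)\s+(?P<name>[^(\s]+)\((?P<params>[^)]*)\)>"
)

# Method reference inside a Smali invoke-* instruction, return type excluded (item 1).
INVOKE_REF = re.compile(r"(L[^;]+;->[^(\s]+\([^)]*\))")


def java_type_to_smali(jtype):
    """'int' -> 'I', 'java.lang.String[]' -> '[Ljava/lang/String;', 'a.b.Outer$In' -> 'La/b/Outer$In;'."""
    jtype = jtype.strip()
    dims = 0
    while jtype.endswith("[]"):      # item 4: one leading '[' per array dimension
        jtype = jtype[:-2]
        dims += 1
    if jtype in PRIMITIVES:
        desc = PRIMITIVES[jtype]     # item 3: primitives get no ';'
    else:
        # items 5 and 6: 'L' prefix, dots to slashes, ';' terminator; '$' of inner classes is kept
        desc = "L" + jtype.replace(".", "/") + ";"
    return "[" * dims + desc


def method_to_smali(class_name, method_name, param_types):
    """Build the lookup key: return type dropped (item 1), parameters concatenated without commas (item 2)."""
    params = "".join(java_type_to_smali(p) for p in param_types)
    return "L" + class_name.replace(".", "/") + ";->" + method_name + "(" + params + ")"


def convert_pscout(text):
    """Parse a PScout-style dump into {smali_method_key: set(permissions)}."""
    mapping = {}
    permission = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Permission:"):
            permission = line[len("Permission:"):].strip()   # permission names keep their dots
            continue
        m = SOOT_SIG.search(line)
        if m is None or permission is None:
            continue
        params = [p for p in m.group("params").split(",") if p.strip()]
        key = method_to_smali(m.group("cls"), m.group("name"), params)
        mapping.setdefault(key, set()).add(permission)
    return mapping


def to_lines(mapping):
    """Render as 'key :: permission' lines in ascending order, like the output shown in this post."""
    return sorted(f"{key} :: {perm}" for key, perms in mapping.items() for perm in perms)


def permissions_for_invoke(smali_line, mapping):
    """Given an invoke-* instruction from a decompiled app, return the permissions the mapping lists for it."""
    m = INVOKE_REF.search(smali_line)
    return sorted(mapping.get(m.group(1), set())) if m else []


# Constructed sample input in the assumed PScout layout (not real PScout output).
SAMPLE_PSCOUT = """\
Permission:android.permission.CHANGE_WIFI_STATE
3 Callers:
<android.net.wifi.WifiManager: boolean enableNetwork(int,boolean)> (1)
<android.net.wifi.WifiManager: int addNetwork(android.net.wifi.WifiConfiguration)> (1)
<android.net.wifi.WifiManager: boolean setWifiEnabled(boolean)> (1)
Permission:android.permission.ACCESS_WIFI_STATE
1 Callers:
<android.net.wifi.WifiManager: java.util.List getConfiguredNetworks()> (1)
Permission:android.permission.RECEIVE_BOOT_COMPLETED
1 Callers:
<android.net.SSLCertificateSocketFactory: java.net.Socket createSocket(java.net.InetAddress,int,java.net.InetAddress,int)> (1)
"""

if __name__ == "__main__":
    mapping = convert_pscout(SAMPLE_PSCOUT)
    for line in to_lines(mapping):
        print(line)
    # Constructed Smali instruction as it would appear in a repackaged app's .smali file
    instr = "invoke-virtual {v0, v1, v2}, Landroid/net/wifi/WifiManager;->enableNetwork(IZ)Z"
    print(permissions_for_invoke(instr, mapping))
```

The lookup key deliberately stops at the closing bracket of the parameter list, so the same key matches an invoke-* instruction regardless of the return type that follows it in the .smali file.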

My script

My script can be found in this pastebin; I have not put it on my GitHub as it is not a major project. Below is some of the output for API 22 after converting PScout’s API22 mapping to Smali syntax with my script.

Landroid/net/SSLCertificateSocketFactory;->getSupportedCipherSuites() :: android.permission.RECEIVE_BOOT_COMPLETED
Landroid/net/wifi/WifiManager$MulticastLock;->acquire() :: android.permission.CHANGE_WIFI_MULTICAST_STATE
Landroid/net/wifi/WifiManager$MulticastLock;->release() :: android.permission.CHANGE_WIFI_MULTICAST_STATE
Landroid/net/wifi/WifiManager$WifiLock;->acquire() :: android.permission.WAKE_LOCK
Landroid/net/wifi/WifiManager$WifiLock;->release() :: android.permission.WAKE_LOCK
Landroid/net/wifi/WifiManager;->addNetwork(Landroid/net/wifi/WifiConfiguration;) :: android.permission.CHANGE_WIFI_STATE
Landroid/net/wifi/WifiManager;->disableNetwork(I) :: android.permission.CHANGE_WIFI_STATE
Landroid/net/wifi/WifiManager;->disconnect() :: android.permission.CHANGE_WIFI_STATE
Landroid/net/wifi/WifiManager;->enableNetwork(IZ) :: android.permission.CHANGE_WIFI_STATE
Landroid/net/wifi/WifiManager;->getConfiguredNetworks() :: android.permission.ACCESS_WIFI_STATE
Landroid/net/wifi/WifiManager;->getConnectionInfo() :: android.permission.ACCESS_WIFI_STATE
Landroid/net/wifi/WifiManager;->getDhcpInfo() :: android.permission.ACCESS_WIFI_STATE
Landroid/net/wifi/WifiManager;->getScanResults() :: android.permission.ACCESS_WIFI_STATE
Landroid/net/wifi/WifiManager;->getWifiState() :: android.permission.ACCESS_WIFI_STATE
Landroid/net/wifi/WifiManager;->isWifiEnabled() :: android.permission.ACCESS_WIFI_STATE
Landroid/net/wifi/WifiManager;->pingSupplicant() :: android.permission.CHANGE_WIFI_STATE
Landroid/net/wifi/WifiManager;->reassociate() :: android.permission.CHANGE_WIFI_STATE
Landroid/net/wifi/WifiManager;->reconnect() :: android.permission.CHANGE_WIFI_STATE
Landroid/net/wifi/WifiManager;->removeNetwork(I) :: android.permission.CHANGE_WIFI_STATE
Landroid/net/wifi/WifiManager;->saveConfiguration() :: android.permission.CHANGE_WIFI_STATE
Landroid/net/wifi/WifiManager;->setWifiEnabled(Z) :: android.permission.CHANGE_WIFI_STATE
Landroid/net/wifi/WifiManager;->startScan() :: android.permission.CHANGE_WIFI_STATE
Landroid/net/wifi/WifiManager;->updateNetwork(Landroid/net/wifi/WifiConfiguration;) :: android.permission.CHANGE_WIFI_STATE

I hope today’s article has been helpful to you. Feel free to leave any comments below. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my boba milk tea addiction. The link is here. 🙂
