RetroSkeleton: Retrofitting Android Apps

Benjamin Davis and Hao Chen

An obvious asset of the Android platform is the tremendous number and variety of available apps. There is a less obvious, but potentially even more important, benefit to the fact that nearly all apps are developed using a common platform. We can leverage the relatively uniform nature of Android apps to allow users to tweak applications for improved security, usability, and functionality with relative ease (compared to desktop applications). We design and implement an Android app rewriting framework for customizing behavior of existing applications without requiring source code or app-specific guidance. Following app-agnostic transformation policies, our system rewrites applications to insert, remove, or modify behavior. The rewritten application can run on any unmodified Android device, without requiring rooting or other custom software. This paper describes RetroSkeleton, our app rewriting framework, including static and dynamic interception of method invocations, and creating policies that integrate with each target app. We show that our system is capable of supporting a variety of useful policies, including providing flexible fine-grained network access control, building HTTPS-Everywhere functionality into apps, implementing automatic app localization, informing users of hidden behavior in apps, and updating apps depending on outdated APIs. We evaluate these policies by rewriting and testing more than one thousand real-world apps from Google Play.