Finder: Automatic ICC Data Reconstruction for Long-Term Runtime Semantics

In Android, both system services and apps are composed of components, and the inter-component communication (ICC) is therefore vital for representing the system states of the past runtime. Conventional approaches focus on inspecting the program behaviors of apps in the laboratory environment, but not suitable for a long-time period, system-wide activities. Analysts consider that ICC preserves much runtime semantics, so we propose Finder, an automatic ICC data reconstruction system to provide a long-term and comprehensive view of the past runtime. We decouple the program analysis on ICC from runtime monitoring thereby decreasing the runtime overhead. Finder applies transpiling techniques to generate the data resolvers compatible with all off-the-shelf Android version. The generated data resolvers can reconstruct a high-level, system-wide runtime information, and therefore the result is useful for digital forensic, program analysis, and auditing.