The number of mobile applications is rising and Android still holds a large market share.
As the number of applications grows, we need better tools to understand how applications work and to analyze them. There is always the question if we can trust mobile applications to do only what they are allowed to do and if they are really secure when transmitting our personal information to different servers. In the presentation some runtime techniques will be discussed and a tool will be released that offers two approaches to analyze Android applications. The basic principle of the first approach is injecting a small piece of code into APK and then connecting to it and using Java Reflection to runtime modify value, call methods, instantiate classes and create own scripts to automate work. The second approach offers much the same functionality, but can be used without modifying an application. It uses Dynamic Dalvik Instrumentation to inject code at runtime so that modifying APK's isn't necessary. The tool is Java based and simple to use, but offers quite a few new possibilities for security engineers and pentesters.