Haly is a framework that can automatically detect the usage of hardening techniques (RASP) in Android and iOS apps using static and dynamic analysis.

utwente-scs/haly-hardening-analyzer

Haly: Hardening Analyzer

Haly is a framework that can automatically detect the usage of hardening techniques (RASP) in Android and iOS apps using static and dynamic analysis. It was developed as part of a master's thesis at the University of Twente and a research paper at IEEE EuroS&P 2025 (preprint available here: https://download.vusec.net/papers/haly_eurosp25.pdf).

If you use this work in whole or in part for academic purposes, please cite:

Steinböck, M., Troost, J., van Beijnum, W., Seredynski, J., Bos, H., Lindorfer, M., & Continella, A. SoK: Hardening Techniques in the Mobile Ecosystem—Are We There Yet?, Proceedings of the IEEE European Symposium on Security and Privacy (EuroS&P), 2025.

Beijnum, A. C. W. Haly: Automated evaluation of hardening techniques in Android and iOS apps. MS thesis. University of Twente, 2023.

Implemented checks

A detailed overview of the checks we implemented to detect hardening techniques can be found in CHECKS.md.

We implement checks for the following hardening techniques:

Hardening Technique Android iOS
Anti-tampering
Hooking detection
Debug detection
Emulation detection
Root/Jailbreak detection
Keylogger Protection
Screenreader Protection
Secure connections

Dataset

The dataset we used in the paper can be found here: cross-platform app dataset. The dataset that was used in the initial thesis can be found in DATASET_THESIS.md.

Results

The results of our analysis can be found in the Releases.

Installation

Prerequisites

You will need the following packages to run the analyzer:

Furthermore, the following packages are needed for tools the analyzer uses:

You should be able to install all these tools using the following commands on Ubuntu:

sudo apt install python3 python3-venv python3-pip default-jre libre2-dev codesearch adb wireshark tshark pcapfix pkg-config g++

git clone https://github.com/radareorg/radare2
cd radare2 ; sys/install.sh

If you want to make changes to the Frida TypeScript code, you will also need NodeJS and npm. To have multiple NodeJS versions installed simultaneously, consider using fnm. We tested our code with NodeJS version 22.16.0 and npm version 10.9.2.

Install dependencies

To install all dependencies run

pip install -r requirements.txt

or using poetry

poetry install

Note: we encountered some issues when running tcpdump within a virtual environment, so we recommend not using a venv, if possible.

If you want to make changes to the Frida TypeScript code, you will also need to install the npm dependencies:

npm install

Usage

Run the analyzer

View the help menu of the analyzer to see all available options:

python3 main.py --help

Usage: main.py [OPTIONS] COMMAND [ARGS]...

Options:
  -c, --config PATH          YAML config file to use  [required]
  -m, --multithread INTEGER  Number of threads to use for analysis
  -f, --force                Force analysis of apps, even if a step has
                             already been completed
  -t, --thread TEXT          Thread number and total threads e.g. (1/4), takes
                             a certain subset of the apps to analyze
  -r2, --r2-server TEXT      Address of the radare2 server to use (use "local"
                             or a ssh host)
  -a, --android              Only analyze Android apps
  -i, --ios                  Only analyze iOS apps
  -d, --dev TEXT             Device serial for ADB or UDID for iOS
  --help                     Show this message and exit.

Commands:
  download  Download apps
  dynamic   Run dynamic analysis
  prepare   Prepare apps for analysis by decompiling them and indexing...
  report    Show HTML report
  run       Run full pipeline by downloading apps, and running static and...
  static    Run static analysis

To run the analyzer, you will need to provide a config file. For this, you can copy config.example.yaml and adjust the options to your needs. Please refer to the comments in the config file for more information on the options.

The analyzer has the following workflow:

  1. Download: Download apk files or ipa files of the apps listed in the configuration file from the Play Store or the App Store.
  2. Prepare: Decompile the apk files or extract and decrypt the ipa files, and index these files using codesearch.
  3. Static analysis: Run static analysis tools on the decompiled code to find hardening techniques.
  4. Dynamic analysis: Run dynamic analysis tools on the apps using Frida to find hardening techniques.
  5. Report: Start a webserver with an HTML report of the results.
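
The workflow above can also be driven one stage at a time. The following wrapper is an added example, not part of the Haly repository: it uses only the options and commands shown in the help output, and assumes a config file named config.yaml (your copy of config.example.yaml) and that --thread takes the "1/4" form from the help text. The names haly_cmd, run_pipeline, HALY_PY, HALY_MAIN, HALY_CONFIG and DRY_RUN are hypothetical.

```shell
# Added example, not part of the Haly repository: build and run the documented
# stages one at a time. Only options and commands from the --help output are used.
HALY_PY="${HALY_PY:-python3}"
HALY_MAIN="${HALY_MAIN:-main.py}"
HALY_CONFIG="${HALY_CONFIG:-config.yaml}"  # assumed name of your copy of config.example.yaml

# Print the command line for one stage: haly_cmd STAGE [android|ios] [SHARD]
# Global options must come before the subcommand (main.py [OPTIONS] COMMAND).
haly_cmd() {
  stage="$1"; platform="${2:-}"; shard="${3:-}"
  case "$stage" in
    download|prepare|static|dynamic|report|run) ;;
    *) echo "unknown stage: $stage" >&2; return 2 ;;
  esac
  cmd="$HALY_PY $HALY_MAIN -c $HALY_CONFIG"
  case "$platform" in
    android) cmd="$cmd --android" ;;
    ios)     cmd="$cmd --ios" ;;
    "")      ;;
    *) echo "unknown platform: $platform" >&2; return 2 ;;
  esac
  # Assumption: --thread takes the "1/4" form shown in the help text.
  if [ -n "$shard" ]; then cmd="$cmd -t $shard"; fi
  echo "$cmd $stage"
}

# Run download -> prepare -> static -> dynamic in order, stopping at the first
# failing stage. With DRY_RUN=1 the commands are printed instead of executed.
# Paths containing spaces are not supported by this simple word-split invocation.
run_pipeline() {
  for stage in download prepare static dynamic; do
    cmd="$(haly_cmd "$stage" "${1:-}" "${2:-}")" || return 2
    if [ "${DRY_RUN:-0}" = "1" ]; then
      echo "$cmd"
    elif ! $cmd; then
      echo "stage '$stage' failed; later stages skipped" >&2
      return 1
    fi
  done
}
```

Source the file and call, for example, `DRY_RUN=1 run_pipeline android 1/4` to preview the four commands before running them for real.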

Recompile the Frida TypeScript code after making changes

npm run build

Credits

This project contains tools from the following projects:

Furthermore, inspiration was taken from:
