I'm trying to detect when a specific field in an Android application is accessed or modified. I'm using Java and the Xposed Framework.
Specifically, I want to log when this field is read or written Can anyone suggest an effective approach to accomplish this? I'm particularly interested in solutions using Xposed hooks or Java reflection techniques.
Thank you very much!
Xposed bases on method hooks, but fields can be accessed by DEX code directly by iget* iput* sget* sput* DEX commands. But Xposed isn't able to hook DEX commands, only methods.
Therefore the only way I see is performing a static analysis of the Android app, search for all methods that make read/write operations on a field and collect the methods they are used in. This way you would get at least all field access from within Java code. Access from .so files via JNI wouldn't be covered this way.
Those methods you can hook in Xposed, of course if the methods contains conditional branches you can not know if or if not the field is accessed.
The only alternative would be to decompile the APK to e.g. SAMLI code and then modify every field access by adding additional code that e.g. logs the field access in a way you want.
For JNI access to fields you may use Frida to hook the JNI methods used to access the fields.