How to set up FANS for Android 10 or later versions?

The README only covers Android 9.0.0_r46, so you'd need to adapt the AOSP source, proprietary binaries, and configuration manually, which may involve trial and error due to changes in system services and build processes.

FANS vs AFL for Android fuzzing?

FANS is specialized for Android native system services with dependency inference, while AFL is a general-purpose fuzzer. FANS provides deeper system-level insights but requires more setup; AFL is easier to deploy but less targeted for service interfaces.

What kind of vulnerabilities has FANS found in practice?

Based on the USENIX Security paper, FANS has uncovered security flaws in Android system services, but specific CVE details aren't listed in the README. It's designed to find memory corruption and logic bugs in native components.

Can FANS fuzz third-party Android services or custom ROMs?

It's primarily built for AOSP native services, so fuzzing third-party services might require modifications to the interface collector and model extractor to handle non-standard implementations.

How long does it take to run FANS from setup to results?

Setup alone can take days due to AOSP compilation (which is time-consuming with many cores), and fuzzing runtime depends on the scope, but the heavy resource requirements mean it's not a quick tool.

Is FANS suitable for mobile security certifications or compliance testing?

It can be useful for deep security assessments, but the complex setup and lack of out-of-the-box reports might not align with standardized certification processes that require faster, more automated tools.

FANS — Android Native Service Fuzzer

What is FANS?

FANS is a fuzzing tool specifically designed for discovering security vulnerabilities in Android native system services. It provides a complete framework with four integrated components that work together to collect service interfaces, extract their models, infer dependencies, and execute targeted fuzzing. The tool helps security researchers identify weaknesses in critical Android components that could be exploited by attackers.

Target Audience

Security researchers, Android system developers, and penetration testers who need to analyze and test the security of Android's native system services. It's particularly valuable for those conducting security assessments of Android devices and custom ROMs.

Value Proposition

FANS offers a specialized, systematic approach to Android system service fuzzing that goes beyond generic fuzzing tools. Its multi-component architecture provides deep insight into service interfaces and their dependencies, enabling more effective vulnerability discovery compared to traditional fuzzing methods.

FANS: Fuzzing Android Native System Services

Use Cases

Best For

Security researchers analyzing Android system service vulnerabilities
Penetration testing of Android devices and custom ROMs
Android system developers validating service interface security
Academic research on Android security and fuzzing techniques
Device manufacturers conducting security assessments
Finding zero-day vulnerabilities in Android native components

Not Ideal For

Teams conducting quick vulnerability scans or penetration testing with tight deadlines
Developers fuzzing userland Android applications or non-native components
Projects targeting the latest Android versions without modification efforts
Organizations lacking in-house expertise in AOSP compilation and system-level debugging

Pros & Cons

Pros

Comprehensive Interface Analysis

Automatically collects and extracts detailed models of Android native system service interfaces, enabling deep structural understanding for effective fuzzing, as highlighted in the four-component architecture.

Dependency-Aware Fuzzing

Infers dependencies between service interfaces, allowing for more targeted and realistic test case generation, which is critical for uncovering complex vulnerabilities in system services.

Academic Rigor

Backed by a peer-reviewed paper presented at USENIX Security'20, indicating thorough research and validation of the methodology, adding credibility to its approach.

Detailed Configuration

Provides extensive customization options through the fans.cfg file, allowing users to tailor the setup to specific environments and requirements, as detailed in the config section.

Cons

Extremely Heavy Setup

Requires compiling AOSP twice (with and without ASan), significant resources (1T SSD disk, many cores), and manual modifications to system files, making it impractical for quick or lightweight use.

Limited Version Support

Tested only on Android 9.0.0_r46 for Pixel 2 XL, so compatibility with newer Android versions or other devices is uncertain and may require substantial adaptation.

Sparse and Fragmented Documentation

The README is brief and points to separate readme files for each component, which may lack step-by-step guidance or troubleshooting help, increasing the learning curve.

Potential Device Risks

The disclaimer warns of uncertain outcomes, and modifying system properties (e.g., ro.adb.secure) could brick devices or require manual recovery, posing risks for non-experts.

Frequently Asked Questions

What is FANS?

Target Audience

Value Proposition

Use Cases

Best For

Security researchers analyzing Android system service vulnerabilities
Penetration testing of Android devices and custom ROMs
Android system developers validating service interface security
Academic research on Android security and fuzzing techniques
Device manufacturers conducting security assessments
Finding zero-day vulnerabilities in Android native components

Not Ideal For

Teams conducting quick vulnerability scans or penetration testing with tight deadlines
Developers fuzzing userland Android applications or non-native components
Projects targeting the latest Android versions without modification efforts
Organizations lacking in-house expertise in AOSP compilation and system-level debugging

Pros & Cons

Pros

Comprehensive Interface Analysis

Dependency-Aware Fuzzing

Infers dependencies between service interfaces, allowing for more targeted and realistic test case generation, which is critical for uncovering complex vulnerabilities in system services.

Academic Rigor

Backed by a peer-reviewed paper presented at USENIX Security'20, indicating thorough research and validation of the methodology, adding credibility to its approach.

Detailed Configuration

Provides extensive customization options through the fans.cfg file, allowing users to tailor the setup to specific environments and requirements, as detailed in the config section.

Cons

Extremely Heavy Setup

Requires compiling AOSP twice (with and without ASan), significant resources (1T SSD disk, many cores), and manual modifications to system files, making it impractical for quick or lightweight use.

Limited Version Support

Tested only on Android 9.0.0_r46 for Pixel 2 XL, so compatibility with newer Android versions or other devices is uncertain and may require substantial adaptation.

Sparse and Fragmented Documentation

The README is brief and points to separate readme files for each component, which may lack step-by-step guidance or troubleshooting help, increasing the learning curve.

Potential Device Risks

The disclaimer warns of uncertain outcomes, and modifying system properties (e.g., ro.adb.secure) could brick devices or require manual recovery, posing risks for non-experts.

Frequently Asked Questions

FANS

What is FANS?

Overview

Use Cases

Best For

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions

Found a gem we're missing?

FANS

What is FANS?

Overview

Use Cases

Best For

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions

Found a gem we're missing?