DroidKex: Fast extraction of ephemeral TLS keys from the memory of Android apps

Fast extraction of ephemeral data from the memory of a running process without affecting the performance of the analyzed program is a problem when the location and data structure layout of the information is not known. In this paper, we introduce DroidKex, an approach for partially reconstructing the semantics of data structures in order to minimize the overhead required for extracting information from the memory of applications. We demonstrate the practicability of our approach by applying it to 86Android applications in order to extract the cryptographic key material of TLS connections.