Command-Line Usage
Sandroid provides a comprehensive command-line interface for automated analysis and batch processing. This mode is ideal for CI/CD integration, scripted analysis, and headless operation.
Basic Syntax
sandroid [OPTIONS]
All command-line options can be combined for customized analysis workflows.
Configuration Options
Configuration File:
sandroid -c config.toml
sandroid --config /path/to/config.yaml
Specify a custom configuration file (TOML, YAML, or JSON format).
Environment Selection:
sandroid --environment development
sandroid --environment testing
sandroid --environment production
Load environment-specific configurations.
Output File:
sandroid -f analysis_results.json
sandroid --file /path/to/results.json
Specify where to save analysis results (default: sandroid.json).
Log Level:
sandroid --loglevel DEBUG
sandroid -ll INFO
sandroid --loglevel WARNING
Set logging verbosity. Options: DEBUG, INFO, WARNING, ERROR, CRITICAL.
Analysis Options
Number of Runs:
sandroid -n 3
sandroid --number 5
Repeat the analysis so that the observed changes can be compared across runs; at least 2 runs are needed for that comparison, since a single run produces nothing to compare against.
Noise Filtering:
sandroid --avoid-strong-noise-filter
Disable noise filtering to capture all changes. This will:
Skip the “dry run” baseline
Capture more system noise
Disable intra-file noise detection
Provide comprehensive but potentially noisy results
Monitoring Options
Network Traffic Capture:
sandroid --network
Enable comprehensive network monitoring:
Capture all network connections
Log DNS queries
Monitor traffic patterns
Generate network analysis report
Process Monitoring:
sandroid --no-processes
Disable process monitoring (enabled by default):
Skip active process tracking
Reduce system overhead
Focus on file and network changes
Socket Monitoring:
sandroid --sockets
Monitor listening sockets during analysis:
Track port bindings
Monitor service startup
Detect network service changes
File System Monitoring:
sandroid --show-deleted
sandroid -d
Perform full filesystem checks to reveal deleted files:
Deep filesystem analysis
Detect file deletion patterns
Higher resource usage but comprehensive coverage
Screenshot Capture:
sandroid --screenshot 5
Take screenshots every N seconds:
Visual documentation of analysis
Capture UI changes and behaviors
Useful for malware analysis and app testing
Specialized Analysis
Hash Calculation:
sandroid --hash
Generate MD5 hashes for all changed and new files:
File integrity verification
Change detection
Evidence preservation
MD5 is adequate for telling which files changed, but it is not collision-resistant. When the hashes are to be kept as evidence, record a SHA-256 digest of the same files alongside them (for example by pulling the files with adb pull and running sha256sum over them).
APK Enumeration:
sandroid --apk
List all APKs from the emulator with their hashes:
Inventory installed applications
Track APK modifications
Generate application manifest
TrigDroid Integration:
sandroid --trigdroid com.malware.package
Execute malware triggers for the specified package:
Automated malware activation
Comprehensive trigger pattern execution
Behavioral analysis automation
TrigDroid Configuration:
sandroid --trigdroid-ccf I # Interactive mode
sandroid --trigdroid-ccf D # Create default config
Configure TrigDroid Component Coverage Framework:
I - Interactive configuration mode
D - Generate default configuration file
Network Configuration
Network Speed Simulation:
sandroid --degrade-network
Simulate slower network conditions (UMTS/3G):
Lower bandwidth simulation
Increased latency
Test app behavior under poor network conditions
Whitelist Filtering:
sandroid --whitelist /path/to/whitelist.txt
Exclude specific files/paths from analysis results:
Filter out known system noise
Focus on application-specific changes
Customize analysis scope
Advanced Features
AI Analysis:
sandroid --ai
Enable AI-powered analysis and summarization:
Automated threat detection
Behavioral pattern analysis
Natural language analysis summaries
Requires the AI optional dependencies (pip install 'sandroid[ai]')
The summary is derived from the collected results; treat it as a starting point and confirm any verdict against the raw file, process and network data before acting on it.
PDF Report Generation:
sandroid --report
Generate comprehensive PDF reports:
Professional forensic reports
Visual analysis summaries
Exportable documentation
Interactive Mode:
sandroid --interactive
sandroid -i
Start in interactive menu mode (same as running sandroid without options).
Common Usage Patterns
Basic Analysis:
# Simple 2-run analysis
sandroid --number 2
# With output file
sandroid -n 2 -f my_analysis.json
Comprehensive Analysis:
# Full feature analysis
sandroid --network --sockets --screenshot 3 --hash --apk --report
# With AI analysis
sandroid --network --ai --report --screenshot 5
Malware Analysis:
# Automated malware analysis
sandroid --trigdroid com.malware.sample \
--network --screenshot 2 \
--show-deleted --hash \
--ai --report
# Manual malware analysis
sandroid --network --sockets --screenshot 3 \
--avoid-strong-noise-filter \
--show-deleted --hash
App Development Testing:
# Performance testing
sandroid --number 1 --screenshot 5 --degrade-network
# Feature testing
sandroid --network --sockets --apk
Security Audit:
# Complete security analysis
sandroid --network --sockets --show-deleted \
--hash --apk --ai --report \
--avoid-strong-noise-filter
Configuration Integration
Command-line options override configuration file settings:
# Config file sets number_of_runs = 2
# This overrides to 5 runs
sandroid --config analysis.toml --number 5
Environment Variables
All options can be set via environment variables. Names carry the SANDROID_ prefix, and a double underscore separates nesting levels, as in the analysis settings below:
export SANDROID_LOG_LEVEL=DEBUG
export SANDROID_ANALYSIS__NUMBER_OF_RUNS=3
export SANDROID_ANALYSIS__MONITOR_NETWORK=true
sandroid
Priority Order
Command-line arguments (highest priority)
Environment variables
Configuration file
Default values (lowest priority)
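How the four layers combine, as an added example that is not Sandroid's own code: a small Python re-implementation of the documented precedence. It assumes the SANDROID_ prefix and double-underscore nesting shown above, an illustrative mapping from three CLI flags to nested settings (the real CLI parser is not reproduced), and the sample keys analysis.number_of_runs, analysis.monitor_network and log_level.

```python
"""Illustrative re-implementation of the documented setting precedence.

Added example, not Sandroid's own code. Assumes (as the examples above show)
that environment variables are prefixed SANDROID_ and that a double underscore
separates nesting levels, e.g. SANDROID_ANALYSIS__NUMBER_OF_RUNS sets
analysis.number_of_runs. The CLI flag mapping and key names are illustrative.
"""
import copy

# Lowest-priority layer: built-in defaults (sample keys, assumed)
DEFAULTS = {
    "log_level": "INFO",
    "analysis": {"number_of_runs": 2, "monitor_network": False},
}

# Assumed mapping from CLI flags to the nested setting they override
CLI_TO_KEY = {
    "--number": "analysis.number_of_runs",
    "--network": "analysis.monitor_network",
    "--loglevel": "log_level",
}
BOOLEAN_FLAGS = {"--network"}


def _coerce(value: str):
    """Turn an environment-variable or CLI string into int/bool where it looks like one."""
    try:
        return int(value)
    except ValueError:
        pass
    if value.lower() in ("true", "yes"):
        return True
    if value.lower() in ("false", "no"):
        return False
    return value


def _set_path(tree: dict, dotted: str, value) -> None:
    """Store value under a dotted key, creating intermediate sections as needed."""
    *parents, leaf = dotted.split(".")
    node = tree
    for part in parents:
        node = node.setdefault(part, {})
    node[leaf] = value


def settings_from_env(environ, prefix="SANDROID_") -> dict:
    """SANDROID_ANALYSIS__NUMBER_OF_RUNS=3 -> {"analysis": {"number_of_runs": 3}}."""
    tree = {}
    for name, raw in environ.items():
        if not name.startswith(prefix):
            continue
        dotted = name[len(prefix):].lower().replace("__", ".")
        _set_path(tree, dotted, _coerce(raw))
    return tree


def settings_from_cli(argv) -> dict:
    """Minimal parser for the flags in CLI_TO_KEY; unknown arguments are skipped."""
    tree = {}
    i = 0
    while i < len(argv):
        flag = argv[i]
        if flag not in CLI_TO_KEY:
            i += 1
            continue
        if flag in BOOLEAN_FLAGS:
            _set_path(tree, CLI_TO_KEY[flag], True)
            i += 1
        else:
            if i + 1 >= len(argv):
                raise ValueError(f"{flag} requires a value")
            _set_path(tree, CLI_TO_KEY[flag], _coerce(argv[i + 1]))
            i += 2
    return tree


def _deep_merge(base: dict, override: dict) -> dict:
    """Return base updated by override, recursing into nested sections."""
    out = copy.deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = _deep_merge(out[key], value)
        else:
            out[key] = value
    return out


def effective_settings(config_file: dict, environ, argv) -> dict:
    """Apply layers from lowest to highest priority: defaults, file, environment, CLI."""
    merged = DEFAULTS
    for layer in (config_file, settings_from_env(environ), settings_from_cli(argv)):
        merged = _deep_merge(merged, layer)
    return merged


if __name__ == "__main__":
    # Constructed inputs: config file sets 2 runs, env asks for 3, CLI asks for 5
    cfg = {"analysis": {"number_of_runs": 2}}
    env = {"SANDROID_ANALYSIS__NUMBER_OF_RUNS": "3",
           "SANDROID_ANALYSIS__MONITOR_NETWORK": "true"}
    print(effective_settings(cfg, env, ["--number", "5"]))
```

Running it prints number_of_runs 5 and monitor_network True: the CLI value wins over the environment, which in turn wins over the file. Dropping the --number flag yields 3, and with neither environment nor CLI the file's 2 survives.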
Output and Results
Result Files
Primary Output: JSON file with complete analysis results
Raw Data: results/ directory with detailed artifacts
Screenshots: Captured device screenshots (if enabled)
Network Capture: PCAP files (if network monitoring enabled)
Logs: Detailed execution logs in ~/.cache/sandroid/logs/
JSON Result Structure:
{
"timestamp": "2024-08-27T10:30:00Z",
"configuration": {...},
"Changed Files": [...],
"New Files": [...],
"Deleted Files": [...],
"Network": {...},
"Processes": [...],
"APKs": [...],
"AI Analysis": {...}
}
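A triage pass over a result file of that shape, as an added example rather than Sandroid code: it counts the file-change categories and flags entries that a CI job should fail on. It assumes only the top-level keys listed above and that the three file lists hold device paths (plain strings or objects with a "path" member); the suspicious-location rules and the sample result are constructed for illustration.

```python
"""Triage of a Sandroid result file for CI gating.

Added example, not part of Sandroid. Assumes the top-level keys documented
above and that "New Files", "Changed Files" and "Deleted Files" are lists of
device paths (strings or {"path": ...} objects). The rules are illustrative.
"""
import json

# Locations a third-party app should not be able to write to; new or changed
# files here suggest root abuse or a persistence attempt (illustrative rule)
PRIVILEGED_PREFIXES = ("/system/", "/vendor/", "/product/", "/data/local/tmp/")
# Native or dex code dropped outside the app's own directory is worth a look
CODE_SUFFIXES = (".so", ".dex", ".jar", ".apk", ".odex")


def _path(entry) -> str:
    """Accept either a bare path string or an object carrying a "path" member."""
    return entry["path"] if isinstance(entry, dict) else str(entry)


def triage(result: dict, package: str) -> dict:
    """Return counts per category, a list of (category, path, reason) findings,
    and ok=True when nothing was flagged."""
    app_dirs = (f"/data/data/{package}/", f"/data/user/0/{package}/")
    findings = []
    counts = {}
    for key in ("New Files", "Changed Files", "Deleted Files"):
        paths = [_path(e) for e in result.get(key, [])]
        counts[key] = len(paths)
        for p in paths:
            in_app = p.startswith(app_dirs)
            if p.startswith(PRIVILEGED_PREFIXES):
                findings.append((key, p, "write to privileged location"))
            elif key != "Deleted Files" and not in_app and p.endswith(CODE_SUFFIXES):
                findings.append((key, p, "code dropped outside app sandbox"))
    return {"counts": counts, "findings": findings, "ok": not findings}


def triage_file(path: str, package: str) -> dict:
    """Load a result JSON file written with -f/--file and triage it."""
    with open(path, encoding="utf-8") as fh:
        return triage(json.load(fh), package)


# Constructed sample in the documented shape (not real Sandroid output)
SAMPLE = {
    "timestamp": "2024-08-27T10:30:00Z",
    "New Files": [
        "/data/data/com.example.app/files/cache.db",
        "/data/local/tmp/.x/payload.so",
        {"path": "/sdcard/Download/update.apk"},
    ],
    "Changed Files": ["/system/etc/hosts"],
    "Deleted Files": ["/data/data/com.example.app/shared_prefs/first_run.xml"],
}

if __name__ == "__main__":
    report = triage(SAMPLE, "com.example.app")
    for key, p, why in report["findings"]:
        print(f"{key}: {p} ({why})")
    raise SystemExit(0 if report["ok"] else 1)
```

On the sample, the cache file and the deleted preference inside the app's own directory pass, while the shared object under /data/local/tmp, the modified /system/etc/hosts and the APK dropped on external storage are reported, and the script exits non-zero so a pipeline step fails.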
Batch Processing
Script Integration:
#!/bin/bash
# Batch analysis of multiple APKs
# Needs adb and aapt (Android build-tools) on PATH and one emulator visible to adb
set -u
for apk in *.apk; do
    echo "Analyzing $apk..."
    # Package name from the manifest, taken before install so the uninstall
    # below works even if the analysis itself fails
    pkg="$(aapt dump badging "$apk" | grep '^package:' | cut -d"'" -f2)"
    if ! adb install "$apk"; then
        echo "Install failed for $apk, skipping" >&2
        continue
    fi
    sandroid --number 2 --network --report \
        -f "results_$(basename "$apk" .apk).json"
    adb uninstall "$pkg"
done
CI/CD Integration:
# In your CI pipeline
- name: Android Security Analysis
  run: |
    # Start emulator
    emulator -avd test_device -no-window -no-audio &
    adb wait-for-device
    # wait-for-device returns as soon as adb sees the device; wait for boot to finish too
    adb shell 'while [ "$(getprop sys.boot_completed)" != "1" ]; do sleep 2; done'
    # Run analysis (-f/--file is the output-file option documented above)
    sandroid --network --ai --report \
      -f ci_analysis_results.json
    # Archive results
    tar -czf analysis_results.tar.gz results/ *.json *.pdf
Parallel Analysis:
# Multiple simultaneous analyses, one emulator instance per analysis
sandroid --config config1.toml -f results1.json &
sandroid --config config2.toml -f results2.json &
sandroid --config config3.toml -f results3.json &
wait
Parallel analyses must not share an emulator: two analyses on one device would see each other's file, process and network changes as their own. Run each against a separate emulator instance and give each configuration its own results path (paths.results_path) so the runs do not overwrite one another's artifacts.
Error Handling
Exit Codes
0 - Analysis completed successfully
1 - Analysis failed with errors
2 - Configuration or setup error
Common Error Scenarios:
# Handle device not found
sandroid --network || echo "Analysis failed - check device connection"
# Timeout protection
timeout 1800 sandroid --network --screenshot 5
# Resource cleanup: kill the background analysis if the script exits early,
# and wait for it so that a normal exit does not kill it prematurely
trap 'kill $(jobs -p) 2>/dev/null' EXIT
sandroid --network &
wait
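The same protections in a form a pipeline can reuse, as an added example that is not part of Sandroid: a Python wrapper that enforces a hard timeout, maps the three documented exit codes to a status, distinguishes a timeout and a missing binary from an analysis failure, and moves the result file into a timestamped archive directory. The command is a parameter so the function can be exercised without a device; the archive layout is an assumption.

```python
"""Run Sandroid with a hard timeout and act on its exit code.

Added example, not part of Sandroid. Relies only on the exit codes documented
above (0 ok, 1 analysis failed, 2 configuration or setup error). The command
is a parameter so the wrapper can be tested with a stand-in process.
"""
import subprocess
import sys
import time
from pathlib import Path

EXIT_MEANING = {
    0: "completed",
    1: "analysis failed",
    2: "configuration or setup error",
}
# Interpreter path, exposed so a stand-in command can be built for testing
PYTHON = sys.executable


def run_sandroid(args, timeout_s=1800, command=("sandroid",)):
    """Return (status, returncode); returncode is None when no exit code exists.

    status is one of the EXIT_MEANING values, "unknown" for an undocumented
    code, "timeout" when the process was killed, or "not found".
    """
    try:
        proc = subprocess.run([*command, *args], timeout=timeout_s, check=False)
    except subprocess.TimeoutExpired:
        # subprocess.run kills the child on timeout; report it distinctly so the
        # pipeline can tell a hung emulator from a real analysis failure
        return "timeout", None
    except FileNotFoundError:
        return "not found", None
    return EXIT_MEANING.get(proc.returncode, "unknown"), proc.returncode


def archive_results(output_json: Path, archive_root: Path, label: str) -> Path:
    """Move the result file into <archive_root>/<UTC timestamp>_<label>/ (assumed layout)."""
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    dest = archive_root / f"{stamp}_{label}"
    dest.mkdir(parents=True, exist_ok=False)
    return output_json.replace(dest / output_json.name)


if __name__ == "__main__":
    out = Path("analysis_results.json")
    status, rc = run_sandroid(["--network", "--report", "-f", str(out)])
    print(f"sandroid: {status} (exit code {rc})")
    if status == "completed" and out.exists():
        print("archived to", archive_results(out, Path("archive"), "nightly"))
    sys.exit(0 if status == "completed" else 1)
```

A status of "configuration or setup error" or "not found" points at the runner (missing device, bad config, tool not installed) rather than the sample, so a pipeline can retry or alert differently from a genuine analysis failure.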
Performance Optimization
Resource Management:
# Lightweight analysis
sandroid --number 1 --no-processes
# High-performance analysis
sandroid --avoid-strong-noise-filter --number 1
Storage Optimization:
# Minimal storage usage
sandroid --number 2 # No screenshots, no network capture
# Custom output location: put the override in a file with a .toml extension rather
# than a process substitution, whose /dev/fd path carries no extension the loader
# could use to tell the three supported formats apart
printf 'paths.results_path = "/tmp/analysis"\n' > /tmp/sandroid-paths.toml
sandroid --config /tmp/sandroid-paths.toml
Debugging and Troubleshooting
Debug Mode:
sandroid --loglevel DEBUG --network
Verbose Output:
SANDROID_LOG_LEVEL=DEBUG sandroid --network 2>&1 | tee analysis.log
Common Issues
Device not found:
# Check ADB connection, then rerun with debug logging
adb devices
sandroid --loglevel DEBUG
Permission errors:
# Ensure device is rooted
adb shell su -c 'id'
Frida issues:
# Test Frida separately
frida-ps -U
Configuration problems:
# Validate configuration
sandroid-config validate
Log Analysis:
# Find specific errors
grep -i error ~/.cache/sandroid/logs/sandroid.log
# Monitor real-time
tail -f ~/.cache/sandroid/logs/sandroid.log
Integration Examples
Jenkins Pipeline:
pipeline {
agent any
stages {
stage('Android Analysis') {
steps {
sh '''
sandroid --network --ai --report \
--file analysis_${BUILD_NUMBER}.json
'''
archiveArtifacts artifacts: '*.json,*.pdf,results/**'
}
}
}
}
Docker Integration:
# Dockerfile
FROM sandroid:latest
COPY config.toml /app/
CMD ["sandroid", "--config", "/app/config.toml", "--network", "--report"]
The image only bakes in the configuration; at run time the container still needs an emulator or device it can reach through adb, and a writable results path if the JSON, PCAP and PDF output is to outlive the container.
GitHub Actions:
# An emulator must already be running and visible to adb (see CI/CD Integration above)
- name: Set up Python
  uses: actions/setup-python@v5
  with:
    python-version: '3.10'
- name: Run Sandroid Analysis
  run: |
    pip install 'sandroid[ai]'
    sandroid --network --ai --report
- name: Upload results
  uses: actions/upload-artifact@v4
  with:
    name: analysis-results
    path: |
      *.json
      *.pdf
      results/
Best Practices
Always use multiple runs (--number 2 minimum) for accurate change detection
Enable network monitoring (--network) for comprehensive analysis
Use configuration files for consistent analysis parameters
Archive results in structured directories with timestamps
Monitor resource usage during analysis to avoid system overload
Validate configurations before batch processing
Use appropriate log levels for your use case (INFO for production, DEBUG for troubleshooting)
See Also
Configuration - Detailed configuration options
Interactive Mode - Interactive analysis interface
Troubleshooting - Common issues and solutions
Core API - Python API for custom automation