DroidRA: taming reflection to support whole-program analysis of Android apps

Li Li, Tegawendé F. Bissyandé, Damien Octeau, Jacques Klein

Research output: Chapter in Book/Report/Conference proceedingConference PaperResearchpeer-review

79 Citations (Scopus)

Abstract

Android developers heavily use reflection in their apps for legitimate reasons, but also significantly for hiding malicious actions. Unfortunately, current state-of-the-art static analysis tools for Android are challenged by the presence of reflective calls which they usually ignore. Thus, the results of their security analysis, e.g., for private data leaks, are inconsistent given the measures taken by malware writers to elude static detection. We propose the DroidRA instrumentation-based approach to address this issue in a non-invasive way. With DroidRA, we reduce the resolution of reflective calls to a composite constant propagation problem. We leverage the COAL solver to infer the values of reflection targets and app, and we eventually instrument this app to include the corresponding traditional Java call for each reflective call. Our approach allows to boost an app so that it can be immediately analyzable, including by such static analyzers that were not reflection-aware. We evaluate DroidRA on benchmark apps as well as on real-world apps, and demonstrate that it can allow state-of-the-art tools to provide more sound and complete analysis results.

Original languageEnglish
Title of host publicationProceedings of the 25th International Symposium on Software Testing and Analysis
EditorsAndreas Zeller, Abhik Roychoudhury
Place of PublicationNew York NY USA
PublisherAssociation for Computing Machinery (ACM)
Pages318-329
Number of pages12
ISBN (Electronic)9781450343909
DOIs
Publication statusPublished - 2016
Externally publishedYes
EventInternational Symposium on Software Testing and Analysis 2016 - Saarbrucken, Germany
Duration: 18 Jul 201620 Jul 2016
Conference number: 25th
http://issta2016.cispa.saarland/

Conference

ConferenceInternational Symposium on Software Testing and Analysis 2016
Abbreviated titleISSTA 2016
CountryGermany
CitySaarbrucken
Period18/07/1620/07/16
Internet address

Keywords

  • Android
  • DroidRA
  • Reflection
  • Static analysis

Cite this