On the unsoundness of static analysis for Android GUIs

Wang, Yan; Zhang, Hailong; Rountev, Atanas

doi:10.1145/2931021.2931026

Cited by 25 publications

(15 citation statements)

References 36 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Flowdroid [7] and IccTA [17] used the lifecycle of components for inter-callback analysis. The manual models can only handle a subset of the callbacks executed in the Android API methods, and can be imprecise [25] and difficult to update as the Android framework evolves. To identify more callback sequences besides manual models, Blackshear et al [9] introduced the jumping framework, which identifies inter-callback control flow constraints via data dependencies between variables located in different callbacks in the apps.…”

Section: Discussionmentioning

confidence: 99%

See 1 more Smart Citation

Generating Predicate Callback Summaries for the Android Framework

Perez

2017

2017 IEEE/ACM 4th International Conference on Mobile Software Engineering and Systems (MOBILESoft)

View full text Add to dashboard Cite

Abstract-One of the challenges of analyzing, testing and debugging Android apps is that the potential execution orders of callbacks are missing from the apps' source code. However, bugs, vulnerabilities and refactoring transformations have been found to be related to callback sequences. Existing work on control flow analysis of Android apps have mainly focused on analyzing GUI events. GUI events, although being a key part of determining control flow of Android apps, do not offer a complete picture. Our observation is that orthogonal to GUI events, the Android API calls also play an important role in determining the order of callbacks. In the past, such control flow information has been modeled manually. This paper presents a complementary solution of constructing program paths for Android apps. We proposed a specification technique, called Predicate Callback Summary (PCS), that represents the callback control flow information (including callback sequences as well as the conditions under which the callbacks are invoked) in Android API methods and developed static analysis techniques to automatically compute and apply such summaries to construct apps' callback sequences. Our experiments show that by applying PCSs, we are able to construct Android apps' control flow graphs, including inter-callback relations, and also to detect infeasible paths involving multiple callbacks. Such control flow information can help program analysis and testing tools to report more precise results. Our detailed experimental data is available at: goo.gl/NBPrKs

show abstract

Section: Discussionmentioning

confidence: 99%

“…Without considering API methods, we are unable to obtain all possible paths of callbacks for the apps. Due to its importance, previous studies have used manual approaches to model the control flow of callbacks in the Android API methods [28] [29] [25]. The challenges are that the Android framework evolves fast, and it contains more than 20,000 API methods.…”

mentioning

confidence: 99%

Generating Predicate Callback Summaries for the Android Framework

Perez

2017

2017 IEEE/ACM 4th International Conference on Mobile Software Engineering and Systems (MOBILESoft)

View full text Add to dashboard Cite

show abstract

“…However, this model does not include the callbacks invoked by external events or in API calls made in the app. For instance, the model used for GUI events in FLOWDROID is not as accurate as the GUI model used in WTGs [7]. On the contrary, CCFA integrates callbacks from external events or API calls.…”

Section: Second Approachmentioning

confidence: 99%

“…Trying to use knowledge from the semantics of the system, several studies [4], [5], [9], [27], [32], [33] have use lifecycle of components in Android apps to define intercallback control flow. However, these approaches just focus on components' callbacks and some GUI events and can be incomplete for the rest of the Android API [7]. Besides control flow constraints offered by lifecycle of components, Blackshear et al [34] use data dependencies between callbacks to identify more ordering constraints between callbacks.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Specifying Callback Control Flow of Mobile Apps Using Finite Automata

Perez

2021

IIEEE Trans. Software Eng.

View full text Add to dashboard Cite

Given the event-driven and framework-based architecture of Android apps, finding the ordering of callbacks executed by the framework remains a problem that affects every tool that requires inter-callback reasoning. Previous work has focused on the ordering of callbacks related to the Android components and GUI events. But the execution of callbacks can also come from direct calls of the framework (API calls). This paper defines a novel program representation, called Callback Control Flow Automata (CCFA), that specifies the control flow of callbacks invoked via a variety of sources. We present an analysis to automatically construct CCFAs by combining two callback control flow representations developed from the previous research, namely, Window Transition Graphs (WTGs) and Predicate Callback Summaries (PCSs). To demonstrate the usefulness of our representation, we integrated CCFAs into two client analyses: a taint analysis using FLOWDROID, and a value-flow analysis that computes source and sink pairs of a program. Our evaluation shows that we can compute CCFAs efficiently and that CCFAs improved the callback coverages over WTGs. As a result of using CCFAs, we obtained 33 more true positive security leaks than FLOWDROID over a total of 55 apps we have run. With a low false positive rate, we found that 22.76% of source-sink pairs we computed are located in different callbacks and that 31 out of 55 apps contain source-sink pairs spreading across components. Thus, callback control flow graphs and inter-callback analysis are indeed important. Although this paper mainly uses Android, we believe that CCFAs can be useful for modeling control flow of callbacks for other event-driven, framework-based systems.

show abstract

EventHandler-Based Analysis Framework for Web Apps Using Dynamically Collected States

Park

Sun

Ryu

2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

JavaScript web applications (apps) are prevalent these days, and quality assurance of web apps gets even more important. Even though researchers have studied various analysis techniques and software industries have developed code analyzers for their own code repositories, statically analyzing web apps in a sound and scalable manner is challenging. On top of dynamic features of JavaScript, abundant execution flows triggered by user events make a sound static analysis difficult. In this paper, we propose a novel EventHandler (EH)-based static analysis for web apps using dynamically collected state information. Unlike traditional whole-program analyses, the EH-based analysis intentionally analyzes partial execution flows using concrete user events. Such analyses surely miss execution flows in the entire program, but they analyze less infeasible flows reporting less false positives. Moreover, they can finish analyzing partial flows of web apps that whole-program analyses often fail to finish analyzing, and produce partial bug reports. Our experimental results show that the EH-based analysis improves the precision dramatically compared with a state-of-the-art JavaScript whole-program analyzer, and it can finish analysis of partial execution flows in web apps that the whole-program analyzer fails to analyze within a timeout.

show abstract

On the unsoundness of static analysis for Android GUIs

Cited by 25 publications

References 36 publications

Generating Predicate Callback Summaries for the Android Framework

Generating Predicate Callback Summaries for the Android Framework

Specifying Callback Control Flow of Mobile Apps Using Finite Automata

EventHandler-Based Analysis Framework for Web Apps Using Dynamically Collected States

Contact Info

Product

Resources

About