Native code is now commonplace within Android app packages where it co-exists and interacts with Dex bytecode through the Java Native Interface to deliver rich app functionalities. Yet, state-of-the-art static analysis approaches have mostly overlooked the presence of such native code, which, however, may implement some key sensitive, or even malicious, parts of the app behavior. This limitation of the state of the art is a severe threat to validity in a large range of static analyses that do not have a complete view of the executable code in apps. To address this issue, we propose a new advance in the ambitious research direction of building a unified model of all code in Android apps. The JuCify approach presented in this paper is a significant step towards such a model, where we extract and merge call graphs of native code and bytecode to make the final model readily-usable by a common Android analysis framework: in our implementation, JuCify builds on the Soot internal intermediate representation. We performed empirical investigations to highlight how, without the unified model, a significant amount of Java methods called from the native code are "unreachable" in apps' call-graphs, both in goodware and malware. Using JuCify, we were able to enable static analyzers to reveal cases where malware relied on native code to hide invocation of payment library code or of other sensitive code in the Android framework. Additionally, JuCify's model enables state-of-the-art tools to achieve better precision and recall in detecting data leaks through native code. Finally, we show that by using JuCify we can find sensitive data leaks that pass through native code.
Research center :
Interdisciplinary Centre for Security, Reliability and Trust (SnT) > Trustworthy Software Engineering (TruX)
Disciplines :
Computer science
Author, co-author :
SAMHI, Jordan ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX
GAO, Jun ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX
DAOUDI, Nadia ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX
Graux, Pierre; University of Lille
Hoyez, Henri; Technische Universität Kaiserslautern
Sun, Xiaoyu; Monash University
ALLIX, Kevin ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX