Article (Scientific journals)
Taming Reflection: An Essential Step Toward Whole-program Analysis of Android Apps
Sun, Xiaoyu; Li, Li; Bissyande, Tegawendé François D Assise et al.
2021, in ACM Transactions on Software Engineering and Methodology, 30 (3), p. 1-36
Peer Reviewed verified by ORBi
Full text: DroidRA.pdf (publisher postprint, 1.12 MB)
Keywords :
Android; static analysis; reflection
Abstract :
Android developers heavily use reflection in their apps for legitimate reasons. However, reflection is also widely used to hide malicious actions. Unfortunately, current state-of-the-art static analysis tools for Android are challenged by the presence of reflective calls, which they usually ignore. Thus, the results of their security analysis, e.g., for private data leaks, are incomplete, given the measures malware writers take to elude static detection. We propose a new instrumentation-based approach to address this issue in a non-invasive way. Specifically, we introduce a prototype tool called DroidRA, which reduces the resolution of reflective calls to a composite constant propagation problem and then leverages the COAL solver to infer the values of reflection targets. It then automatically instruments the app to replace reflective calls with their corresponding traditional Java calls. Our approach augments an app so that it can be analyzed more effectively by static analyzers, including those that are not reflection-aware. We evaluate DroidRA on benchmark apps as well as on real-world apps and demonstrate that it can indeed infer the target values of reflective calls and subsequently allow state-of-the-art tools to provide more sound and complete analysis results.
Disciplines :
Computer science
Author, co-author :
Sun, Xiaoyu
Li, Li
Bissyande, Tegawendé François D Assise  ;  University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX
Klein, Jacques ;  University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX
Octeau, Damien
Grundy, John C.
External co-authors :
yes
Language :
English
Title :
Taming Reflection: An Essential Step Toward Whole-program Analysis of Android Apps
Publication date :
July 2021
Journal title :
ACM Transactions on Software Engineering and Methodology
ISSN :
1049-331X
Publisher :
Association for Computing Machinery (ACM), United States
Volume :
30
Issue :
3
Pages :
1-36
Peer reviewed :
Peer Reviewed verified by ORBi
Focus Area :
Security, Reliability and Trust
European Projects :
H2020 - 830892 - SPARTA - Strategic programs for advanced research and technology in Europe
FnR Project :
FNR11693861 - Characterization Of Malicious Code In Mobile Apps: Towards Accurate And Explainable Malware Detection, 2017 (01/06/2018-31/12/2021) - Jacques Klein
Funders :
CE - Commission Européenne [BE]
Available on ORBilu :
since 10 January 2022