An implicit call is a mechanism that triggers the execution of a method m without a direct call to m in the code being analyzed. For instance, in Android apps the Thread.start() method implicitly executes the Thread.run() method. These implicit calls can be conditionally triggered by programmer-specified constraints that are evaluated at run time. For example, the JobScheduler.schedule() method can be called to implicitly execute the JobService.onStartJob() method only if the device’s battery is charging. Such conditional implicit calls can effectively disguise logic bombs, posing significant challenges for both static and dynamic software analyses. Conservative static analysis may produce false-positive alerts due to over-approximation, while less conservative approaches might overlook potential covert behaviors, which is a serious concern in security analysis. Dynamic analysis may fail to generate the specific inputs required to activate these implicit call targets.
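The two kinds of implicit call named above, written out as an added illustration (this is not code from the Archer paper or its authors): the unconditional Thread.start() → run() edge, and the conditional JobScheduler.schedule() → JobService.onStartJob() edge whose trigger is the "device is charging" constraint attached to the JobInfo. The package name, class names and job id are assumed placeholders; the Android API calls (JobInfo.Builder, setRequiresCharging, JobScheduler.schedule, JobService.onStartJob/onStopJob/jobFinished) are real. The JobService is assumed to be declared in the manifest with android:permission="android.permission.BIND_JOB_SERVICE".

```java
// Added illustration of implicit calls in an Android app (not from the Archer paper).
// Assumed placeholders: package com.example.implicitcalls, JOB_ID, ChargingJob.
package com.example.implicitcalls;

import android.app.job.JobInfo;
import android.app.job.JobParameters;
import android.app.job.JobScheduler;
import android.app.job.JobService;
import android.content.ComponentName;
import android.content.Context;
import android.util.Log;

public class ImplicitCallDemo {
    private static final String TAG = "ImplicitCallDemo";
    private static final int JOB_ID = 42; // constructed sample id

    /** Unconditional implicit call: app code never calls run(), the runtime does. */
    public static void startWorker() {
        Thread worker = new Thread() {
            @Override
            public void run() {
                // Reached only through the implicit edge Thread.start() -> Thread.run().
                Log.d(TAG, "run() reached via Thread.start()");
            }
        };
        worker.start(); // a call graph without this edge has run() as dead code
    }

    /** Conditional implicit call: onStartJob() runs only when the JobInfo constraint holds. */
    public static void scheduleChargingOnlyJob(Context ctx) {
        JobInfo job = new JobInfo.Builder(JOB_ID, new ComponentName(ctx, ChargingJob.class))
                .setRequiresCharging(true) // constraint evaluated by the system at run time
                .build();
        JobScheduler scheduler =
                (JobScheduler) ctx.getSystemService(Context.JOB_SCHEDULER_SERVICE);
        // Implicit edge: schedule() -> ChargingJob.onStartJob(), guarded by "battery charging".
        int result = scheduler.schedule(job);
        Log.d(TAG, "schedule() returned "
                + (result == JobScheduler.RESULT_SUCCESS ? "SUCCESS" : "FAILURE"));
    }

    /** Target of the conditional implicit call. */
    public static class ChargingJob extends JobService {
        @Override
        public boolean onStartJob(JobParameters params) {
            // An analyzer that misses the schedule() -> onStartJob() edge never reaches this
            // method; one that ignores setRequiresCharging(true) cannot say when it runs.
            Log.d(TAG, "onStartJob() reached; the device is charging");
            jobFinished(params, false); // work done synchronously, no reschedule
            return false;
        }

        @Override
        public boolean onStopJob(JobParameters params) {
            return false; // constraint no longer satisfied; do not reschedule
        }
    }
}
```

For a static model to be sound it needs both edges, startWorker → run and scheduleChargingOnlyJob → onStartJob, and for the second edge it should record the constraint (requires charging) rather than treat onStartJob as unconditionally reachable; a dynamic analyzer, conversely, only observes onStartJob when the test environment actually satisfies that constraint, which is the coverage gap the abstract describes.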
To address these challenges, we introduce Archer, a tool designed to resolve conditional implicit calls and extract the constraints triggering execution control transfer. Our evaluation reveals that (1) implicit calls are prevalent in Android apps; (2) Archer enhances app models’ soundness beyond existing static analysis methods; and (3) Archer successfully infers constraint values, enabling dynamic analyzers to detect and assess conditionally triggered implicit calls through improved code coverage.
FNR16344458 - REPROCESS - Pre And Post Processing For Comprehensive And Practical Android App Static Analysis, 2021 (01/07/2022-30/06/2025) - Jacques Klein
FNR18154263 - UNLOCK - Breaking The Barriers Of Android Dynamic Analysis With Static Analysis, 2023 (01/01/2024-31/12/2026) - Jacques Klein