On the unsoundness of static analysis for Android GUIs

Android software presents exciting new challenges for the static analysis community. However, static analyses for Android are typically unsound. This is due to the lack of specification of the Android framework, the continuous evolution of framework features and behavior, and the absence of soundness arguments and studies by program analysis researchers. Our goal is to investigate one important aspect of this problem: the static modeling of control/data flow due to interactions of the user with the application's GUI. We compare the solutions of three existing static analyses - FlowDroid, IccTA, and Gator - with the actual run-time behavior. Specifically, we observe the run-time sequences of callbacks and their parameters, and match them against the static abstractions provided by these analyses. This study provides new insights into the unsoundness of existing analysis techniques. We conclude with open questions and action items for program analysis researchers working in this increasingly important area.
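The comparison the abstract describes, matching a static callback abstraction against what actually runs, can be written down concretely. The following Python is an added illustration, not code from the paper or from FlowDroid, IccTA or Gator: both the static model (a hypothetical window-transition-style abstraction) and the run-time callback trace are constructed samples, and the callback and activity names are assumptions. It reports run-time callbacks and window transitions that the static model does not cover, which is exactly the kind of evidence of unsoundness the study looks for.

```python
"""Compare a static callback model against an observed run-time callback trace.

Added illustration of the methodology: the static model is a constructed,
hypothetical abstraction (in the spirit of a window transition graph), and the
run-time trace is a constructed sample. Neither comes from the paper or from
FlowDroid/IccTA/Gator.
"""
from collections import defaultdict

# Static abstraction: for each window (activity), the callbacks the analysis
# believes can run, and the window transitions it believes are possible.
# Constructed sample; a real analysis would derive this from app bytecode.
STATIC_MODEL = {
    "windows": {
        "MainActivity": {"onCreate", "onStart", "onResume", "onClick:btnLogin"},
        "LoginActivity": {"onCreate", "onStart", "onResume", "onClick:btnSubmit"},
    },
    "transitions": {
        ("MainActivity", "onClick:btnLogin", "LoginActivity"),
        ("LoginActivity", "onClick:btnSubmit", "MainActivity"),
    },
}

# Run-time trace of (window, callback, next_window) events as an instrumented
# execution might record them. Constructed sample. next_window is None when the
# callback does not change the foreground window.
RUNTIME_TRACE = [
    ("MainActivity", "onCreate", None),
    ("MainActivity", "onStart", None),
    ("MainActivity", "onResume", None),
    ("MainActivity", "onClick:btnLogin", "LoginActivity"),
    ("LoginActivity", "onCreate", None),
    ("LoginActivity", "onStart", None),
    ("LoginActivity", "onResume", None),
    # A back press and a configuration change: callbacks the static model omits.
    ("LoginActivity", "onBackPressed", "MainActivity"),
    ("MainActivity", "onConfigurationChanged", None),
    ("MainActivity", "onResume", None),
]


def find_unsoundness(static_model, trace):
    """Return run-time behaviour the static model fails to predict.

    A static model is sound with respect to a trace if every observed callback
    and every observed window transition is covered by the model. Anything
    observed but not modelled is evidence of unsoundness.
    """
    missing_callbacks = defaultdict(set)
    missing_transitions = set()
    for window, callback, next_window in trace:
        known = static_model["windows"].get(window, set())
        if callback not in known:
            missing_callbacks[window].add(callback)
        if next_window is not None:
            edge = (window, callback, next_window)
            if edge not in static_model["transitions"]:
                missing_transitions.add(edge)
    return ({w: sorted(c) for w, c in missing_callbacks.items()},
            sorted(missing_transitions))


def find_unobserved(static_model, trace):
    """Return modelled transitions never seen at run time.

    These may be imprecision in the model or simply paths the execution did
    not exercise; a single trace cannot distinguish the two.
    """
    observed = {(w, c, n) for w, c, n in trace if n is not None}
    return sorted(static_model["transitions"] - observed)


if __name__ == "__main__":
    cbs, edges = find_unsoundness(STATIC_MODEL, RUNTIME_TRACE)
    print("callbacks missing from static model:", cbs)
    print("transitions missing from static model:", edges)
    print("modelled transitions never observed:",
          find_unobserved(STATIC_MODEL, RUNTIME_TRACE))
```

Two points in the design matter for interpreting results the way the abstract does. Observed-but-unmodelled behaviour (the first function) is a soundness gap and can be stated with confidence from one trace; modelled-but-unobserved behaviour (the second function) is only a hint, because a single run rarely exercises every path the app can take.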
