Generating Predicate Callback Summaries for the Android Framework

One of the challenges of analyzing, testing and debugging Android apps is that the potential execution orders of callbacks are missing from the apps' source code. However, bugs, vulnerabilities and refactoring transformations have been found to be related to callback sequences. Existing work on control flow analysis of Android apps has mainly focused on analyzing GUI events. GUI events, although a key part of determining the control flow of Android apps, do not offer a complete picture. Our observation is that, orthogonal to GUI events, Android API calls also play an important role in determining the order of callbacks. In the past, such control flow information has been modeled manually. This paper presents a complementary solution for constructing program paths for Android apps. We propose a specification technique, called Predicate Callback Summary (PCS), that represents the callback control flow information (including callback sequences as well as the conditions under which the callbacks are invoked) in Android API methods, and develop static analysis techniques to automatically compute and apply such summaries to construct apps' callback sequences. Our experiments show that by applying PCSs, we are able to construct Android apps' control flow graphs, including inter-callback relations, and also to detect infeasible paths involving multiple callbacks. Such control flow information can help program analysis and testing tools report more precise results. Our detailed experimental data is available at: http://www.cs.iastate.edu/~weile/toolsdata/SummarizeAndroidFramework/lithium.html.
