Abstract
The recent adoption of dynamic features such as Java reflection and Android dynamic code downloading (RDCL) coupled with recent security attacks that can be detected only at runtime have led to higher usage of hybrid analysis to address dependability and security concerns. While effective, however, hybrid analysis can be inefficient due to a multi-step process involving static analysis, code instrumentation, and runtime information logging. As such, existing hybrid analysis techniques can work during code development and testing, but are too slow for production and security vetting.
In this paper, we introduce ReHAna, a hybrid analysis framework for Android apps. We designed our framework to perform hybrid analysis efficiently through the use of a Virtual Class-Loader (VCL), which enables incremental program analysis. We then conducted a study to assess the program analysis performance of using VCL and found that it yields several benefits over the existing compiler-based program analysis approach. We also illustrated the hybrid analysis capability of ReHAna by implementing a technique to detect and analyze dynamically loaded components based on reflection and dynamic code loading mechanisms in Android apps. We compared the performance of ReHAna against that of StaDynA, a hybrid analysis approach that performs the same task. Our empirical evaluation shows that ReHAna is as effective as StaDynA but also significantly more efficient and scalable.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
Available at https://github.com/androguard/androguard.
- 2.
- 3.
- 4.
We are currently experimenting with a different, recently published technique [6] to see if it can exercise the 19 apps for which Monkey could not reach any RDCL call sites. If we are successful, we will include results on these in the next version of this paper.
- 5.
The specific class name is Ldk/nindroid/rss/ClickHandler$MultitouchHandler.
References
Abraham, J., Jones, P., Jetley, R.: A formal methods-based verification approach to medical device software analysis, February 2010. https://www.embedded.com/a-formal-methods-based-verification-approach-to-medical-device-software-analysis/
Barros, P., et al.: Static analysis of implicit control flow: resolving Java reflection and android intents (t). In: Proceedings of the 2015 30th IEEE/ACM International Conference on Automated Software Engineering (ASE), ASE 2015, pp. 669–679, Lincoln, NE, USA, November 2015
Bodden, E., Sewe, A., Sinschek, J., Oueslati, H., Mezini, M.: Taming reflection: aiding static analysis in the presence of reflection and custom class loaders. In: Proceedings of the International Conference on Software Engineering (ICSE), pp. 241–250, Honolulu, Hawaii, USA, May 2011
Bond, M.D., Coons, K.E., McKinley, K.S.: PACER: proportional detection of data races. In: Proceedings of the Conference on Programming Language Design and Implementation, pp. 255–268, Toronto, Ontario, Canada, June 2010
Chandra, B.: A technical view of the open SSL heartbleed vulnerability, May 2014. https://www.ibm.com/developerworks/community/files/form/anonymous/api/library/38218957-7195-4fe9-812a-10b7869e4a87/document/ab12b05b-9f07-4146-8514-18e22bd5408c/media
Chen, Y., et al.: Mass discovery of android traffic imprints through instantiated partial execution. In: Proceedings of CCS, pp. 815–828, Dallas, Texas, USA (2017)
Choudhary, S.R., Gorla, A., Orso, A.: Automated test input generation for android: are we there yet? In: Proceedings of the 2015 30th IEEE/ACM International Conference on Automated Software Engineering (ASE), ASE 2015, pp. 429–440 (2015)
Davis, B., Chen, H.: Retroskeleton: retrofitting android apps. In: Proceeding of the 11th Annual International Conference on Mobile Systems, Applications, and Services, MobiSys 2013, pp. 181–192, New York, NY, USA. ACM (2013)
Desnos, A.: Androguard: reverse engineering, malware and goodware analysis of android applications (2013). https://github.com/androguard/androguard
Duan, Y., et al.: Things you may not know about android (Un)packers: a systematic study based on whole-system emulation. In: Proceedings of Network and Distributed System Security Symposium, NDSS, San Diego, California, USA, February 2018
Felt, A.P., Chin, E., Hanna, S., Song, D., Wagner, D.: Android permissions demystified. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS 2011, pp. 627–638, New York, NY, USA. ACM (2011)
GeeksforGeeks. ClassLoader in Java, May 201r. https://www.geeksforgeeks.org/classloader-in-java/
Google. Lint (2019). http://tools.android.com/tips/lint
Jim, T.: Legacy C/C++ code is a nuclear waste nightmare that will make you WannaCry, June 2017. http://trevorjim.com
Landman, D., Serebrenik, A., Vinju, J.: Challenges for static analysis of java reflection - literature review and empirical study. In: Proceedings of the International Conference on Software Engineering, Buenos Aires, Argentina, May 2017
Li, L., Bissyandé, T.F., Octeau, D., Klein, J.: Droidra: taming reflection to support whole-program analysis of android apps. In: Proceedings of the 25th International Symposium on Software Testing and Analysis, ISSTA 2016, pp. 318–329, Saarbrücken, Germany (2016)
Li, Y., Tan, T., Xue, J.: Understanding and analyzing java reflection. ACM Trans. Softw. Eng. Methodol. 28(2), 1–50 (2019)
Liang, S., Might, M., Horn, D.V.: Android: malware analysis of android with user-supplied predicates. CoRR, abs/1311.4198 (2013)
Livshits, V.B., Lam, M.S.: Finding security vulnerabilities in java applications with static analysis. In: Proceedings of the 14th Conference on USENIX Security Symposium, SSYM 2005, vol. 14 (2005)
Oracle Corp. Loading, linking, and initializing, November 2019. https://docs.oracle.com/javase/specs/jvms/se7/html/jvms-5.html
Poeplau, S., Fratantonio, Y., Bianchi, A., Kruegel, C., Vigna, G.: Execute this! analyzing unsafe and malicious dynamic code loading in android applications. In: Proceedings of NDSS, vol. 14, pp. 23–26, San Diego, CA (2014)
Ponomariov, P.: Shedun: adware/malware family threatening your Android device, September 2015. https://blog.avira.com/shedun/
Rasthofer, S., Arzt, S., Miltenberger, M., Bodden, E.: Harvesting runtime values in android applications that feature anti-analysis techniques. In: Proceedings of NDSS (2016)
Rus, S., Rauchwerger, L., Hoeflinger, J.: Hybrid analysis: static & dynamic memory reference analysis. Int. J. Parallel Program. 31(4), 251–283 (2003)
Sawin, J., Rountev, A.: Improving static resolution of dynamic class loading in java using dynamically gathered environment information. Autom. Softw. Eng. 16(2), 357–381 (2009)
Smith, J., Nair, R.: Virtual Machines: Versatile Platforms for Systems and Processes (The Morgan Kaufmann Series in Computer Architecture and Design). Morgan Kaufmann Publishers Inc., San Francisco (2005)
Späth, J., Lam, P.: Using Soot and TamiFlex to analyze DaCapo, August 2014. https://github.com/Sable/soot/wiki/Using-Soot-and-TamiFlex-to-analyze-DaCapo
Tikir, M., Hollingsworth, J.K.: Efficient instrumentation for code coverage testing. In: Proceedings of the 2002 ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2002, pp. 86–96, Roma, Italy (2002)
Vallée-Rai, R.: Soot: a java bytecode optimization framework. Master’s thesis, McGill University (2000)
Wu, D., Liu, X., Xu, J., Lo, D., Gao, D.: Measuring the declared SDK versions and their consistency with API calls in android apps. In: Ma, L., Khreishah, A., Zhang, Y., Yan, M. (eds.) Wireless Algorithms. Systems, and Applications, pp. 678–690. Springer, Cham (2017)
Xu, L.: Techniques and tools for analyzing and understanding android applications. PhD thesis, University of California, Davis (2013)
Zhauniarovich, Y., Ahmad, M., Gadyatskaya, O., Crispo, B., Massacci, F.: StaDynA: addressing the problem of dynamic code updates in the security analysis of android applications. In: Proceedings of the 5th ACM Conference on Data and Application Security and Privacy, CODASPY 2015, pp. 37–48, San Antonio, Texas, USA (2015)
Acknowledgments
We would like to thank Yury Zhauniarovich, Maqsood Ahmad, Olga Gadyatskaya, Bruno Crispo, and Fabio Massacci for sharing the source code of StaDynA and the applications used to evaluate StaDynA with us.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Bachala, S., Tsutano, Y., Srisa-an, W., Rothermel, G., Dinh, J., Hu, Y. (2022). ReHAna: An Efficient Program Analysis Framework to Uncover Reflective Code in Android. In: Hara, T., Yamaguchi, H. (eds) Mobile and Ubiquitous Systems: Computing, Networking and Services. MobiQuitous 2021. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 419. Springer, Cham. https://doi.org/10.1007/978-3-030-94822-1_19
Download citation
DOI: https://doi.org/10.1007/978-3-030-94822-1_19
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-94821-4
Online ISBN: 978-3-030-94822-1
eBook Packages: Computer ScienceComputer Science (R0)