On the Soundness of Android Static Analysis
15th September 2023
Dr. Jordan Samhi
The 6th International Workshop on Advances in Mobile App Analysis, Luxembourg
CISPA – Helmholtz Center for Information Security
Who Am I?
Dr. Jordan Samhi
Post-doc at CISPA – Helmholtz Center for Information Security
Research group: Software Research
jordan.samhi@cispa.de
https://www.jordansamhi.com
15th September 2023 - Jordan Samhi
On the Soundness of Android Static Analysis: Solutions and open challenges
> 6 billion people own a smartphone
> 71% are Android-based
> Sensitive data
High security risks: bugs, malicious code, vulnerabilities
FlowDroid [1]
[1] Arzt, Steven, et al. FlowDroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps. PLDI 2014.
Used as a building block for:
- malware detection
- feature extraction
- instrumentation
- incompatibility issues
- type-state issues
- etc.
Can you trust this model?
(Figure: the analyzer's model of the app, with ICC, Reflection and Callbacks marked as the parts it has to approximate.)
Soundness of Program Analysis
(Figure: real behavior of the app versus the model, illustrated on two methods m() and n().)
Agenda
• Inter-component communication
• Native Code
Inter-Component Communication
(Figure: an app as a set of components, here several Activities, Services and Broadcast Receivers, communicating with each other through ICC.)
// Main Activity
protected void onCreate(Bundle b) {
    Intent i = new Intent(this, TargetActivity.class); // explicit Intent: the target component is visible to the analyzer
    i.putExtra("test", "value");
    startActivity(i);                                  // typical ICC method: existing analyzers model it
}
// Target Activity
protected void onCreate(Bundle b) {
    Intent i = getIntent();
    String msg = i.getStringExtra("test");
    Log.i("Test", msg);
}
Typical ICC methods:
● sendBroadcast
● sendBroadcastAsUser
● sendOrderedBroadcast
● sendOrderedBroadcastAsUser
● sendStickyBroadcast
● sendStickyBroadcastAsUser
● sendStickyOrderedBroadcast
● sendStickyOrderedBroadcastAsUser
● startActivities
● startActivity
● startActivityForResult
● startActivityFromChild
● startActivityFromFragment
● startActivityIfNeeded
● startService
● bindService
Atypical Inter-Component Communication (AICC)
// Main Activity
protected void onCreate(Bundle b) {
    Intent i = new Intent(this, TargetActivity.class);
    i.putExtra("test", "value");
    // The Intent is wrapped in a PendingIntent (on API 31+ the flags must also state FLAG_IMMUTABLE or FLAG_MUTABLE) ...
    PendingIntent pi = PendingIntent.getActivity(this, 0, i, 0);
    SmsManager sm = SmsManager.getDefault();
    // ... and handed to the framework, which fires it later. The app never calls startActivity(i),
    // so an analyzer that only models the typical ICC methods sees no link to TargetActivity.
    sm.sendTextMessage("0", null, "0", pi, null);
}
// Target Activity
protected void onCreate(Bundle b) {
    Intent i = getIntent();
    String msg = i.getStringExtra("test");
    Log.i("Test", msg);
}
What are the problems?
• What are AICC methods?
• How to reveal AICC methods to existing analyzers?
Systematic study of the Android Framework: AICC methods, i.e. methods that pass an Intent on indirectly (typically through a PendingIntent)
● setRepeating
● requestLocationUpdates
● registerNetworkCallback
● setCancelButtonIntent
● sendMultimediaMessage
● setOnClickPendingIntent
● onSuccess
● installExistingPackage
● startDownloadServiceIfRequired
● sendTextMessage
● addAction
● setExact
● setFullScreenIntent
● setDeleteIntent
● setPendingIntentTemplate
● setLatestEventInfo
● setInexactRepeating
● etc.
Revealing Atypical Inter-Component Communication (RAICC)
Main idea: add typical ICC calls for existing analyzers
STEP 1: RAICC leverages the IFDS framework to propagate Intents to PendingIntent objects
STEP 2: RAICC leverages the IFDS framework to propagate the target component type to PendingIntent objects
STEP 3: App instrumentation to add a typical ICC method depending on Intent targets
STEP 4: App is repackaged
STEP 1: What Intents are “linked” to this PendingIntent?
PendingIntent_x ↦ {Intent_a, …, Intent_n}
STEP 2: What is the type of the target component that the PendingIntent refers to?
PendingIntent_x ↦ {“activity”, “service”}
STEP 3: instrument the AICC call site
// Main Activity
protected void onCreate(Bundle b) {
    Intent i = new Intent(this, TargetActivity.class);
    i.putExtra("test", "value");
    PendingIntent pi = PendingIntent.getActivity(this, 0, i, 0);   // STEP 1: pi ↦ { i }   STEP 2: pi ↦ { Activity }
    SmsManager sm = SmsManager.getDefault();
    sm.sendTextMessage("0", null, "0", pi, null);                   // AICC method consuming pi
    startActivity(i);   // injected: the typical ICC call that matches the target type Activity
}
STEP 4: the repackaged app
// Main Activity
protected void onCreate(Bundle b) {
    Intent i = new Intent(this, TargetActivity.class);
    i.putExtra("test", "value");
    PendingIntent pi = PendingIntent.getActivity(this, 0, i, 0);
    SmsManager sm = SmsManager.getDefault();
    sm.sendTextMessage("0", null, "0", pi, null);
    startActivity(i);   // added by RAICC: existing ICC analyzers now see the link to TargetActivity
}
The instrumented APK is an analysis artifact, not something to ship: if executed, the added call would really start the Activity.
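The four steps above, simulated end to end on a toy intermediate representation. This is an added example written for this page, not RAICC's code: RAICC runs an IFDS analysis over the whole app in Soot, whereas this version is single-path and intra-procedural. The PendingIntent.getService and getBroadcast rows, the SyncService target, the alias pi2 and the setRepeating and setOnClickPendingIntent sites are constructed extensions of the slide's activity-only case; everything else follows the slide.

```python
"""Toy, single-path simulation of the RAICC idea (added example, not RAICC's
Soot/IFDS code): map Intents to PendingIntents (step 1), PendingIntents to a
target component type (step 2), and inject a typical ICC call at each AICC
call site (step 3) so that Intent-based analyzers see the hidden link."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Toy IR (constructed): ("new_intent", var, cls) | ("assign", dst, src)
# | ("pending", var, factory, intent_var) | ("call", method, [args])
Statement = Tuple

# Real PendingIntent factories; the factory fixes the target component type.
PENDING_INTENT_FACTORIES = {"PendingIntent.getActivity": "activity",
                            "PendingIntent.getService": "service",
                            "PendingIntent.getBroadcast": "broadcast"}
# Typical ICC call to inject per target type (the slide shows the activity row).
TYPICAL_ICC_CALL = {"activity": "startActivity", "service": "startService",
                    "broadcast": "sendBroadcast"}
# Subset of the slide's AICC methods; each consumes a PendingIntent.
AICC_METHODS = {"sendTextMessage", "sendMultimediaMessage", "setRepeating", "setExact",
                "setInexactRepeating", "setOnClickPendingIntent", "setFullScreenIntent",
                "setDeleteIntent", "addAction", "requestLocationUpdates"}


@dataclass
class Result:
    program: List[Statement]           # instrumented statements, input to repackaging (step 4)
    links: Set[Tuple[str, str, str]]   # (AICC method, target type, target class) now visible
    unresolved: List[Tuple[int, str]]  # AICC sites whose PendingIntent is unknown: still blind spots


def reveal_aicc(stmts: List[Statement]) -> Result:
    intent_targets: Dict[str, str] = {}   # Intent var -> declared target class
    pi_intents: Dict[str, Set[str]] = {}  # step 1: PendingIntent var -> Intent vars
    pi_types: Dict[str, str] = {}         # step 2: PendingIntent var -> target component type
    program: List[Statement] = []
    links: Set[Tuple[str, str, str]] = set()
    unresolved: List[Tuple[int, str]] = []
    for idx, st in enumerate(stmts):
        program.append(st)
        kind = st[0]
        if kind == "new_intent":
            intent_targets[st[1]] = st[2]
        elif kind == "assign":            # aliasing keeps the facts attached to the new name
            _, dst, src = st
            if src in intent_targets:
                intent_targets[dst] = intent_targets[src]
            if src in pi_intents:
                pi_intents[dst] = set(pi_intents[src])
                pi_types[dst] = pi_types[src]
        elif kind == "pending":
            _, var, factory, intent_var = st
            if factory in PENDING_INTENT_FACTORIES:
                pi_intents[var] = {intent_var}
                pi_types[var] = PENDING_INTENT_FACTORIES[factory]
        elif kind == "call" and st[1] in AICC_METHODS:
            _, method, args = st
            pis = [a for a in args if a in pi_intents]
            if not pis:                   # PendingIntent produced somewhere this toy does not model
                unresolved.append((idx, method))
            for pi in pis:
                ctype = pi_types[pi]
                for intent in sorted(pi_intents[pi]):
                    # step 3: make the hidden ICC explicit right after the AICC call
                    program.append(("call", TYPICAL_ICC_CALL[ctype], [intent]))
                    links.add((method, ctype, intent_targets.get(intent, "?")))
    return Result(program, links, unresolved)


def render(stmts: List[Statement]) -> str:
    """Show the toy IR as Java-like source, the way the instrumented app reads."""
    out = []
    for st in stmts:
        if st[0] == "new_intent":
            out.append(f"Intent {st[1]} = new Intent(this, {st[2]}.class);")
        elif st[0] == "assign":
            out.append(f"{st[1]} = {st[2]};")
        elif st[0] == "pending":
            out.append(f"PendingIntent {st[1]} = {st[2]}(this, 0, {st[3]}, 0);")
        else:
            out.append(f"{st[1]}({', '.join(st[2])});")
    return "\n".join(out)


# Constructed input: the slide's onCreate(), plus an alias, a service-targeted
# alarm and one AICC call whose PendingIntent the toy analysis never sees.
SAMPLE: List[Statement] = [
    ("new_intent", "i", "TargetActivity"),
    ("pending", "pi", "PendingIntent.getActivity", "i"),
    ("call", "sendTextMessage", ['"0"', "null", '"0"', "pi", "null"]),
    ("assign", "pi2", "pi"),
    ("call", "setDeleteIntent", ["pi2"]),
    ("new_intent", "j", "SyncService"),
    ("pending", "ps", "PendingIntent.getService", "j"),
    ("call", "setRepeating", ["AlarmManager.RTC_WAKEUP", "0", "3600000", "ps"]),
    ("call", "startActivity", ["i"]),                      # typical ICC: left untouched
    ("call", "setOnClickPendingIntent", ["R.id.btn", "unknownPi"]),
]

if __name__ == "__main__":
    result = reveal_aicc(SAMPLE)
    print(render(result.program))
    print("ICC links revealed:", sorted(result.links))
    print("unresolved AICC sites:", result.unresolved)
```

The unresolved list is the part a practitioner should watch: a PendingIntent that arrives through a parameter, a field or another component leaves the AICC call without an injected ICC call, and the downstream analyzer is exactly as blind as before. RAICC's inter-procedural IFDS propagation closes most of these cases; a toy like this one only reports them.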
Evaluation
Benchmark: 20 hand-crafted apps
Real-world apps: 5 000 goodware / 5 000 malware
Main Results
Number of ICC links found by IC3

                  5 000 goodware      5 000 malware
Before RAICC      20 300              16 222
After RAICC       25 708              26 223
Improvement       +5 408 (+26.2%)     +10 001 (+61.6%)
(Figure: the model revisited. Reflection, Callback and ICC each carried a question mark; the ICC one is now answered by RAICC.)
J. Samhi et al., “RAICC: Revealing Atypical Inter-Component Communication in Android apps”, ICSE 2021.
● RAICC improves ICC modeling
● It is already used by collaborators
● It is maintained
● Improvable on demand
● RAICC and artifacts are available at: https://github.com/JordanSamhi/RAICC
Native Code
What are the problems?
• How to account for native code?
• How to model native code?
Native code (Figure: bytecode and native code analyzed separately, results are bridged.)
A unified model (Figure: one representation covering both.)
JuCify Overview
First part: NativeDiscloser
Extracting native methods information: linking a method call in the bytecode to a native function
Static registration: the function is found by its JNI-mangled name, e.g. nativeGetImei – Java_com_example_app_MainActivity_nativeGetImei
Dynamic registration: the function is registered at runtime (RegisterNatives), so its name carries no Java information, e.g. nativeGetImei – some_native_function
Second part: Call Graph Generation
(Figure: a native call graph and a bytecode call graph, built separately.)
Third part: Call Graph Unification
(Figure: both graphs merged into a unified call graph representation.)
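The first and third parts, reduced to their core on constructed data. This is an added example for this page, not JuCify's code: it undoes JNI name mangling to map statically registered symbols back to their Java native methods (the static-registration half of NativeDiscloser; dynamically registered functions would need the RegisterNatives call analyzed instead, which this example only reports as unresolved), then merges a bytecode call graph with a native one and compares what is reachable with and without the bridge. The class Crypto_Utils, the method nativeHook, the library functions and the call graphs are all constructed; the mangling rules are the ones from the JNI specification.

```python
"""Toy reconstruction of two JuCify stages on constructed data (added example,
not JuCify's code): resolve statically registered JNI symbols back to their
Java `native` methods and unify the bytecode and native call graphs so that
reachability crosses the JNI boundary."""
from typing import Dict, Optional, Set, Tuple

CallGraph = Dict[str, Set[str]]   # caller -> callees
_SEP, _SIG = "\x00", "\x01"       # internal markers: name boundary, start of signature


def _jni_tokens(mangled: str):
    """Undo JNI escapes: _1 -> '_', _2 -> ';', _3 -> '[', _0xxxx -> unicode,
    '__' -> signature marker, any other '_' -> package/class/method boundary."""
    i = 0
    while i < len(mangled):
        c = mangled[i]
        if c != "_":
            yield c; i += 1; continue
        nxt = mangled[i + 1] if i + 1 < len(mangled) else ""
        if nxt == "1":   yield "_"; i += 2
        elif nxt == "2": yield ";"; i += 2
        elif nxt == "3": yield "["; i += 2
        elif nxt == "0": yield chr(int(mangled[i + 2:i + 6], 16)); i += 6
        elif nxt == "_": yield _SIG; i += 2
        else:            yield _SEP; i += 1


def demangle_jni(symbol: str) -> Optional[Tuple[str, str, Optional[str]]]:
    """'Java_<class>_<method>[__<signature>]' -> (class, method, signature or None).
    Returns None for symbols that are not JNI-mangled, e.g. functions registered
    at runtime through RegisterNatives, whose names carry no Java information."""
    if not symbol.startswith("Java_"):
        return None
    toks = list(_jni_tokens(symbol[len("Java_"):]))
    sig = None
    if _SIG in toks:                      # overloaded native: argument signature follows
        k = toks.index(_SIG)
        sig = "".join("/" if t == _SEP else t for t in toks[k + 1:])
        toks = toks[:k]
    parts = "".join(toks).split(_SEP)
    if len(parts) < 2 or "" in parts:
        return None
    return ".".join(parts[:-1]), parts[-1], sig


def bridge_native_methods(native_decls: Set[str], native_cg: CallGraph):
    """Match each declared `native` method (class.method) to its JNI symbol(s)."""
    by_java_name: Dict[str, Set[str]] = {}
    for sym in native_cg:
        d = demangle_jni(sym)
        if d is not None:
            by_java_name.setdefault(f"{d[0]}.{d[1]}", set()).add(sym)
    bridges = {m: by_java_name[m] for m in native_decls if m in by_java_name}
    unresolved = native_decls - set(bridges)   # dynamic registration: not resolvable by name
    return bridges, unresolved


def unify(bytecode_cg: CallGraph, native_cg: CallGraph, native_decls: Set[str]):
    """Merge both graphs and add the Java-stub -> JNI-implementation edges."""
    bridges, unresolved = bridge_native_methods(native_decls, native_cg)
    unified: CallGraph = {n: set(c) for n, c in bytecode_cg.items()}
    for n, c in native_cg.items():
        unified.setdefault(n, set()).update(c)
    for method, syms in bridges.items():
        unified.setdefault(method, set()).update(syms)
    return unified, unresolved


def reachable(cg: CallGraph, root: str) -> Set[str]:
    seen, stack = set(), [root]
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(cg.get(n, ()))
    return seen


def size(cg: CallGraph) -> Tuple[int, int]:
    """(nodes, edges): the two numbers compared with and without unification."""
    nodes = set(cg) | {c for cs in cg.values() for c in cs}
    return len(nodes), sum(len(cs) for cs in cg.values())


# Constructed data modelled on the slide's nativeGetImei example.
BYTECODE_CG: CallGraph = {
    "com.example.app.MainActivity.onCreate":
        {"com.example.app.MainActivity.nativeGetImei", "android.util.Log.i"},
    "com.example.app.MainActivity.nativeGetImei": set(),   # native stub: no bytecode body
}
NATIVE_DECLS = {"com.example.app.MainActivity.nativeGetImei",
                "com.example.app.Crypto_Utils.native_encrypt",
                "com.example.app.MainActivity.nativeHook"}    # registered dynamically (constructed)
NATIVE_CG: CallGraph = {
    "Java_com_example_app_MainActivity_nativeGetImei": {"get_device_id", "send_to_server"},
    "send_to_server": {"socket", "send"},
    "Java_com_example_app_Crypto_1Utils_native_1encrypt__Ljava_lang_String_2_3B": {"aes_encrypt"},
    "some_native_function": {"send_to_server"},             # nativeHook's real implementation
}

if __name__ == "__main__":
    root = "com.example.app.MainActivity.onCreate"
    unified_cg, missing = unify(BYTECODE_CG, NATIVE_CG, NATIVE_DECLS)
    print("without unification:", size(BYTECODE_CG), sorted(reachable(BYTECODE_CG, root)))
    print("with unification:   ", size(unified_cg), sorted(reachable(unified_cg, root)))
    print("still unresolved (dynamic registration):", sorted(missing))
```

Without the bridge, onCreate reaches three nodes and the device identifier never appears to leave the app; with it, the path through get_device_id to send becomes visible, which is the "Without JuCify / With JuCify" difference. The unresolved set is where the soundness gap remains: a method registered through RegisterNatives stays a dead end until the registration call itself is analyzed.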
Let's see an example
(Figure: call graph without JuCify; the native part is missing.)
(Figure: call graph with JuCify; bytecode and native nodes in one graph.)
● Call graph is not enough
● Our ambition is to unify both representations
Main results
(Figure: number of nodes and edges computed by Soot with and without JuCify.)
(Figure: the model revisited, with RAICC and JuCify filling in two of the question marks.)
J. Samhi et al., “RAICC: Revealing Atypical Inter-Component Communication in Android apps”, ICSE 2021.
J. Samhi et al., “JuCify: A Step Towards Android Code Unification for Enhanced Static Analysis”, ICSE 2022.
● We proposed a new approach to unify the bytecode and native code representations
● We demonstrated how JuCify is a step toward code unification
● JuCify and artifacts are available at: https://github.com/JordanSamhi/JuCify
Logic Bomb detection
(Figure: an if (…) with two branches, one labelled Normal and the other Abnormal: a sensitive operation hidden behind a suspicious condition.)
Check out: J. Samhi, et al. "Difuzer: Uncovering suspicious hidden sensitive operations in Android apps." ICSE 2022.
(Figure: the model revisited; the question marks are addressed by the following work.)
J. Samhi et al., “RAICC: Revealing Atypical Inter-Component Communication in Android apps”, ICSE 2021.
J. Samhi et al., “JuCify: A Step Towards Android Code Unification for Enhanced Static Analysis”, ICSE 2022.
J. Samhi et al., “Implicit calls triggered under certain circumstances”
OK! Enough of the past! What are the next challenges?
The static analysis paradox
Promise: Sound Analysis
Analyzing the Unanalyzable
(Figure: Reflection, Callback, ICC, Native Code, Conditional implicit calls, AICC, and many more question marks.)
Security is Adversarial
Attackers will try to find ways to bypass static analysis
Libraries
The Dream in Program Analysis: Find the Ultimate Abstractions
(Figure: COBOL, ABAP.)
Some Ideas for Open Challenges
• What is currently covered by static analyzers?
• How can frameworks be effectively represented through static modeling?
• How can multi-language software be effectively represented through static modeling?
What is currently covered by static analyzers?
(Figure: Control Flow Graph and Call Graph; Static Analysis versus Dynamic Analysis.)
(Figure: methods statically reachable versus methods dynamically called, with question marks where the two sets differ.)
Implicit calls
How can frameworks be effectively represented through static modeling?
Software is a system: it interacts with other components, the frameworks it is built on among them.
1 – Identify development frameworks
2 – Statically find entry and exit points to and from frameworks
3 – Propose a static model that connects the dots
How can multi-language software be effectively represented through static modeling?
WebView wv = new WebView(context);
setContentView(wv);
WebSettings settings = wv.getSettings();
settings.setJavaScriptEnabled(true);   // JavaScript now runs inside the app: a second language the static model has to cover
wv.loadUrl("https://www.example.com");
1 – Study the static analysis ecosystem of different languages
2 – Determine to what extent existing tools can be bridged with existing frameworks
3 – Investigate how to provide a unified static model
Implications for Security
Better Static Code Modeling = Better Code Coverage
Analyses that benefit from better coverage:
● Data leak detection
● Aggressive ads
● Trojan horses
● Logic vulnerabilities
● SQL injection detection
● Sensitive operations detection
● Bug detection
● Type-state misuse detection
● Crypto API misuse
● Type confusion detection
● Hijacking
● Spyware
● Vulnerability detection
● Privacy policy compliance
● Logic bombs
● GDPR compliance
Summary
Soundness of Program Analysis (Figure: real behavior of the app versus the model, illustrated on two methods m() and n().)
Analyzing the Unanalyzable: Reflection, Callback, ICC, Native Code, Conditional implicit calls, AICC, and many more question marks
My Dream in Program Analysis: Find the Ultimate Abstractions
• What is currently covered by static analyzers?
• How can frameworks be effectively represented through static modeling?
• How can multi-language software be effectively represented through static modeling?
7th February 2023 - Jordan Samhi