Android developers heavily use reflection calls/native code in their apps for legitimate reasons. However, the adoption of these language features is also significantly used for hiding malicious actions. Unfortunately, current state-of-the-art static analysis tools for Android are challenged by the presence of such language features which they usually ignore. As a result, the outcomes of their security analysis, such as identifying private data leaks, are incomplete, given the measures taken by malware writers to evade static detection. In this talk, the speaker will introduce her latest work (presented at ICSE'22 and TOSEM’21) aimed at enhancing static analysis through code unification. She will begin by presenting real-world software vulnerabilities and providing background knowledge on static analysis. Subsequently, she will share the corresponding open-source tools developed over years of effort.

Xiaoyu Sun is a Lecturer of Software Engineering at Australian National University. She obtained her Phd degree from Monash University. Her research field interests mainly lie in the field of Mobile Software Engineering (i.e., Mobile Security and quality assurance) and Intelligent Software Engineering (SE4AI, AI4SE). In particular, her research focuses on applying static code analysis and dynamic program testing techniques to strengthen the security and reliability of software systems. Specifically, her current research projects include developing tools for Android defects detection, e.g., compatibility issues, and privacy leaks. Xiaoyu's research has been published in top-tier conferences and journals including ICSE, ASE, TOSEM, ISSRE, MSR, and IST. She has also established extensive collaboration with the industry, including Bytedance and Alibaba.