We are seeking highly motivated Honours/Master students to work on a project investigating the break points in call graphs when performing program analysis on Android apps. Further PhD study may be possible, depending on the student's performance in this project.
Android developers make heavy use of reflection calls and native code in their apps for legitimate reasons. However, these language features are also heavily used to hide malicious actions. Unfortunately, current state-of-the-art static analysis tools for Android are challenged by the presence of such language features, which they usually ignore. Thus, the results of their security analysis, e.g., for private data leaks, are incomplete, given the measures taken by malware writers to elude static detection.
To address this research gap, we plan to propose a new instrumentation-based approach that works in a non-invasive way. Firstly, efforts should be directed towards understanding the root causes that lead to “break points” during program analysis. Additionally, we intend to develop automated tools for rectifying these break points by constructing a unified call graph of all code within Android apps. Our prospective approach needs to augment the original app so that it can be statically analyzed more effectively, including by static analyzers that are not reflection-aware or native-aware. Furthermore, new benchmark apps should be designed based on the identified break point findings. Subsequently, we will evaluate our tool on these benchmark apps, as well as on real-world apps, to provide comprehensive analysis results.
The project requires a strong interest and background in software engineering and program analysis. Experience with Java programming is highly desirable.
Xiaoyu Sun, Li Li, Tegawendé F. Bissyandé, Jacques Klein, Damien Octeau, and John Grundy, Taming reflection: An essential step toward whole-program analysis of Android apps, ACM Transactions on Software Engineering and Methodology (TOSEM), 2021.
Jordan Samhi, Jun Gao, Nadia Daoudi, Pierre Graux, Henri Hoyez, Xiaoyu Sun, Kevin Allix, Tegawendé F. Bissyandé, and Jacques Klein, JuCify: a step towards Android code unification for enhanced static analysis, Proceedings of the 44th International Conference on Software Engineering (ICSE 2022), 2022.