Identifying unsoundness of call graphs in Android static analysis tools
Analysis techniques are used to test mobile applications for bugs or malicious activity. Market operators such as Google and Amazon use analysis tools to scan applications before deployment. Creating a call graph is a crucial step in many of the static analysis tools for Android applications. Each edge in a call graph is a method call in the application. A sound call graph is one that contains all method calls of an application. The soundness of the call graph is critical for accurate analysis. Unsoundness in the call graph would render analysis of the application flawed. Therefore, any conclusions drawn from an unsound call graph could be invalid. In this project, we analyze the soundness of static call graphs. We propose and develop a novel approach to automatically identify unsoundness. We create a dynamic call graph to examine the soundness of the static call graph. We map the edges of the two graphs. Any edge observed dynamically but not present in the static call graph is a witness for unsoundness. We show that there are edges in the dynamic call graph that are not contained in the static call graph. We analyze 92 applications to find a total of 19,653 edges missed by a state-of-the-art static analysis tool. To further analyze these edges, our tool categorizes them into groups that can help identify the type of method call that was missed by the static analysis tool. These categories pinpoint where further research efforts are necessary to improve current state-of-the-art static analysis capabilities.
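The edge-mapping step described above can be sketched as follows. This is an added example, not code from the project. It assumes the dynamic trace reports methods in smali/JVM-descriptor notation and the static tool in Soot-style `<class: ret name(args)>` notation. The grouping by application versus framework code is a hypothetical stand-in for the project's categories, which the abstract does not list.

```python
import re
from collections import defaultdict
_PRIM = {"V": "void", "Z": "boolean", "B": "byte", "C": "char", "S": "short",
         "I": "int", "J": "long", "F": "float", "D": "double"}  # JVM primitive codes
_SMALI = re.compile(r"^L([^;]+);->([^(]+)\(([^)]*)\)(.+)$")

def _types(desc):
    """Split a descriptor fragment such as 'I[BLjava/lang/String;' into Java type names."""
    out, i = [], 0
    while i < len(desc):
        dims = 0
        while desc[i] == "[":
            dims, i = dims + 1, i + 1
        if desc[i] == "L":
            end = desc.index(";", i)
            name, i = desc[i + 1:end].replace("/", "."), end + 1
        else:
            name, i = _PRIM[desc[i]], i + 1
        out.append(name + "[]" * dims)
    return out

def normalize(method):
    """Rewrite a smali-style signature as '<cls: ret name(args)>'; pass others through."""
    m = _SMALI.match(method)
    if not m:
        return method.strip()
    cls, name, args, ret = m.groups()
    return "<%s: %s %s(%s)>" % (cls.replace("/", "."), _types(ret)[0], name,
                                ",".join(_types(args)))

def witnesses(static_edges, dynamic_edges):
    """Edges observed at run time that the static call graph lacks."""
    static = {(normalize(a), normalize(b)) for a, b in static_edges}
    return sorted({(normalize(a), normalize(b)) for a, b in dynamic_edges} - static)

def categorize(missed, app_prefix):
    """Hypothetical grouping: which side of each missed edge is application code."""
    groups = defaultdict(list)
    for edge in missed:
        sides = ["app" if m[1:].startswith(app_prefix) else "framework" for m in edge]
        groups["->".join(sides)].append(edge)
    return dict(groups)

# Constructed sample data (not from the study): one static edge, three observed edges
STATIC = [("<com.example.app.Main: void onCreate(android.os.Bundle)>", "<com.example.app.Net: void fetch(java.lang.String)>")]
DYNAMIC = [
    ("Lcom/example/app/Main;->onCreate(Landroid/os/Bundle;)V", "Lcom/example/app/Net;->fetch(Ljava/lang/String;)V"),
    ("Landroid/os/Handler;->dispatchMessage(Landroid/os/Message;)V", "Lcom/example/app/Net$1;->handleMessage(Landroid/os/Message;)V"),
    ("Lcom/example/app/Net;->fetch(Ljava/lang/String;)V", "Lcom/example/app/Codec;->decode([BI)[Ljava/lang/String;"),
]
```

Without the normalization step every dynamically observed edge would look like a witness, because the two notations never compare equal as strings.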