A copy of this work was available on the public web and has been preserved in the Wayback Machine. The capture dates from 2020; you can also visit <a rel="external noopener" href="https://arxiv.org/pdf/1612.05343v1.pdf">the original URL</a>. The file type is <code>application/pdf</code>.
Ripple: Reflection Analysis for Android Apps in Incomplete Information Environments
[article]
<span title="2016-12-16">2016</span>
<i>arXiv</i>
<span class="release-stage" >pre-print</span>
Despite its widespread use in Android apps, reflection poses grave problems for static security analysis. Currently, string inference is applied to handle reflection, resulting in significantly missed security vulnerabilities. In this paper, we bring forward the ubiquity of incomplete information environments (IIEs) for Android apps, where some critical data-flows are missing during static analysis, and the need for resolving reflective calls under IIEs. We present Ripple, the first IIE-aware static reflection analysis for Android apps that resolves reflective calls more soundly than string inference. Validation with 17 popular Android apps from Google Play demonstrates the effectiveness of Ripple in discovering reflective targets with a low false positive rate. As a result, Ripple enables FlowDroid, a taint analysis for Android apps, to find hundreds of sensitive data leakages that would otherwise be missed. As a fundamental analysis, Ripple will be valuable for many security analysis clients, since more program behaviors can now be analyzed under IIEs.
<span class="external-identifiers">
<a target="_blank" rel="external noopener" href="https://arxiv.org/abs/1612.05343v1">arXiv:1612.05343v1</a>
<a target="_blank" rel="external noopener" href="https://fatcat.wiki/release/p2o53ryzxffobgnpndzmbsryma">fatcat:p2o53ryzxffobgnpndzmbsryma</a>
</span>