Towards Bridging the Gap Between Dalvik Bytecode and Native Code During Static Analysis of Android Applications

Lantz, Patrik LU and Johansson, Björn (2015) International Wireless Communications and Mobile Computing Conference 2015 In [Host publication title missing]
Abstract
We propose a method for statically analyzing components that can be part of Android applications and which have not been very well analyzed so far, namely native libraries. As of now, third-party native code can be seen as a black box that can be fed input parameters from the Dalvik bytecode context, and output parameters can be returned back to the bytecode context. However, the native code can still initialize and invoke Android API and internal Java-based application classes and methods solely within the native context using an interface towards the Dalvik Virtual Machine. This introduces a contingency during analysis and therefore, it is crucial to understand inner-workings of the native code in order to fully understand the behavior of an application. The contribution of this paper is to bridge the gap between static analysis of Dalvik bytecode and native code by attempting to reconstruct calls to Android APIs and performing data-flow analysis inside native libraries. Our results from real-world applications show that such constructions used for invoking Java code inside native code do exist to some extent and could potentially be used more widely in order to obfuscate applications.
type
Chapter in Book/Report/Conference proceeding
publication status
published
keywords
Android Applications, Native Libraries, Java Native Interface, Static Analysis, Binary Slicing, Data-Flow Analysis
in
[Host publication title missing]
publisher
IEEE--Institute of Electrical and Electronics Engineers Inc.
conference name
International Wireless Communications and Mobile Computing Conference 2015
external identifiers
  • scopus:84949483975
ISBN
978-1-4799-5343-1
DOI
10.1109/IWCMC.2015.7289149
language
English
LU publication?
yes
id
c4827b12-23c8-4807-86f4-3b5820d4949b (old id 5337350)
date added to LUP
2015-09-29 09:18:49
date last changed
2017-01-01 08:01:02
@inproceedings{c4827b12-23c8-4807-86f4-3b5820d4949b,
  abstract     = {We propose a method for statically analyzing components that can be part of Android applications and which have not been very well analyzed so far, namely native libraries. As of now, third-party native code can be seen as a black box that can be fed input parameters from the Dalvik bytecode context, and output parameters can be returned back to the bytecode context. However, the native code can still initialize and invoke Android API and internal Java-based application classes and methods solely within the native context using an interface towards the Dalvik Virtual Machine. This introduces a contingency during analysis and therefore, it is crucial to understand inner-workings of the native code in order to fully understand the behavior of an application. The contribution of this paper is to bridge the gap between static analysis of Dalvik bytecode and native code by attempting to reconstruct calls to Android APIs and performing data-flow analysis inside native libraries. Our results from real-world applications show that such constructions used for invoking Java code inside native code do exist to some extent and could potentially be used more widely in order to obfuscate applications.},
  author       = {Lantz, Patrik and Johansson, Björn},
  booktitle    = {[Host publication title missing]},
  isbn         = {978-1-4799-5343-1},
  keyword      = {Android Applications,Native Libraries,Java Native Interface,Static Analysis,Binary Slicing,Data-Flow Analysis},
  language     = {eng},
  publisher    = {IEEE--Institute of Electrical and Electronics Engineers Inc.},
  title        = {Towards Bridging the Gap Between Dalvik Bytecode and Native Code During Static Analysis of Android Applications},
  url          = {http://dx.doi.org/10.1109/IWCMC.2015.7289149},
  year         = {2015},
}