Static Flow Analysis for Hybrid and Native Android Applications

Claudio Rizzo

Research output: ThesisDoctoral Thesis

597 Downloads (Pure)


Android applications consist of different components, interacting with each other, developed in different programming languages. While Java is at the core of an Android app, it may require to interact with the web or perform low-level Operating System (OS) operations. For example, Android Webviews are in-app browsers that expose interfaces to the JavaScript in the web page loaded to communicate with Java. Similarly, Android supports native code components that Java invokes via the Java Native Interface (JNI) framework. The ways of interaction of these components may introduce new security concerns the analyses need to address. Unfortunately, work so far has not addressed these mechanisms, compromising on precision and leaving potential security-critical bugs undiscovered.
In this thesis, we propose new techniques to enable existing analyses to consider the multi-language nature of an Android application. First, we focus on Android Webviews. To this end, we developed BabelView, a tool that uses information flow analysis to assess the security of Web- views. Our idea is that we can make reasoning about JavaScript semantics unnecessary by instrumenting the application with a model of possible attacker behavior – the BabelView. We evaluated our approach on a sample of 25,000 apps from the Google Play Store, finding 10,808 potential vulnerabilities in 4,997 apps, having over 3 billion installations worldwide. We manually validated BabelView on a sample of 50 apps and estimated our fully automated analysis achieves a precision of 81% at a recall of 89%.

Second, we focus on enabling analyses for Android native code. We created a new framework, JniFuzzer, which enables fuzzing for Android JNIs. We used JniFuzzer on real-world Android apps, finding potential vulnerabilities that we report as case studies. We then developed TaintSaviour, a Proof of Concept (PoC) tool which uses a black-box approach to generate summaries for JNIs. We implemented TaintSaviour as a plug-in of JniFuzzer, and we present a preliminary evaluation showing that our approach is viable and practical.
Original languageEnglish
Awarding Institution
  • Royal Holloway, University of London
  • Kinder, Johannes, Supervisor
  • Cavallaro, Lorenzo, Supervisor
Award date1 Dec 2020
Publication statusUnpublished - 2020


  • Android
  • Static Analysis
  • Information Security
  • Computer Security
  • Computer Science
  • WebView
  • JNI

Cite this