Static Analysis for Android: GUIs, Callbacks, and Beyond
Atanas (Nasko) Rountev
Joint work with Dacong Yan, Shengqian Yang, Haowei Wu, Yan Wang, Hailong Zhang
Ohio State University
PRESTO: Program Analyses and Software Tools Research Group
Support by NSF CCF-1319695 and Google Faculty Research Award

Take-Home Messages

- Android software is important
- Foundations for control-flow and data-flow static analysis for Android are weak
- Need to use Android-specific semantics in static analysis algorithms: challenges and opportunities
- Many open problems
  − Foundational: static modeling of control/data flow
  − Analysis uses: beyond security

Exciting area for program analysis research

Importance of Android

- Very large number of devices and apps
  − Estimate: 1.3 billion devices will be shipped in 2015
  − 1.5 million apps in Google Play, many thousands in other app stores (e.g., Amazon Appstore)
- Rapid growth and widespread use in daily life
  − Beyond phones and tablets: wearables, appliances, …
- For PL and SE researchers: improved software quality and developer productivity through better program understanding, checking, transformation, optimization, testing, debugging, …

Foundations for Static Analysis

- Control-flow analysis
  − Traditional: intra- and inter-procedural CFGs
  − Android: event-driven control flow; managed by the framework; often uses concurrency
- Data-flow analysis
  − Traditional: associate a lattice element with each CFG node; propagate using node transfer functions
  − Android: silently propagates data through the framework code; special values (e.g., integers used as ids); complex Android-specific semantics for some CFG nodes

We do not know how to perform general control/data-flow analysis for Android

Two Building Blocks of Control-Flow Analysis

- GUI events and their handlers [CGO’14]
  − More generally, what is the structure of the GUI?
  − Challenges: modeling of high-level semantics for Android constructs; many features and variations
- GUI changes triggered by event handlers [ICSE’15]
  − More generally, what is the behavior of the GUI?
  − Limited focus: GUI-event control flow in the main thread
- Should we include the framework code? No
  − Unlike whole-program analysis for Java, we “embed” the high-level semantics of android.* classes in the analysis
  − Benefits and disadvantages

Windows, Widgets, and Handlers

- GUI elements
  − Activity: on-screen window with GUI widgets (views). Other windows as well: menus and dialogs
  − Event handlers: defined in listener objects and associated with views to respond to user actions
- Need to model statically:
  − Views and their hierarchical structure
  − Association of views with activities
  − Association of views with listeners
  − Variables that refer to views, activities, and listeners
- Underneath, this is a form of points-to analysis

MyActivity.java:

    class MyActivity extends Activity {
      void onCreate() {
        this.setContentView(R.layout.main);        // Inflate
        View a = this.findViewById(R.id.my_btn);   // FindView
        Button b = (Button) a;
        ButtonListener c = new ButtonListener();
        b.setOnClickListener(c);                   // SetListener
      }
    }

ButtonListener.java:

    class ButtonListener implements OnClickListener {
      void onClick(View d) { ... }
    }

main.xml:

    <RelativeLayout ...>
      <Button android:id="@+id/my_btn" ... />
    </RelativeLayout>

[Figure: view hierarchy inflated from main.xml: RelativeLayout, with child Button (id my_btn)]

Android-Specific Semantics

- Inflate: create a hierarchy of views from XML specs and attach to an activity or to a view
- CreateView: programmatically create with new V
- FindView: look up a view from activity or from ancestor view (e.g., using integer id)
- SetListener: associate view and listener
- AddView: parent-child relationship for two views
- SetId: programmatically set the id of a view
- This high-level semantics is integrated with a standard constraint-based points-to-like analysis for Java

Propagation edges and relevant nodes

    1 class MyActivity extends Activity {
    2   void onCreate() {
    3     this.setContentView(R.layout.main);        // Inflate
    4     View a = this.findViewById(R.id.my_btn);   // FindView
    5     Button b = (Button) a;
    6     ButtonListener c = new ButtonListener();
    7     b.setOnClickListener(c);                   // SetListener
        } }
      ... ... ...
    9   void onClick(View d) { ... } }

[Figure: constraint graph with propagation edges over the nodes MyActivity, this3, Inflate, id:main, FindView, id:my_btn, a, b, SetListener, ButtonListener, c, this9 and d]

Property edges and relevant nodes

    1 class MyActivity extends Activity {
    2   void onCreate() {
    3     this.setContentView(R.layout.main);        // Inflate
    4     View a = this.findViewById(R.id.my_btn);   // FindView
    5     Button b = (Button) a;
    6     ButtonListener c = new ButtonListener();
    7     b.setOnClickListener(c);                   // SetListener
        } }

[Figure: graph with property edges over the nodes MyActivity, RelativeLayout, Button, ButtonListener, id:my_btn and Inflate; edge labels: root, child, view id, listener, inflater]

Implementation

- Input: Java bytecode and relevant XML files
- Output
  − Parent-child hierarchy for views
  − Association of windows with root views
  − Association of views with listeners
  − Variables/fields pointing to views, activities, listeners
- Algorithm (in Soot)
  − Initial constraint graph from app code
  − Solve propagation constraints for ids, windows, listeners
  − Fixed-point computation for the flow of views
- Fast running time; reasonable precision; room for improvement (precision & Android GUI features)
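
The Inflate, FindView and SetListener rules can be seen at work in a small fixed-point solver run on the MyActivity example. This is an added illustration, not the authors' Soot-based implementation: the tuple-based statement encoding, the node names such as `Button@main/0`, and the `HANDLER_PARAM` table are assumptions made here, and the cast `(Button) a` is treated as a plain assignment with no type filtering.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed layout resource, modelled on main.xml from the slides.
LAYOUTS = {
    "main": '<RelativeLayout xmlns:android='
            '"http://schemas.android.com/apk/res/android">'
            '<Button android:id="@+id/my_btn"/></RelativeLayout>',
}

# Hypothetical mini-IR for the slides' app code (not Soot's representation).
STATEMENTS = [
    ("alloc", "this3", "MyActivity"),        # receiver of MyActivity.onCreate
    ("inflate", "this3", "main"),            # this.setContentView(R.layout.main)
    ("findview", "a", "this3", "my_btn"),    # a = this.findViewById(R.id.my_btn)
    ("assign", "b", "a"),                    # b = (Button) a
    ("alloc", "c", "ButtonListener"),        # c = new ButtonListener()
    ("setlistener", "b", "c"),               # b.setOnClickListener(c)
]
# Assumed: handler parameter that receives the clicked view, per listener class.
HANDLER_PARAM = {"ButtonListener": "d"}      # void onClick(View d)


def inflate(layout, child, view_id):
    """Create abstract view nodes for a layout; return the root view node."""
    def walk(elem, path):
        node = f"{elem.tag}@{layout}{path}"
        raw_id = elem.get(ANDROID_NS + "id")
        if raw_id:
            view_id[node] = raw_id.split("/", 1)[1]   # "@+id/my_btn" -> "my_btn"
        for i, sub in enumerate(elem):
            child[node].add(walk(sub, f"{path}/{i}"))
        return node
    return walk(ET.fromstring(LAYOUTS[layout]), "")


def subtree(view, child):
    """The view and all of its descendants in the parent-child hierarchy."""
    seen, work = set(), [view]
    while work:
        v = work.pop()
        if v not in seen:
            seen.add(v)
            work.extend(child.get(v, ()))
    return seen


def analyze(statements):
    """Flow-insensitive fixed point over the statements; returns the GUI model."""
    pts = defaultdict(set)                   # variable -> abstract objects
    root, child, listener = defaultdict(set), defaultdict(set), defaultdict(set)
    view_id = {}
    changed = True

    def add(target, values):
        nonlocal changed
        new = set(values) - target
        if new:
            target |= new
            changed = True

    while changed:
        changed = False
        for op, *args in statements:
            if op == "alloc":
                add(pts[args[0]], {args[1]})
            elif op == "assign":
                add(pts[args[0]], pts[args[1]])
            elif op == "inflate":            # Inflate: window gets a root view
                for window in list(pts[args[0]]):
                    add(root[window], {inflate(args[1], child, view_id)})
            elif op == "findview":           # FindView: search by id below receiver
                lhs, recv, wanted = args
                for obj in list(pts[recv]):
                    for start in root.get(obj, {obj}):
                        add(pts[lhs], {v for v in subtree(start, child)
                                       if view_id.get(v) == wanted})
            elif op == "setlistener":        # SetListener: associate view, listener
                for view in list(pts[args[0]]):
                    for lst in list(pts[args[1]]):
                        add(listener[view], {lst})
                        # the framework later passes the view to the handler
                        add(pts[HANDLER_PARAM[lst]], {view})

    handlers = sorted((w, v, l) for w, roots in root.items() for r in roots
                      for v in subtree(r, child) for l in listener.get(v, ()))
    return {
        "root": {k: sorted(v) for k, v in root.items() if v},
        "child": {k: sorted(v) for k, v in child.items() if v},
        "view_id": dict(view_id),
        "listener": {k: sorted(v) for k, v in listener.items() if v},
        "pts": {k: sorted(v) for k, v in pts.items() if v},
        "handlers": handlers,
    }


if __name__ == "__main__":
    for key, value in analyze(STATEMENTS).items():
        print(key, value)
```

Because the rules are solved to a fixed point, the result does not depend on statement order: feeding the statements in reverse yields the same model, only after more iterations.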

Control Flow in the UI Thread

- Given the windows, views, and handlers, what is the possible control flow due to GUI events?
- A GUI event triggers callbacks for
  − Event handling: e.g., onClick
  − Window lifetime management: e.g., if onClick starts a new activity, onCreate will be called on this activity by the framework code

More generally: What are all possible sequences of callbacks? What are the values for their framework-provided parameters? Key question for control/data-flow analysis, but no good answer yet

    class Main extends Activity {
      void onCreate() {
        … // Add four ImageButton widgets with ids R.id.infoBtn,
        … // R.id.helpBtn, R.id.manageBtn, and R.id.multiBtn
        EventHandler handler = new EventHandler();
        … // Associate handler with each of the four buttons
      }
    }

    class EventHandler implements OnClickListener {
      void onClick(View v) {
        switch (v.getId()) {
          case R.id.infoBtn:
            Intent info = new Intent(DirectoryInfo.class); startActivity(info); break;
          case R.id.helpBtn:
            Intent help = new Intent(HelpManager.class); startActivity(help); break;
          case R.id.manageBtn:
            AlertDialog dialog = …; dialog.show(); break;
          default: …; break;
        }
      }
    }

[Figure: callbacks EventHandler.onClick, Main.onCreate, DirectoryInfo.onCreate, HelpManager.onCreate and AlertDialog.onCreate, with a few ordering constraints]

Our Goals

- Representation of callback ordering constraints
  − Within a window and across windows
  − Consider the invocation context of a callback: the framework-provided parameter representing the view (for event handlers) or the window (for lifecycle callbacks)
- Context-sensitive interprocedural analysis of callbacks to find ordering constraints
- Client analysis: GUI model construction for program understanding and testing

Callback Control-Flow Graph

[Figure: callback control-flow graph with nodes onCreate [Main], onClick [info-btn], onClick [help-btn], onClick [manage-btn], onClick [multi-btn], onCreate [DirectoryInfo], onCreate [HelpManager], onCreate [AlertDialog], onDestroy [DirectoryInfo] and onDestroy [Main]]
![Page 44: Static Analysis for Android: GUIs, Callbacks, and Beyond · Static Analysis for Android: GUIs, Callbacks, and Beyond Atanas ... framework; often uses ... GUI events and their handlers](https://reader033.fdocuments.in/reader033/viewer/2022051406/5ac488907f8b9a2b5c8d126b/html5/thumbnails/44.jpg)
Given [handler, widget], what could be the next callback executed after handler completes?

    void onClick(View v) {
      switch (v.getId()) {
        case R.id.infoBtn:
          Intent info = new Intent(DirectoryInfo.class); startActivity(info); break;
        case R.id.helpBtn:
          Intent help = new Intent(HelpManager.class); startActivity(help); break;
        case R.id.manageBtn:
          AlertDialog dialog = …; dialog.show(); break;
        default: …; break;
      }
    }

Trigger: API call to open a new window, or to close the current one
[Slide annotations on the code: "trigger statements", "no trigger"]
![Page 45: Static Analysis for Android: GUIs, Callbacks, and Beyond · Static Analysis for Android: GUIs, Callbacks, and Beyond Atanas ... framework; often uses ... GUI events and their handlers](https://reader033.fdocuments.in/reader033/viewer/2022051406/5ac488907f8b9a2b5c8d126b/html5/thumbnails/45.jpg)
Analysis Algorithm
Given [handler, widget], which trigger statements are reached? Can we avoid all triggers?
Interprocedural reachability on the control-flow graphs of handler and its transitive callees
  − Matching of calls and returns during traversal
  − Finds reachable triggers
  − Determines if the exit of handler is reached without going through triggers
But: we also need to take into account widget
![Page 46: Static Analysis for Android: GUIs, Callbacks, and Beyond · Static Analysis for Android: GUIs, Callbacks, and Beyond Atanas ... framework; often uses ... GUI events and their handlers](https://reader033.fdocuments.in/reader033/viewer/2022051406/5ac488907f8b9a2b5c8d126b/html5/thumbnails/46.jpg)
    void onClick(View v) {
      switch (v.getId()) {
        case R.id.infoBtn:
          Intent info = new Intent(DirectoryInfo.class); startActivity(info); break;
        case R.id.helpBtn:
          Intent help = new Intent(HelpManager.class); startActivity(help); break;
        case R.id.manageBtn:
          AlertDialog dialog = …; dialog.show(); break;
        default: …; break;
      }
    }

Context-insensitive analysis of [onClick, info-btn]
  triggers = { startActivity(info), startActivity(help), dialog.show() }
  can avoid triggers = true
Context-sensitive analysis of [onClick, info-btn]
  triggers = { startActivity(info) }
  can avoid triggers = false
[Slide annotation: calling context of event handler]
![Page 47: Static Analysis for Android: GUIs, Callbacks, and Beyond · Static Analysis for Android: GUIs, Callbacks, and Beyond Atanas ... framework; often uses ... GUI events and their handlers](https://reader033.fdocuments.in/reader033/viewer/2022051406/5ac488907f8b9a2b5c8d126b/html5/thumbnails/47.jpg)
Adding Context Sensitivity
Given [handler, widget], which control-flow graph edges are feasible under context widget?
  switch(v.getId()) for info-btn: which branch is feasible?
Interprocedural constant propagation of
  − references: v at v.getId() can only be the static widget info-btn
  − integers for widget ids: v.getId() can only be the integer constant R.id.infoBtn
  − booleans: (x == y) and (x != y) for widget ids
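
The [onClick, widget] results shown on the preceding slides can be reproduced with a small reachability analysis over the handler's control-flow graph. This is an added example, not part of the original slides or the GATOR toolkit; it models only the single onClick handler (no callees, so no call/return matching), and the integer widget ids and node names are constructed stand-ins.

```python
# Added illustration, not GATOR code. Integer ids stand in for R.id.* constants.
IDS = {"info-btn": 1, "help-btn": 2, "manage-btn": 3, "multi-btn": 4}
TRIGGERS = {"startActivity(info)", "startActivity(help)", "dialog.show()"}
CASE_CONSTANTS = {1, 2, 3}

# Control-flow graph of onClick: node -> [(successor, guard)].
# A guard is the case constant on a switch edge, "default", or None (unconditional).
CFG = {
    "entry": [("switch(v.getId())", None)],
    "switch(v.getId())": [("new Intent(DirectoryInfo)", 1),
                          ("new Intent(HelpManager)", 2),
                          ("new AlertDialog", 3),
                          ("default", "default")],
    "new Intent(DirectoryInfo)": [("startActivity(info)", None)],
    "new Intent(HelpManager)": [("startActivity(help)", None)],
    "new AlertDialog": [("dialog.show()", None)],
    "startActivity(info)": [("exit", None)],
    "startActivity(help)": [("exit", None)],
    "dialog.show()": [("exit", None)],
    "default": [("exit", None)],
}

def feasible(guard, widget):
    """Is a CFG edge feasible under the widget context (None = no context)?"""
    if guard is None or widget is None:
        return True
    wid = IDS[widget]  # constant propagation: v.getId() can only be wid
    if guard == "default":
        return wid not in CASE_CONSTANTS
    return guard == wid

def reach(widget, stop):
    """Nodes reachable from entry on feasible edges, not continuing past `stop`."""
    seen, work = {"entry"}, ["entry"]
    while work:
        node = work.pop()
        if node in stop:
            continue
        for succ, guard in CFG.get(node, []):
            if succ not in seen and feasible(guard, widget):
                seen.add(succ)
                work.append(succ)
    return seen

def analyze(widget=None):
    """Return (reachable triggers, whether exit is reachable avoiding all triggers)."""
    triggers = reach(widget, set()) & TRIGGERS
    can_avoid = "exit" in reach(widget, TRIGGERS)
    return triggers, can_avoid
```

Calling `analyze()` gives the context-insensitive result and `analyze("info-btn")` the context-sensitive one; `analyze("multi-btn")` shows a context whose only feasible path is the trigger-free default branch.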
![Page 48: Static Analysis for Android: GUIs, Callbacks, and Beyond · Static Analysis for Android: GUIs, Callbacks, and Beyond Atanas ... framework; often uses ... GUI events and their handlers](https://reader033.fdocuments.in/reader033/viewer/2022051406/5ac488907f8b9a2b5c8d126b/html5/thumbnails/48.jpg)
Evaluation
Implementation in our GATOR analysis toolkit
  − web.cse.ohio-state.edu/presto/software
  − Based on the Soot framework
  − Latest version released in April; planning a new version in the summer
Evaluated on 20 open-source applications
  − Cost: less than 1 min for most of the analyzed applications
  − Precision: context sensitivity significantly improves CCFGs and GUI models derived from them
![Page 49: Static Analysis for Android: GUIs, Callbacks, and Beyond · Static Analysis for Android: GUIs, Callbacks, and Beyond Atanas ... framework; often uses ... GUI events and their handlers](https://reader033.fdocuments.in/reader033/viewer/2022051406/5ac488907f8b9a2b5c8d126b/html5/thumbnails/49.jpg)
[Chart: Average Out-degree of Event Handler Nodes; series: Context-insensitive, Context-sensitive]
![Page 50: Static Analysis for Android: GUIs, Callbacks, and Beyond · Static Analysis for Android: GUIs, Callbacks, and Beyond Atanas ... framework; often uses ... GUI events and their handlers](https://reader033.fdocuments.in/reader033/viewer/2022051406/5ac488907f8b9a2b5c8d126b/html5/thumbnails/50.jpg)
Example of a Client: GUI Model
Nodes are windows, edges are transitions triggered by event handlers
  − Not complete: does not consider default events and general window-close effects
  − For program understanding and test generation
Comparison of
  − Context-insensitive and context-sensitive analysis
  − Precise static solution (constructed manually)
  − GUI ripping tool: which edges from the precise static solution are discovered during ripping
![Page 51: Static Analysis for Android: GUIs, Callbacks, and Beyond · Static Analysis for Android: GUIs, Callbacks, and Beyond Atanas ... framework; often uses ... GUI events and their handlers](https://reader033.fdocuments.in/reader033/viewer/2022051406/5ac488907f8b9a2b5c8d126b/html5/thumbnails/51.jpg)
[Chart: Number of GUI Model Edges; applications: APV Barcode Manager SuperGen Tipper VuDroid; series: Context-insensitive, Context-sensitive, Precise, Ripper]
![Page 52: Static Analysis for Android: GUIs, Callbacks, and Beyond · Static Analysis for Android: GUIs, Callbacks, and Beyond Atanas ... framework; often uses ... GUI events and their handlers](https://reader033.fdocuments.in/reader033/viewer/2022051406/5ac488907f8b9a2b5c8d126b/html5/thumbnails/52.jpg)
Open Questions
Foundations for control-flow and data-flow analysis for Android are weak
Proper abstractions for GUI-driven control flow: more complex than the CCFG; we have some new results (similar to “ICFG valid path traversal”)
Other callbacks: e.g., battery changes; GPS reads; …
Concurrency: e.g., AsyncTask
Implicit data flow through the framework code
Dependences between analyses: e.g., GUI analysis and intent analysis depend on each other
![Page 53: Static Analysis for Android: GUIs, Callbacks, and Beyond · Static Analysis for Android: GUIs, Callbacks, and Beyond Atanas ... framework; often uses ... GUI events and their handlers](https://reader033.fdocuments.in/reader033/viewer/2022051406/5ac488907f8b9a2b5c8d126b/html5/thumbnails/53.jpg)
Open Questions
Need to use Android-specific semantics in static analysis algorithms
Semantics is unspecified, complex, and evolving
How do we capture the relevant aspects of the high-level semantics?
How do we verify that our understanding is correct?
How do we evolve these specifications with new Android releases?
How do we evaluate the “coverage” of this semantics by different static analyses?
Will probably have to employ run-time analysis
![Page 54: Static Analysis for Android: GUIs, Callbacks, and Beyond · Static Analysis for Android: GUIs, Callbacks, and Beyond Atanas ... framework; often uses ... GUI events and their handlers](https://reader033.fdocuments.in/reader033/viewer/2022051406/5ac488907f8b9a2b5c8d126b/html5/thumbnails/54.jpg)
Open Questions
Diversify the uses of static analysis for Android
A lot of work related to security, but what else?
Evolution due to API/device changes
Automated test generation (we have some initial work)
Performance optimizations: responsiveness, energy
Static checking: leaks, concurrency, etc.
Detection of app cloning
More …
![Page 55: Static Analysis for Android: GUIs, Callbacks, and Beyond · Static Analysis for Android: GUIs, Callbacks, and Beyond Atanas ... framework; often uses ... GUI events and their handlers](https://reader033.fdocuments.in/reader033/viewer/2022051406/5ac488907f8b9a2b5c8d126b/html5/thumbnails/55.jpg)
Thank you
Questions?