Abstract

We propose a method for statically analyzing components that can be part of Android applications and which have received little analysis so far, namely native libraries. As of now, third-party native code can be seen as a black box that can be fed input parameters from the Dalvik bytecode context, with output parameters returned to the bytecode context. However, the native code can still initialize and invoke Android API and internal Java-based application classes and methods entirely within the native context, using an interface to the Dalvik Virtual Machine. This introduces uncertainty into the analysis, and it is therefore crucial to understand the inner workings of the native code in order to fully understand the behavior of an application. The contribution of this paper is to bridge the gap between static analysis of Dalvik bytecode and native code by reconstructing calls to Android APIs and performing data-flow analysis inside native libraries. Our results from real-world applications show that such constructions for invoking Java code from native code do exist to some extent and could potentially be used more widely in order to obfuscate applications.
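As an added illustration (not code from the paper), the following is a minimal version of the reconstruction the abstract describes: a forward data-flow pass over a constructed, already-lifted trace of calls through the JNIEnv function table, which recovers which Java methods the native code invokes and what it passes to them. The JNIEnv slot indices follow the order declared in jni.h; the trace format, register names and the Context object seeded as a JNI parameter are assumptions.

```python
"""Reconstruct Java API calls reached from native code through the JNIEnv table.
Trace (constructed, in the shape a lifter recovers from disassembly): Insn(op, dst, args);
"const_str" loads args[0] into dst; "jni_call" calls *(env + args[0]) with registers
args[1:] as operands (env omitted) and stores the result in dst."""
from collections import namedtuple

Insn = namedtuple("Insn", "op dst args")
# Selected JNINativeInterface slots in jni.h order; 64-bit code calls *(env + 8*i).
JNI_TABLE = {6: "FindClass", 31: "GetObjectClass", 33: "GetMethodID",
             34: "CallObjectMethod", 113: "GetStaticMethodID",
             114: "CallStaticObjectMethod", 167: "NewStringUTF"}

def reconstruct_calls(trace, params, ptr_size=8):
    """Propagate class/methodID/object symbols through registers, seeded with JNI params."""
    regs, calls = dict(params), []
    for insn in trace:
        if insn.op == "const_str":
            regs[insn.dst] = ("str", insn.args[0])
            continue
        offset, *ops = insn.args
        fn = JNI_TABLE.get(offset // ptr_size, "unknown")
        vals = [regs.get(r, ("unknown", r)) for r in ops]
        regs[insn.dst] = ("unknown", fn)            # default, refined by the cases below
        if fn in ("FindClass", "GetObjectClass"):   # literal name, or tracked object's class
            regs[insn.dst] = ("class", vals[0][1])
        elif fn in ("GetMethodID", "GetStaticMethodID"):
            cls, name, sig = (v[1] for v in vals)
            regs[insn.dst] = ("method", f"L{cls};->{name}{sig}")
        elif fn == "NewStringUTF":                  # Java string built from native data
            regs[insn.dst] = ("jstring", vals[0][1])
        elif fn.startswith("Call") and vals[1][0] == "method":
            calls.append((vals[1][1], [v[1] for v in vals[2:]]))
            regs[insn.dst] = ("obj", "result of " + vals[1][1])
    return calls
# Constructed trace: Context passed in as JNI parameter x1 -> TelephonyManager -> getDeviceId()
PARAMS = {"x1": ("obj", "android/content/Context")}
TRACE = [
    Insn("jni_call", "x2", (31 * 8, "x1")),                          # GetObjectClass(ctx)
    Insn("const_str", "x3", ("getSystemService",)),
    Insn("const_str", "x4", ("(Ljava/lang/String;)Ljava/lang/Object;",)),
    Insn("jni_call", "x5", (33 * 8, "x2", "x3", "x4")),              # GetMethodID
    Insn("const_str", "x6", ("phone",)),
    Insn("jni_call", "x7", (167 * 8, "x6")),                         # NewStringUTF
    Insn("jni_call", "x8", (34 * 8, "x1", "x5", "x7")),              # CallObjectMethod
    Insn("const_str", "x9", ("android/telephony/TelephonyManager",)),
    Insn("jni_call", "x10", (6 * 8, "x9")),                          # FindClass
    Insn("const_str", "x3", ("getDeviceId",)),
    Insn("const_str", "x4", ("()Ljava/lang/String;",)),
    Insn("jni_call", "x11", (33 * 8, "x10", "x3", "x4")),            # GetMethodID
    Insn("jni_call", "x12", (34 * 8, "x8", "x11")),                  # CallObjectMethod
]
```

Running `reconstruct_calls(TRACE, PARAMS)` yields the two qualified Java methods the native code reaches, with the string argument recovered for the first; a real lifter would also have to follow the same symbols across basic blocks and through memory, which this register-only pass omits.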
