Taming Reflection
ACM Transactions on Software Engineering and Methodology (IF 4.4), Pub Date: 2021-04-23, DOI: 10.1145/3440033
Xiaoyu Sun (1), Li Li (1), Tegawendé F. Bissyandé (2), Jacques Klein (2), Damien Octeau (3), John Grundy (1)
Android developers heavily use reflection in their apps for legitimate reasons. However, reflection is also widely used to hide malicious actions. Unfortunately, current state-of-the-art static analysis tools for Android are challenged by the presence of reflective calls, which they usually ignore. Thus, the results of their security analysis, e.g., for private data leaks, are incomplete, given the measures malware writers take to elude static detection. We propose a new instrumentation-based approach that addresses this issue in a non-invasive way. Specifically, we introduce to the community a prototype tool called DroidRA, which reduces the resolution of reflective calls to a composite constant propagation problem and then leverages the COAL solver to infer the values of reflection targets. After that, it automatically instruments the app to replace reflective calls with their corresponding Java calls in the traditional (direct-call) paradigm. Our approach augments an app so that it becomes more amenable to static analysis, including by static analyzers that are not reflection-aware. We evaluate DroidRA on benchmark apps as well as on real-world apps, and we demonstrate that it can indeed infer the target values of reflective calls and subsequently allow state-of-the-art tools to provide more sound and complete analysis results.
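The two steps the abstract describes, inferring reflection targets by constant propagation and then rewriting the reflective call as a direct call, can be illustrated on a toy straight-line intermediate representation. The following is an added example written for this page; it is not DroidRA's or COAL's code, and the IR opcodes, the variable names and the class `com.example.Telemetry` are constructed for the illustration. Unlike the abstract's single-value case, it also carries sets of candidate constants through a merge point, so a reflective call with several possible targets is resolved to all of them.

```python
"""Toy model of reflection resolution by constant propagation plus rewriting.

IR statements (constructed for this example, loosely mirroring Java):
  ("const", dst, "lit")              dst = "lit"
  ("unknown", dst)                   dst = value not known statically (e.g. network input)
  ("concat", dst, a, b)              dst = a + b
  ("phi", dst, a, b)                 dst = a or b (merge of two string-valued branches)
  ("forName", dst, name)             dst = Class.forName(name)
  ("getMethod", dst, cls, name)      dst = cls.getMethod(name)
  ("invoke", dst, meth, recv)        dst = meth.invoke(recv)   <- reflective call site
  ("call", dst, [(cls, m), ...], recv)  direct call(s), produced by rewrite()
"""

UNKNOWN = None  # top of the lattice: nothing is known statically


def analyze(stmts):
    """Forward constant propagation over the toy IR.

    The environment maps a variable to one of:
      frozenset of str           a string with one or more possible constant values
      ("class", names)           a Class object whose name lies in `names`
      ("method", cls, names)     a Method object: declaring class in `cls`, name in `names`
      UNKNOWN                    not statically known
    Returns (resolved, unresolved): resolved maps the index of each reflective
    invoke whose target is fully known to (class_names, method_names);
    unresolved lists the indices of invokes that stay opaque.
    """
    env = {}
    resolved, unresolved = {}, []

    def get(var):
        return env.get(var, UNKNOWN)

    for i, st in enumerate(stmts):
        op, dst = st[0], st[1]
        if op == "const":
            env[dst] = frozenset([st[2]])
        elif op == "unknown":
            env[dst] = UNKNOWN
        elif op == "concat":
            a, b = get(st[2]), get(st[3])
            env[dst] = UNKNOWN if UNKNOWN in (a, b) else frozenset(x + y for x in a for y in b)
        elif op == "phi":
            a, b = get(st[2]), get(st[3])
            env[dst] = UNKNOWN if UNKNOWN in (a, b) else a | b
        elif op == "forName":
            env[dst] = ("class", get(st[2]))
        elif op == "getMethod":
            cls = get(st[2])
            cls_names = cls[1] if isinstance(cls, tuple) and cls[0] == "class" else UNKNOWN
            env[dst] = ("method", cls_names, get(st[3]))
        elif op == "invoke":
            m = get(st[2])
            if isinstance(m, tuple) and m[0] == "method" and UNKNOWN not in (m[1], m[2]):
                resolved[i] = (m[1], m[2])
            else:
                unresolved.append(i)
            env[dst] = UNKNOWN  # the call's return value is not modelled
    return resolved, unresolved


def rewrite(stmts):
    """Replace each resolved reflective invoke with a direct-call statement.

    When several targets are possible, all candidates are listed so a downstream
    analyzer sees every edge; unresolved invokes are left untouched.
    """
    resolved, _ = analyze(stmts)
    out = []
    for i, st in enumerate(stmts):
        if i in resolved:
            cls_names, meth_names = resolved[i]
            targets = sorted((c, m) for c in cls_names for m in meth_names)
            out.append(("call", st[1], targets, st[3]))  # st[3] is the receiver
        else:
            out.append(st)
    return out


# Constructed sample, roughly modelling:
#   String cls = "com.example." + "Telemetry";
#   String m   = flag ? "send" : "flush";
#   Method meth = Class.forName(cls).getMethod(m);  meth.invoke(obj);   // resolvable
#   String n = readFromNetwork();                                       // opaque
#   Class.forName(cls).getMethod(n).invoke(obj);                        // stays reflective
SAMPLE = [
    ("const", "p", "com.example."),
    ("const", "s", "Telemetry"),
    ("concat", "cls", "p", "s"),
    ("const", "m1", "send"),
    ("const", "m2", "flush"),
    ("phi", "m", "m1", "m2"),
    ("forName", "c", "cls"),
    ("getMethod", "meth", "c", "m"),
    ("invoke", "r1", "meth", "obj"),
    ("unknown", "n"),
    ("getMethod", "meth2", "c", "n"),
    ("invoke", "r2", "meth2", "obj"),
]

if __name__ == "__main__":
    res, unres = analyze(SAMPLE)
    print("resolved:", {i: (sorted(c), sorted(m)) for i, (c, m) in res.items()})
    print("unresolved invoke indices:", unres)
    for st in rewrite(SAMPLE):
        print(st)
```

The second invoke stays reflective because its method name comes from an `unknown` source, which is exactly the residue a reflection-aware analyzer should report rather than silently drop; the first is rewritten to two candidate direct calls, so a non-reflection-aware tool run afterwards sees both possible edges.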

Updated: 2021-04-23