Reflection analysis for Android apps in incomplete information environments

Authors

Yifei Zhang, Yue Li, Tian Tan, Jingling Xue

Description

Ripple is a static reflection analysis for Android apps that resolves reflective calls more soundly than string inference. This work is introduced in our paper titled "Ripple: Reflection analysis for Android apps in incomplete information environments".

Reflection is widely used in Android apps, yet it poses grave problems for static security analysis. String inference has been the main technique for handling reflection, and as a result a significant number of security vulnerabilities are missed. In Ripple, we highlight how ubiquitous incomplete information environments (IIEs) are for Android apps: settings in which some critical dataflows are missing during static analysis. We also highlight the need to resolve reflective calls under IIEs. Ripple is the first IIE-aware static reflection analysis for Android apps that resolves reflective calls more soundly than string inference. Ripple will be valuable for many security analysis clients, since more program behaviors can now be analyzed under IIEs.

License

GNU Lesser General Public License v2.1

Downloads

The tar.gz file includes the source code of Ripple, which is a Soot project. See Ripple_ReadMe.md for how to use Ripple.

Acknowledgements

The authors wish to thank the Soot team for making Soot available.