Benchmark apps that highlight reachability analysis challenges in the native world of Android applications.
The compiled applications are stored under the `apks` subdirectory.

| id | name | description | ArgusSaf | Ghidra | DroidReach |
|---|---|---|---|---|---|
| 0 | StaticMapping | JNI Method bound to a Java native method through name mangling | ☒ | n/a | ☒ |
| 1 | StaticMappingOverload | JNI Method bound to a Java native method through name mangling (method overload) | ☒ | n/a | ☒ |
| 2 | DynamicMapping | JNI Method bound to a Java native method using RegisterNatives API | ☒ (1) | n/a | ☒ |
| 3 | DynamicMappingClash | JNI Method bound to a Java native method using RegisterNatives API (clash in class name) | ☒ (1) | n/a | ☒ (1) |
| 4 | DynamicMappingNonglobal | JNI Method bound to a Java native method using RegisterNatives API (non-global array) | ☒ (1) | n/a | ☒ (1) |
| 5 | DynamicMappingComplex | JNI Method bound to a Java native method using RegisterNatives API (complex code) | ☐ | n/a | ☒ |
| 6 | NestedLib | JNI Method calls another linked library | ☐ (2) | ☐ (3) | ☒ |
| 7 | HighDepth | The target function is called with a high calldepth | ☐ (4) | ☒ | ☒ |
| 8 | IndirectJmp | The target function is called after an indirect call (C++ virtual call) | ☒ | ☐ | ☒ |
| 9 | IndirectJmpVariant | The target function is called after an indirect call (C++ virtual call) | ☒ | ☐ | ☒ |
| 10 | IndirectJmpVariant2 | The target function is called after an indirect call (function pointer) | ☒ | ☐ | ☒ |
| 11 | IndirectJmpHighDepth | The target function is called at a high calldepth after an indirect call (at small depth) | ☐ (4) | ☐ | ☒ |
| 12 | IndirectJmpHighDepthVariant | The target function is called at a high calldepth after an indirect call (at high depth) | ☐ (4) | ☐ | ☐ (4) |

(1): Slow, uses symbolic execution.

(2): For the coarse-grained evaluation, we developed a variant of ArgusSaf that can reason on nested libraries.

(3): For the coarse-grained evaluation, Ghidra was enhanced to deal with nested libraries.

(4): It is possible to increase the calldepth, but there is a trade-off between running time/memory usage and the desired calldepth.

n/a: not applicable, e.g., Ghidra is not involved in the resolution of JNI mapping.