Reach Me if You Can: On Native Vulnerability Reachability in Android Apps

Abstract

Android applications ship with several native C/C++ libraries. Research on Android security has revealed that these libraries often come from third-party components that are not kept up to date by developers, possibly posing security concerns. To assess if known vulnerabilities in these libraries constitute an immediate security problem, we need to understand whether vulnerable functions could be reached when apps are executed (we refer to this problem as function reachability). In this paper, we propose DroidReach, a novel, static approach to assess the reachability of native function calls in Android apps. Our framework addresses the limitations of state-of-the-art approaches by employing a combination of heuristics and symbolic execution, allowing for a more accurate reconstruction of the Inter-procedural Control-Flow Graphs (ICFGs). On the top 500 applications from the Google Play Store, DroidReach can detect a significantly higher number of paths in comparison to previous works. Finally, two case studies show how DroidReach can be used as a valuable vulnerability assessment tool.