GAPS: Guiding Dynamic Android Analysis with Static Path Synthesis
Samuele Doria, Eleonora Losiouk
TL;DR
The paper addresses the challenge of attaining method-level reachability in Android apps during dynamic analysis, especially for code outside GUI components. It introduces GAPS, a framework that performs target-oriented static analysis to synthesize backward, context-sensitive call-paths and translate them into high-level GUI interaction plans to guide dynamic exploration. Empirical evaluation on the AndroTest benchmark shows GAPS achieves 88.24% static reachability and 57.44% dynamic reachability, outperforming state-of-the-art GUI testers and static-path tools; real-world App Store apps yield 62.03% static and 59.86% dynamic reachability, validating practicality at scale. Overall, GAPS demonstrates how targeted static guidance can substantially improve both the precision and efficiency of Android dynamic analysis, offering a practical path toward robust vulnerability validation and behavioral analysis.
Abstract
Dynamically resolving method reachability in Android applications remains a critical and largely unsolved problem. Despite notable advancements in GUI testing and static call graph construction, current tools are insufficient for reliably driving execution toward specific target methods, especially those not embedded in a graphical component (e.g., libraries' methods), a capability essential for tasks such as vulnerability validation, debugging, and behavioral analysis. We present GAPS (Graph-based Automated Path Synthesizer), the first system that integrates static, method-guided call graph analysis with dynamic, interaction-driven execution. GAPS performs a lightweight backward traversal of the call graph, guided by data-flow analysis, to reconstruct paths reaching the target methods. These paths are then translated into instructions that guide runtime app exploration. On the AndroTest benchmark, GAPS statically identifies paths to reach 88.24% of the target methods in just 4.27 seconds per app and dynamically reaches 57.44% of them. In contrast, state-of-the-art dynamic interaction tools show significantly lower reachability over three runs: APE, one of the best model-based GUI testers, achieves 12.82%, while GoalExplorer, a hybrid analysis tool, reaches 9.69%, and Guardian, an LLM-based UI automator, reaches 17.12%. Static analysis tools also fall short: FlowDroid and DroidReach identify paths to reach 58.81% and 9.48% of the targets, requiring 35.06 seconds and 23.46 seconds per app, respectively. Finally, an evaluation on the 50 most downloaded real-world apps demonstrates GAPS's practical utility in analyzing security-critical code under a realistic scenario. With an average static analysis time of 278.9 seconds, GAPS statically reconstructs paths to 62.03% of the target methods and dynamically reaches 59.86% of them.
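A simplified sketch of the backward call-graph traversal the abstract describes, added here as an example and not taken from GAPS: it walks from a target method back through its callers until it reaches an entry point, and shows how cycles and unreachable callers are handled. The call graph, method names and entry-point set are constructed, and the data-flow guidance and context sensitivity that GAPS applies are left out.

```python
from collections import defaultdict

# Added illustration, not GAPS's implementation.
# Constructed call graph (caller -> callees); all method names are hypothetical.
CALL_GRAPH = {
    "MainActivity.onCreate": ["MainActivity.setupUi"],
    "MainActivity.onSyncClick": ["SyncManager.start"],
    "SettingsActivity.onExportClick": ["Exporter.run"],
    "SyncManager.start": ["HttpClient.post", "SyncManager.retry"],
    "SyncManager.retry": ["SyncManager.start"],  # recursion: forms a cycle
    "Exporter.run": ["HttpClient.post"],
    "HttpClient.post": ["CryptoUtil.sign"],
    "Orphan.helper": ["CryptoUtil.sign"],  # never called from an entry point
}
# Assumed entry points: lifecycle and GUI callbacks invoked by the framework.
ENTRY_POINTS = {
    "MainActivity.onCreate",
    "MainActivity.onSyncClick",
    "SettingsActivity.onExportClick",
}


def invert(graph):
    """Build callee -> callers so the search can walk backward from the target."""
    callers = defaultdict(set)
    for caller, callees in graph.items():
        for callee in callees:
            callers[callee].add(caller)
    return callers


def backward_paths(target, graph, entry_points, max_depth=20):
    """Return every acyclic call path entry -> ... -> target, found backward."""
    callers = invert(graph)
    paths = []
    stack = [(target, (target,))]  # (current method, path from it to the target)
    while stack:
        method, path = stack.pop()
        if method in entry_points:
            paths.append(list(path))  # reached a method the framework can invoke
            continue
        if len(path) >= max_depth:
            continue  # bound the search on very deep call chains
        for caller in callers.get(method, ()):
            if caller not in path:  # skip callers already on the path (cycle)
                stack.append((caller, (caller,) + path))
    return sorted(paths)


if __name__ == "__main__":
    for p in backward_paths("CryptoUtil.sign", CALL_GRAPH, ENTRY_POINTS):
        print(" -> ".join(p))
```

The first element of each returned path is the callback that dynamic exploration would have to trigger; a target with no path back to an entry point, such as one reached only through `Orphan.helper`, yields nothing to drive.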
