The popularity of Android software has grown dramatically in the last
few years. It is essential for researchers in programming languages
and compilers to contribute new techniques in this increasingly
important area. Such techniques require a foundation of program
analyses for Android. The target of our work is static object
reference analysis, which models the flow of object references.
Existing reference analyses cannot be applied directly to Android
because the software is component-based and event-driven.
An Android application is driven by a graphical user interface (GUI),
with GUI objects responding to user actions. These objects and the
event handlers associated with them ultimately determine the possible
flow of control and data. We propose the first static analysis to
model GUI-related Android objects, their flow through the application,
and their interactions with each other via the abstractions defined by
the Android platform. A formal semantics for the relevant Android
constructs is developed to provide a solid foundation for this and
other analyses. Next, we propose a constraint-based reference analysis
based on the semantics. The analysis employs a constraint graph to
model the flow of GUI objects, the hierarchical structure of these
objects, and the effects of relevant Android operations. Experimental
evaluation on real-world Android applications strongly suggests that
the analysis achieves high precision with low cost.
The analysis enables static modeling of control/data flow that is
foundational for compiler analyses, instrumentation for
event/interaction profiling, static error checking, security analysis,
test generation, and automated debugging. It provides a key component
to be used by compile-time analysis researchers in the growing area of
Android software.
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Static Reference Analysis for GUI Objects in Android Software
1. Sta$c
Reference
Analysis
for
GUI
Objects
in
Android
So9ware
Atanas
Rountev,
Dacong
(Tony)
Yan
Ohio
State
University
PRESTO:
Program
Analyses
and
So5ware
Tools
Research
Group,
Ohio
State
University
2. MoFvaFon
and
Background
• Android
so5ware
is
used
by
millions
of
users
• Requires
foundaFonal
program
analyses
for
improved
performance
and
quality
• StaFc
reference
analysis
for
Java
•
•
•
•
What
is
the
set
of
run-‐Fme
objects?
Which
variables
contain
references
to
which
objects?
CriFcal
component
of
data-‐
and
control-‐flow
analysis
Prerequisite
for
many
other
techniques
• ExisFng
work
cannot
be
applied
directly
to
Android
• Goal:
develop
a
precise
and
efficient
staFc
reference
analysis
for
Android-‐specific
features
2
3. StaFc
Reference
Analysis
for
Android
Features
• Android
applicaFon
• Driven
by
a
graphical
user
interface
(GUI)
• Ac#vity:
on-‐screen
window
with
GUI
elements
(views)
• Event
handlers:
defined
in
listeners
and
associated
with
views
to
respond
to
user
acFons
• Need
to
model
staFcally
•
•
•
•
3
Views
and
their
hierarchical
structure
AssociaFon
of
views
with
acFviFes
AssociaFon
of
views
with
listeners
Variables
that
refer
to
views,
acFviFes,
and
listeners
16. Modeled
Android
OperaFons
• Inflate
• Create
GUI
structure
from
XML
and
aach
to
acFvity/view
• CreateView
• ProgrammaFcally
create
a
view
through
new
V
• FindView
• Lookup
a
view
from
acFvity
or
ancestor
view
(e.g.,
by
ID)
• SetListener
• Associate
view
and
listener
• AddView
• Establish
parent-‐child
relaFonship
between
two
views
• SetId
16
• ProgrammaFcally
set
the
ID
of
a
view
17. Our
Proposal
• Define
formal
seman#cs
of
GUI-‐related
Android
constructs
• Encode
semanFcs
of
an
Android
applicaFon
in
a
constraint
graph
• Perform
constraint-‐based
staFc
reference
analysis
17
18. 1
2
Example
class MyActivity extends Activity {!
void onCreate() {!
3
this.setContentView(R.layout.main);
4
View a = this.findViewById(R.id.my_btn);
5
Button b = (Button) a;!
6
ButtonListener c = new ButtonListener();!
7
b.setOnClickListener(c);
"...
9
"...
// Inflate!
// SetListener
"...!
void onClick(View d) { ... }
}!
!
!
!
18
Propaga$on
edges
and
relevant
nodes
// FindView!
}
}!
19. 1
2
Example
class MyActivity extends Activity {!
void onCreate() {!
3
this.setContentView(R.layout.main);
4
View a = this.findViewById(R.id.my_btn);
5
Button b = (Button) a;!
6
ButtonListener c = new ButtonListener();!
7
b.setOnClickListener(c);
"...
9
"...
// Inflate!
// SetListener
"...!
void onClick(View d) { ... }
}!
!
MyActivity!
!
!
19
Propaga$on
edges
and
relevant
nodes
// FindView!
}
}!
20. 1
2
Example
class MyActivity extends Activity {!
void onCreate() {!
3
this.setContentView(R.layout.main);
4
View a = this.findViewById(R.id.my_btn);
5
Button b = (Button) a;!
6
ButtonListener c = new ButtonListener();!
7
b.setOnClickListener(c);
"...
9
"...
// Inflate!
// SetListener
"...!
void onClick(View d) { ... }
}!
!
MyActivity!
!
!
20
Propaga$on
edges
and
relevant
nodes
// FindView!
}
}!
21. 1
2
Example
class MyActivity extends Activity {!
void onCreate() {!
3
this.setContentView(R.layout.main);
4
View a = this.findViewById(R.id.my_btn);
5
Button b = (Button) a;!
6
ButtonListener c = new ButtonListener();!
7
b.setOnClickListener(c);
"...
9
"...
// Inflate!
// SetListener
"...!
void onClick(View d) { ... }
}!
!
MyActivity!
!
this2!
!
21
Propaga$on
edges
and
relevant
nodes
// FindView!
}
}!
22. 1
2
Example
class MyActivity extends Activity {!
void onCreate() {!
3
this.setContentView(R.layout.main);
4
View a = this.findViewById(R.id.my_btn);
5
Button b = (Button) a;!
6
ButtonListener c = new ButtonListener();!
7
b.setOnClickListener(c);
"...
9
"...
// Inflate!
// FindView!
// SetListener
}
}!
"...!
void onClick(View d) { ... }
}!
!
MyActivity!
!
c
this2!
!
b
a
22
d
Propaga$on
edges
and
relevant
nodes
this9!
23. 1
2
Example
class MyActivity extends Activity {!
void onCreate() {!
3
this.setContentView(R.layout.main);
4
View a = this.findViewById(R.id.my_btn);
5
Button b = (Button) a;!
6
ButtonListener c = new ButtonListener();!
7
b.setOnClickListener(c);
"...
9
"...
// Inflate!
// FindView!
// SetListener
}
}!
"...!
void onClick(View d) { ... }
}!
!
MyActivity!
Inflate!
c
this2!
id:main!
!
!
b
a
23
d
Propaga$on
edges
and
relevant
nodes
this9!
24. 1
2
Example
class MyActivity extends Activity {!
void onCreate() {!
3
this.setContentView(R.layout.main);
4
View a = this.findViewById(R.id.my_btn);
5
Button b = (Button) a;!
6
ButtonListener c = new ButtonListener();!
7
b.setOnClickListener(c);
"...
9
"...
// Inflate!
// FindView!
// SetListener
}
}!
"...!
void onClick(View d) { ... }
}!
!
c
MyActivity!
this2!
id:main!
Inflate!
b
id:my_btn!
!
FindView!
a
!
24
d
Propaga$on
edges
and
relevant
nodes
this9!
25. 1
2
Example
class MyActivity extends Activity {!
void onCreate() {!
3
this.setContentView(R.layout.main);
4
View a = this.findViewById(R.id.my_btn);
5
Button b = (Button) a;!
6
ButtonListener c = new ButtonListener();!
7
b.setOnClickListener(c);
"...
9
"...
// Inflate!
// FindView!
// SetListener
}
}!
"...!
void onClick(View d) { ... }
}!
!
c
MyActivity!
this2!
id:main!
Inflate!
b
id:my_btn!
!
FindView!
a
!
25
d
Propaga$on
edges
and
relevant
nodes
this9!
26. 1
2
Example
class MyActivity extends Activity {!
void onCreate() {!
3
this.setContentView(R.layout.main);
4
View a = this.findViewById(R.id.my_btn);
5
Button b = (Button) a;!
6
ButtonListener c = new ButtonListener();!
7
b.setOnClickListener(c);
"...
9
"...
// Inflate!
// FindView!
// SetListener
}
}!
"...!
void onClick(View d) { ... }
}!
!
c
MyActivity!
this2!
id:main!
Inflate!
b
id:my_btn!
!
FindView!
a
!
26
d
Propaga$on
edges
and
relevant
nodes
this9!
27. 1
2
Example
class MyActivity extends Activity {!
void onCreate() {!
3
this.setContentView(R.layout.main);
4
View a = this.findViewById(R.id.my_btn);
5
Button b = (Button) a;!
6
ButtonListener c = new ButtonListener();!
7
b.setOnClickListener(c);
"...
9
"...
// Inflate!
// FindView!
// SetListener
}
}!
"...!
void onClick(View d) { ... }
}!
!
c
ButtonListener!
MyActivity!
this2!
id:main!
Inflate!
b
id:my_btn!
!
FindView!
a
!
27
d
Propaga$on
edges
and
relevant
nodes
this9!
28. 1
2
Example
class MyActivity extends Activity {!
void onCreate() {!
3
this.setContentView(R.layout.main);
4
View a = this.findViewById(R.id.my_btn);
5
Button b = (Button) a;!
6
ButtonListener c = new ButtonListener();!
7
b.setOnClickListener(c);
"...
9
"...
// Inflate!
// FindView!
// SetListener
}
}!
"...!
void onClick(View d) { ... }
}!
!
c
ButtonListener!
MyActivity!
this2!
id:main!
Inflate!
b
SetListener!
id:my_btn!
!
FindView!
a
d
!
28
Propaga$on
edges
and
relevant
nodes
this9!
29. 1
2
Example
class MyActivity extends Activity {!
void onCreate() {!
3
this.setContentView(R.layout.main);
4
View a = this.findViewById(R.id.my_btn);
5
Button b = (Button) a;!
6
ButtonListener c = new ButtonListener();!
7
b.setOnClickListener(c);
"...
9
"...
// Inflate!
// FindView!
// SetListener
}
}!
"...!
void onClick(View d) { ... }
}!
!
c
ButtonListener!
MyActivity!
this2!
id:main!
Inflate!
b
SetListener!
id:my_btn!
!
FindView!
a
d
!
29
Propaga$on
edges
and
relevant
nodes
this9!
30. 1
2
Example
class MyActivity extends Activity {!
void onCreate() {!
3
this.setContentView(R.layout.main);
4
View a = this.findViewById(R.id.my_btn);
5
Button b = (Button) a;!
6
ButtonListener c = new ButtonListener();!
7
b.setOnClickListener(c);
"...
10
11
12
"...
// Inflate!
// SetListener
"...!
<RelativeLayout ...>!
<Button android:id=“@+id/my_btn” ... />!
</RelativeLayout>!
RelativeLayout!
child
id:my_btn!
30
view id
Button!
Property
edges
and
relevant
nodes
// FindView!
}
}!
31. 1
2
Example
class MyActivity extends Activity {!
void onCreate() {!
3
this.setContentView(R.layout.main);
4
View a = this.findViewById(R.id.my_btn);
5
Button b = (Button) a;!
6
ButtonListener c = new ButtonListener();!
7
b.setOnClickListener(c);
"...
10
11
12
"...
// Inflate!
// SetListener
// FindView!
}
}!
"...!
<RelativeLayout ...>!
<Button android:id=“@+id/my_btn” ... />!
</RelativeLayout>!
inflater
RelativeLayout!
child
id:my_btn!
31
view id
Button!
Property
edges
and
relevant
nodes
Inflate!
32. 1
2
Example
class MyActivity extends Activity {!
void onCreate() {!
3
this.setContentView(R.layout.main);
4
View a = this.findViewById(R.id.my_btn);
5
Button b = (Button) a;!
6
ButtonListener c = new ButtonListener();!
7
b.setOnClickListener(c);
"...
10
11
12
"...
// Inflate!
// SetListener
// FindView!
}
}!
"...!
<RelativeLayout ...>!
<Button android:id=“@+id/my_btn” ... />!
this
</RelativeLayout>!2!
inflater
MyActivity!
RelativeLayout!
child
id:my_btn!
32
view id
Button!
Property
edges
and
relevant
nodes
Inflate!
33. 1
2
Example
class MyActivity extends Activity {!
void onCreate() {!
3
this.setContentView(R.layout.main);
4
View a = this.findViewById(R.id.my_btn);
5
Button b = (Button) a;!
6
ButtonListener c = new ButtonListener();!
7
b.setOnClickListener(c);
"...
10
11
12
"...
// Inflate!
// SetListener
}
}!
"...!
<RelativeLayout ...>!
<Button android:id=“@+id/my_btn” ... />!
</RelativeLayout>!
MyActivity!
root
inflater
RelativeLayout!
child
id:my_btn!
33
// FindView!
view id
Button!
Property
edges
and
relevant
nodes
Inflate!
34. 1
2
Example
class MyActivity extends Activity {!
void onCreate() {!
3
this.setContentView(R.layout.main);
// Inflate!
4
View a = this.findViewById(R.id.my_btn);
5
Button b = (Button) a;!
6
ButtonListener c = new ButtonListener();!
7
b.setOnClickListener(c);
// SetListener
// FindView!
}
}!
"!
MyActivity!
root
inflater
RelativeLayout!
child
id:my_btn!
34
view id
Button!
Property
edges
and
relevant
nodes
Inflate!
35. 1
2
Example
class MyActivity extends Activity {!
void onCreate() {!
3
this.setContentView(R.layout.main);
// Inflate!
4
View a = this.findViewById(R.id.my_btn);
5
Button b = (Button) a;!
6
ButtonListener c = new ButtonListener();!
7
b.setOnClickListener(c);
// SetListener
// FindView!
}
}!
"!
MyActivity!
root
inflater
RelativeLayout!
child
id:my_btn!
35
view id
Button!
Property
edges
and
relevant
nodes
Inflate!
36. 1
2
Example
class MyActivity extends Activity {!
void onCreate() {!
3
this.setContentView(R.layout.main);
// Inflate!
4
View a = this.findViewById(R.id.my_btn);
5
Button b = (Button) a;!
6
ButtonListener c = new ButtonListener();!
7
b.setOnClickListener(c);
// SetListener
// FindView!
}
}!
"!
lookup
performed
by
FindView
MyActivity!
root
inflater
RelativeLayout!
child
id:my_btn!
36
view id
Button!
Property
edges
and
relevant
nodes
Inflate!
37. 1
2
Example
class MyActivity extends Activity {!
void onCreate() {!
3
this.setContentView(R.layout.main);
// Inflate!
4
View a = this.findViewById(R.id.my_btn);
5
Button b = (Button) a;!
6
ButtonListener c = new ButtonListener();!
7
b.setOnClickListener(c);
// SetListener
// FindView!
}
}!
"!
MyActivity!
root
inflater
RelativeLayout!
child
id:my_btn!
37
view id
Button!
Property
edges
and
relevant
nodes
Inflate!
38. 1
2
Example
class MyActivity extends Activity {!
void onCreate() {!
3
this.setContentView(R.layout.main);
// Inflate!
4
View a = this.findViewById(R.id.my_btn);
5
Button b = (Button) a;!
6
ButtonListener c =!
7
b.setOnClickListener(c);
// FindView!
ButtonListener!
// SetListener
}
}!
"!
MyActivity!
root
inflater
RelativeLayout!
child
id:my_btn!
38
view id
Button!
Property
edges
and
relevant
nodes
Inflate!
39. 1
2
Example
class MyActivity extends Activity {!
void onCreate() {!
3
this.setContentView(R.layout.main);
// Inflate!
4
View a = this.findViewById(R.id.my_btn);
5
Button b = (Button) a;!
6
ButtonListener c = new ButtonListener();!
7
b.setOnClickListener(c);
// SetListener
// FindView!
}
}!
"!
MyActivity!
root
inflater
RelativeLayout!
Inflate!
child
id:my_btn!
39
view id
Button!
listener
ButtonListener!
Property
edges
and
relevant
nodes
40. ImplementaFon
• Input
• Java
bytecode
of
the
applicaFon
• Relevant
XML
files
• Output
•
•
•
•
Parent-‐child
relaFonships
between
views
AssociaFon
of
acFviFes
with
root
views
AssociaFon
of
views
with
listeners
Variables
and
fields
referring
to
views,
acFviFes,
listeners
• Analysis
algorithm
40
1. Create
iniFal
constraint
graph
from
app
code
2. Solve
propagaFon
constraints
for
IDs,
acFviFes,
listeners
3. Fixed-‐point
computaFon
for
flow
of
views
between
operaFon
nodes
41. EvaluaFon
• Experiments
on
20
open-‐source
Android
apps
• Experiment
I
–
applicaFon
characterizaFon
• Constraint
graph:
number
of
various
types
of
nodes
• Result:
Android-‐specific
features
are
widely
used
• Experiment
II
–
analysis
performance
and
precision
41
• Running
Fme
to
perform
the
constraint
analysis
• Less
than
5
seconds
for
each
app
• Average
number
of
objects
for
variables
at
relevant
operaFons
–
e.g.
• v1.addChild(v2)
–
receiver
v1,
parameter
v2
• v
=
x.findViewById(…)
–
result
v
• v.setListener(m)
–
receiver
v,
listener
m
44. Conclusions
• First
staFc
analysis
to
focus
on
GUI-‐related
Android
constructs
• Proposed
constraint-‐based
algorithm
exhibits
high
precision
and
low
cost
• CriFcal
building
block
for
other
analyses
and
tools
for
Android
● So5ware
release
●
●
44
GATOR:
Program
Analysis
Toolkit
For
Android
hp://www.cse.ohio-‐state.edu/presto/so5ware/