Who you gonna call? Analyzing Web Requests in Android Applications
This addresses security and privacy concerns for Android users and developers, though it is incremental as it compares existing analysis methods.
The paper tackles the problem of analyzing web requests in Android applications by comparing dynamic and static analysis approaches, finding that their static analysis tool Stringoid extracted URLs from 30,000 apps and performed comparably to dynamic analysis on 20 apps.
Relying on ubiquitous Internet connectivity, applications on mobile devices frequently perform web requests during their execution. They fetch data for users to interact with, invoke remote functionalities, or send user-generated content or meta-data. These requests collectively reveal common practices of mobile application development, like what external services are used and how, and they point to possible negative effects like security and privacy violations, or impacts on battery life. In this paper, we assess different ways to analyze what web requests Android applications make. We start by presenting dynamic data collected from running 20 randomly selected Android applications and observing their network activity. Next, we present a static analysis tool, Stringoid, that analyzes string concatenations in Android applications to estimate constructed URL strings. Using Stringoid, we extract URLs from 30, 000 Android applications, and compare the performance with a simpler constant extraction analysis. Finally, we present a discussion of the advantages and limitations of dynamic and static analyses when extracting URLs, as we compare the data extracted by Stringoid from the same 20 applications with the dynamically collected data.