[Paper] GAPS: Guiding Dynamic Android Analysis with Static Path Synthesis

Source: arXiv - 2511.23213v1

Overview

The paper introduces GAPS (Graph‑based Automated Path Synthesizer), a novel system that bridges static code analysis and dynamic UI‑driven testing to reliably reach arbitrary methods inside Android apps. By automatically synthesizing execution paths from the app’s call graph, GAPS enables developers and security analysts to drive the runtime toward code that traditional GUI‑only testers miss—such as library functions or background services.

Key Contributions

• First hybrid framework that combines lightweight static backward call‑graph traversal with data‑flow guidance to generate concrete interaction scripts.
• Path synthesis algorithm that translates static call‑graph edges into UI actions (clicks, intents, etc.) executable at runtime.
• Comprehensive evaluation on the AndroTest benchmark and 50 popular real‑world apps, showing a 5‑6× improvement in method reachability over the best existing dynamic tools.
• Performance‑aware design: static analysis averages 4.27 s per app on the benchmark (278.9 s on large real apps) while preserving high precision.
• Open‑source implementation (GAPS) that can be integrated into existing Android testing pipelines.

Methodology

1. Static Call‑Graph Construction – GAPS builds a method‑level call graph using a fast, flow‑insensitive analyzer.
2. Backward Traversal – Starting from a target method (e.g., a suspected vulnerable API), the system walks backward through the graph, collecting candidate predecessor methods that could invoke the target.
3. Data‑Flow Filtering – A lightweight data‑flow analysis prunes infeasible branches by checking whether required objects/parameters can actually be produced by the preceding code.
4. Path Translation – The surviving call‑graph edges are mapped to concrete UI events (button clicks, intent launches, service starts). GAPS emits an instruction script compatible with Android’s UI‑Automator framework.
5. Dynamic Execution – The script is fed to a runtime engine that interacts with the app on an emulator/device, attempting to follow the synthesized path and trigger the target method.
6. Feedback Loop – If execution fails, GAPS can backtrack, try alternative branches, or fall back to a generic GUI‑fuzzer.

The entire pipeline is automated: a developer only needs to specify the methods they want to reach.

Results & Findings

Takeaway: GAPS dramatically outperforms pure dynamic UI testers and even static‑only analyses, achieving over 50 % dynamic reachability on real apps while keeping analysis time within a few minutes.

Practical Implications

• Security Audits – Penetration testers can target specific cryptographic or permission‑checking APIs without manually crafting UI flows, accelerating vulnerability validation.
• Automated Regression Testing – CI pipelines can embed GAPS scripts to guarantee that critical code paths (e.g., payment processing) are exercised on every build.
• Debugging & Crash Reproduction – Developers can ask GAPS to reach a method that throws an exception, automatically generating the steps needed to reproduce the bug on a device.
• Library Integration Checks – When integrating third‑party SDKs, teams can verify that the SDK’s initialization and usage paths are actually reachable on target devices.
• Toolchain Compatibility – GAPS outputs UI‑Automator/ADB commands, making it drop‑in compatible with existing Android testing frameworks (Espresso, Robotium, etc.).

Limitations & Future Work

• Static Approximation – The call graph is flow‑insensitive; highly dynamic features (reflection, dynamic class loading) may still be missed, limiting reachability for some obfuscated apps.
• Environment Dependence – Certain paths require specific device states (e.g., network, sensors) that GAPS does not currently model, leading to occasional execution failures.
• Scalability on Very Large Apps – While acceptable for most market apps, analysis time grows with app size; future work will explore incremental or parallel graph construction.
• User‑Defined Constraints – Extending the synthesis engine to accept custom preconditions (e.g., logged‑in user, specific locale) is a planned enhancement.

Overall, GAPS marks a significant step toward making deep, method‑level Android analysis practical for developers and security professionals alike.

Authors

• Samuele Doria
• Eleonora Losiouk

Paper Information

• arXiv ID: 2511.23213v1
• Categories: cs.SE
• Published: November 28, 2025
• PDF: Download PDF