The Doctoral School in Science and Engineering is happy to invite you to Marco ALECCI’s defence entitled
Context Is Key: Combining Static Analysis and AI for Actionable Android App Analysis
Supervisor: Prof Jacques KLEIN
Android apps are a central part of our lives; they support a wide range of activities such as communication, navigation, finance, health, and more. Apps handle sensitive data on a daily basis; therefore, ensuring their security and privacy is paramount. Today, app security heavily relies on automated analysis tools. Among these, static analyzers play a central role in identifying suspicious behaviors, potential vulnerabilities, and other security and privacy risks at scale.
In practice, when static analysis tools are used, they often overwhelm practitioners with very large volumes of results. Inspecting all such outputs not only increases the cognitive burden on analysts but also reduces the practical utility of static analysis, making it difficult to extract actionable insights. Additionally, many of these results are false alarms or irrelevant to the specific analysis task, which limits their concrete actionability.
One main reason for this limitation is that static analysis tools typically operate with limited awareness of the app’s intended functionality and the analyst’s objective. As an example, one may consider that some location data flowing out of a navigation app is part of its normal operation and expected behavior. At the same time, the same data flow in a calculator app may be highly suspicious and should be prioritized by an analyst. To make static analyzers practical and effective, such information must be taken into account. Hence, context is key.
In this manuscript, we present contributions that address these challenges by improving the actionability and relevance of Android app static analysis. This work is organized into three parts.
In Part I, we revisit Android app categorization, which directly affects an app’s expected functionality. Existing categorizations, such as Google Play categories, are often too broad to capture meaningful behavioral differences between apps, limiting the effectiveness of context-aware analysis. To address this, we construct the first ground-truth dataset of fine-grained categorized apps and propose a new categorization approach, which better reflects the expected behavior of applications.
In Part II, we introduce two analysis approaches leveraging multiple category-specific anomaly detection models to identify unusual behaviors: Difuzer++, which focuses on logic bombs, and DamFlow, which targets sensitive data leaks. By integrating contextual understanding of app behavior, these tools reduce the burden on the analyst and make the results more actionable.
In Part III, we explore the analysis context itself. Specifically, we propose an LLM-based approach that allows practitioners aiming for data leak detection to focus on specific data flows (e.g., location data sent via SMS) rather than all possible flows. This approach allows prioritization of results based on the analysis objective while also reducing false negatives introduced by existing approaches. Altogether, this manuscript advances Android app analysis by combining app categorization, context-aware anomaly detection, and task-specific flow analysis. The contributions make static analysis outputs more relevant and actionable, empowering practitioners to efficiently identify security and privacy risks in real-world apps.
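The ideas in Parts II and III (category-specific anomaly models and objective-driven flow filtering) can be illustrated with a small added example; this is not code from the thesis, Difuzer++ or DamFlow, and the flow records, category names and the prevalence-based scoring are constructed assumptions chosen only to show why the same data flow ranks differently depending on the app's category.

```python
from collections import defaultdict

# Constructed sample of static-analysis findings: (app_id, category, (source, sink)).
# Three navigation apps and three calculator apps, as seen by a hypothetical analyzer.
FLOWS = [
    ("nav1", "navigation", ("LOCATION", "HTTP")),
    ("nav2", "navigation", ("LOCATION", "HTTP")),
    ("nav3", "navigation", ("LOCATION", "HTTP")),
    ("nav3", "navigation", ("CONTACTS", "SMS")),
    ("calc1", "calculator", ("LOCATION", "HTTP")),
    ("calc2", "calculator", ("DEVICE_ID", "LOG")),
    ("calc3", "calculator", ("DEVICE_ID", "LOG")),
]


def build_category_models(flows):
    """One model per category: fraction of that category's apps showing each (source, sink) pair."""
    apps_in_cat = defaultdict(set)
    apps_with_pair = defaultdict(set)
    for app, cat, pair in flows:
        apps_in_cat[cat].add(app)
        apps_with_pair[(cat, pair)].add(app)
    models = defaultdict(dict)
    for (cat, pair), apps in apps_with_pair.items():
        models[cat][pair] = len(apps) / len(apps_in_cat[cat])
    return dict(models)


def anomaly_score(models, cat, pair):
    """1 - prevalence of the pair within the category; a pair never seen in that category scores 1.0."""
    return 1.0 - models.get(cat, {}).get(pair, 0.0)


def prioritize(models, cat, found, sources=None, sinks=None):
    """Rank an app's flows for an analyst, most anomalous for its category first.

    Optional `sources`/`sinks` express the analysis objective (e.g. only LOCATION -> SMS),
    so flows outside the objective are dropped before ranking rather than shown at all.
    """
    kept = [p for p in found
            if (sources is None or p[0] in sources) and (sinks is None or p[1] in sinks)]
    return sorted(((anomaly_score(models, cat, p), p) for p in kept), key=lambda s: -s[0])


if __name__ == "__main__":
    m = build_category_models(FLOWS)
    # The same LOCATION -> HTTP flow is routine for a navigation app but stands out in a calculator.
    print(prioritize(m, "navigation", [("LOCATION", "HTTP"), ("CONTACTS", "SMS")]))
    print(prioritize(m, "calculator", [("LOCATION", "HTTP"), ("DEVICE_ID", "LOG")]))
```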