DMT - Research Paper (Less Pages)

This research addresses the critical gap in vulnerability detection within Android native code, specifically focusing on reachability functions that are often overlooked. By utilizing Ghidra for advanced static analysis, the study identifies hidden vulnerabilities in native libraries, enhancing the security of Android applications. The findings suggest improvements in detection methodologies and recommend future research directions to further bolster Android security.

Enhancing Vulnerability Detection in Android Native Code:

Addressing Reachability Functions Using Ghidra


1. Kumar Devanshu
2. Mayank Singh
3. Tushpendra Kumar
1 Information Technology, Galgotia College of Engineering & Technology, New Delhi, India
[email protected] ORCID ID - 0009-0009-3656-4282
2 Information Technology, Galgotia College of Engineering & Technology, Uttar Pradesh, India
[email protected] ORCID ID - 0009-0003-2924-499X
3 Information Technology, Galgotia College of Engineering & Technology, Uttar Pradesh, India
[email protected] ORCID ID - 0009-0000-1422-2227

1. ABSTRACT

The rapid growth of Android applications has raised security concerns, especially in native
code, where many vulnerabilities escape common examination techniques. This research tackles a
highly topical gap in vulnerability evaluation: the reachability functions in native code, which
may be ignored during security evaluation. The goal of this research is to develop a solution for
detecting vulnerabilities in the native (.so file) libraries used within Android applications,
using Ghidra, an IntelliJ-based advanced reverse-engineering tool. The study begins by identifying
key vulnerabilities through static analysis, focusing on critical functions and suspicious strings
that could pose security risks. Implications for Android security and developers: based on the
analysis results, developers must strengthen their analysis tools; tools need to be reasonably
robust, such as Ghidra, which is the free option available. The paper also includes brief
recommendations for Android security research and development arising from our findings about
the Android security ecosystem. This work embodies a proposal and top-level analysis that has the
potential to fill a critical gap and help build safer Android applications.
Keywords: Android Security, Native Code Vulnerabilities, Static Analysis, Ghidra,
Reachability Functions, Reverse Engineering, Dynamic Library Interactions

2. INTRODUCTION

Several studies have explored Android vulnerability detection methods. Notably, the work of
Silvia Lucia Sanna et al. (2024), Jiawei Qin et al. (2020), and Janaka Senanayake et al. (2023) has
contributed significantly to this domain. Their research on static and dynamic analysis, risk
estimation, and security methodologies has influenced our approach. We build upon their findings
to enhance vulnerability detection techniques.

The widespread use of Android applications in daily life has brought about significant
advancements in mobile technology but has also introduced numerous security challenges. Among
these challenges, vulnerabilities in native code, particularly those residing in native libraries
(.so files), pose severe risks that are often difficult to detect and mitigate. Native code
vulnerabilities can be exploited to gain unauthorized access, execute arbitrary code, or
manipulate critical data, leading to severe security breaches. This research addresses a specific
and critical gap in vulnerability analysis: the reachability functions in native code. Current
vulnerability detection methods often overlook these functions, leaving applications exposed to
attacks. This study leverages advanced static analysis using Ghidra to enhance the identification
and mitigation of these hidden vulnerabilities.
3. BACKGROUND AND RELATED WORK
The goal of test case prioritization is to sort test cases by priority so that the maximum number
of faults can be detected in less time, thereby also decreasing the cost of regression testing.
Since testers need to run the test cases first to know the fault detection efficiency of any TCP
technique, researchers have proposed various coverage-based metrics for test case prioritization.
Researchers have divided coverage-based TCP methods into two main classes: metrics for white box
and black box. White box coverage metrics mainly include statement coverage, block coverage,
branch coverage, function coverage, etc. Researchers have also proposed various methods for black
box coverage metrics, such as the t-wise technique and the calculated diversity of inputs with the
help of NCD, Jaccard distance, Levenshtein distance, etc. After selecting the prioritization
criteria, for most of the above-mentioned methods the test cases are sorted by a greedy algorithm.

2. Literature Review:

With the complexities and integrations in them, vulnerability analysis in Android applications
has emerged as the key area of cybersecurity research. This chapter surveys current research and
tools in the field of vulnerability detection, focuses on critical studies that advanced the
discipline, and presents particular gaps in current research, particularly regarding reachability
function analysis in native code. This literature review is mainly based on "A Risk Estimation
Study of Native Code (2024)" as the reference and is further complemented with insights from
two other related studies about Android vulnerability detection.

2.1 Overview of Vulnerability Analysis in Android Applications:

Android application vulnerability analysis can be broadly classified as static or dynamic. Static
analysis examines code without executing it and tries to find vulnerabilities based on source
code, bytecode, or binary analysis. Tools such as Ghidra, Androguard, and MobSF are generally used
for this because of their capability to reverse-engineer code and look for unknown security
weaknesses. Dynamic analysis, on the other hand, monitors the application during runtime to catch
suspicious behavior, mostly using tools such as Frida, Xposed, and Drozer.

Methodology:
The methodology uses Ghidra, APKTool, Python scripts, and APK datasets to analyze native
libraries, requiring expertise in reverse engineering, static analysis, Android security, and
C/C++ vulnerabilities.

Project Planning Phases:
The project involves problem identification, tool setup, static analysis via Ghidra,
documentation of findings, solution implementation, and reporting, addressing native code
reachability gaps and vulnerabilities systematically.

Ghidra's advanced features like binary import, function and string analysis, and automated
scripting enhance vulnerability detection in native libraries, surpassing traditional static analysis
methods with precision and efficiency.

Dataset Description:


The dataset, sourced from APKMirror, includes diverse Android APKs with native .so libraries,
providing a comprehensive foundation for analyzing vulnerabilities in native code across
various applications.

Environment Configuration:
The controlled environment features an Intel i7 processor, 32GB RAM, 1TB SSD, and GTX
1660 GPU, with Ghidra, APKTool, Python, and VS Code for comprehensive native code
analysis.

Discussion:
This study advances Android security by addressing overlooked reachability function
vulnerabilities, outlines broader implications for security practices, acknowledges limitations,
and offers recommendations for future research improvements.

6. RESULTS
1. Table B.1: List of all identified vulnerable functions across the analyzed libraries, including
descriptions and potential security risks.
2. Table B.2: Comparative analysis of vulnerabilities found using Ghidra versus those detected by
traditional tools, including percentages and examples.

7. CONCLUSION AND FUTURE SCOPE


This paper presents an overall approach to improving vulnerability detection in native code
within Android applications, addressing a critical gap in the identification of reachability
functions. Using the advanced static analysis capabilities in Ghidra, the research successfully
identifies hidden vulnerabilities that have been often overlooked by traditional tools, including
dynamic library interactions, insecure API calls, and conditional code execution paths.
The key findings are presented: the suggested methodology contributes huge improvements for
detecting vulnerabilities mainly in complicated and obfuscated native code, when more
traditional analysis approaches are inappropriate to use. By looking at reachability functions this
paper reveals hidden points of exploit leading to quite serious threats with security, enabling
developers as well as security researchers to better describe vulnerabilities in native code.
This research practically impacts the field in its ability to increase Android application security
by equipping developers with effective tools and techniques for early native code vulnerability
detection. This is a two-fold approach that enhances not only the security posture of individual
applications but also supports the greater effort of safeguarding Android ecosystems from more
complex threats.
Future studies can build on this paper by integrating dynamic analysis techniques, increasing
the datasets used, and using automated tools that can help enhance vulnerability detection. The
work presented herein contributes valuable knowledge and methodology to the field of Android
security, thus providing a solid basis for applications that would otherwise be insecure and less
reliable.

Acknowledgment
We acknowledge the contributions of Silvia Lucia Sanna et al. (2024), Jiawei Qin et al. (2020),
and Janaka Senanayake et al. (2023), whose studies on Android vulnerability detection and risk
estimation provided a strong foundation for our analysis. Their methodologies have influenced our
approach and helped shape this research.

REFERENCES
1. A risk estimation study of native code (2024).
2. J. Qin, H. Zhang, J. Guo, S. Wang, Q. Wen, and Y. Shi, "Vulnerability Detection on Android
Apps Inspired by Case Study on Vulnerability Related With Web Functions," IEEE Access, vol. 8,
pp. 106437-106451, 2020. DOI: 10.1109/ACCESS.2020.2998043.
3. C. Sun, H. Zhang, J. Qin, and H. Pan, "DexX: A Double Layer Unpacking Framework for
Android," IEEE Access, vol. 6, pp. 61267-61276, 2018. DOI: 10.1109/ACCESS.2018.2876789.
4. S. L. Sanna, D. Soi, D. Maiorca, G. Fumera, and G. Giacinto, "A Risk Estimation Study of
Native Code Vulnerabilities in Android Applications," Journal of Cybersecurity, vol. 10, no. 1,
2024. DOI: 10.1093/cybsec/tyae015.
5. J. Qin, H. Zhang, J. Guo, S. Wang, Q. Wen, and Y. Shi, "Android Source Code Vulnerability
Detection: A Systematic Literature Review," ACM Computing Surveys, vol. 55, no. 9, pp.
187:1-187:37, 2023. DOI: 10.1145/3556974.

Script Overview:

Results Interpretation:
● Reachable Functions: Lists all functions accessible within the binary, including their names
and entry points.
● Dynamically Referenced Symbols: Shows symbols, like those resolved with dlsym, that are
dynamically linked in the binary.
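The methodology section (Ghidra function and string analysis with automated scripting) and the Results Interpretation list above describe a script that reports reachable functions with their entry points and dynamically referenced symbols such as dlsym. The following is an added example, not the authors' script and not Ghidra's API: a standalone Python reader for the dynamic symbol table of an ELF64 shared object that produces the same two views (exported functions with entry addresses, and imported symbols the loader resolves at runtime) and flags imports that deserve review. The sample library, the watch-lists, and the symbol names (JNI_OnLoad, Java_com_example_Native_process) are constructed for the demonstration; the image carries no code, only the symbol and string sections.

```python
import struct

SHT_STRTAB, SHT_DYNSYM = 3, 11
STT_FUNC, SHN_UNDEF, STB_GLOBAL = 2, 0, 1

# Constructed watch-lists for the demo: imports whose presence warrants a closer look.
DYNAMIC_LOADING = {"dlopen", "dlsym"}
UNSAFE_C = {"gets", "strcpy", "strcat", "sprintf", "system"}


def parse_dynsym(blob):
    """Walk the section headers of a little-endian ELF64 image and split .dynsym into
    (exported functions with entry addresses, imported/undefined symbol names)."""
    if blob[:4] != b"\x7fELF" or blob[4] != 2 or blob[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    (e_shoff,) = struct.unpack_from("<Q", blob, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", blob, 0x3A)
    # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, addralign, entsize
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", blob, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    dynsym = next((s for s in shdrs if s[1] == SHT_DYNSYM), None)
    if dynsym is None:
        raise ValueError("no .dynsym section (static or unusually stripped image)")
    dynstr = shdrs[dynsym[6]]  # sh_link names the companion string table
    if dynstr[1] != SHT_STRTAB:
        raise ValueError(".dynsym sh_link does not point at a string table")

    def name_at(idx):
        start = dynstr[4] + idx
        return blob[start:blob.index(b"\x00", start)].decode()

    exported, imported = [], []
    entsize = dynsym[9] or 24
    for i in range(1, dynsym[5] // entsize):  # index 0 is the mandatory null symbol
        # Elf64_Sym: name, info, other, shndx, value, size
        st_name, st_info, _, st_shndx, st_value, _ = struct.unpack_from(
            "<IBBHQQ", blob, dynsym[4] + i * entsize)
        name = name_at(st_name)
        if st_shndx == SHN_UNDEF:
            imported.append(name)               # resolved by the loader at runtime
        elif st_info & 0xF == STT_FUNC:
            exported.append((name, st_value))   # entry point reachable from JNI or another .so
    return exported, imported


def classify_imports(imported):
    """Flag imports that signal runtime symbol resolution or classic unsafe C APIs."""
    return {
        "dynamic_loading": sorted(n for n in imported if n in DYNAMIC_LOADING),
        "unsafe_c": sorted(n for n in imported if n in UNSAFE_C),
    }


def build_sample_so():
    """Constructed ELF64 image holding only .dynsym/.dynstr/.shstrtab (no code, no
    program headers), just enough to exercise the parser offline."""
    names = ["JNI_OnLoad", "Java_com_example_Native_process", "dlsym", "strcpy", "memcpy"]
    dynstr, off = b"\x00", {}
    for n in names:
        off[n] = len(dynstr)
        dynstr += n.encode() + b"\x00"
    func = (STB_GLOBAL << 4) | STT_FUNC
    sym = lambda n, shndx, value: struct.pack("<IBBHQQ", off[n], func, 0, shndx, value, 0)
    # shndx 1 is simply a non-UNDEF index here; a real .so would point at .text
    dynsym = b"\x00" * 24 + sym("JNI_OnLoad", 1, 0x1000) + sym(names[1], 1, 0x1040)
    dynsym += sym("dlsym", SHN_UNDEF, 0) + sym("strcpy", SHN_UNDEF, 0) + sym("memcpy", SHN_UNDEF, 0)
    shstrtab = b"\x00.dynsym\x00.dynstr\x00.shstrtab\x00"
    body = dynsym + dynstr + shstrtab
    body += b"\x00" * (-len(body) % 8)
    shoff = 64 + len(body)
    sym_off, str_off, shs_off = 64, 64 + len(dynsym), 64 + len(dynsym) + len(dynstr)
    shdr = lambda name, typ, offset, size, link, entsize: struct.pack(
        "<IIQQQQIIQQ", name, typ, 0, 0, offset, size, link, 0, 1, entsize)
    shdrs = (b"\x00" * 64
             + shdr(1, SHT_DYNSYM, sym_off, len(dynsym), 2, 24)
             + shdr(9, SHT_STRTAB, str_off, len(dynstr), 0, 0)
             + shdr(17, SHT_STRTAB, shs_off, len(shstrtab), 0, 0))
    # ET_DYN (3), EM_AARCH64 (0xB7), 4 section headers, .shstrtab at index 3
    ehdr = struct.pack("<4sBBBBB7xHHIQQQIHHHHHH", b"\x7fELF", 2, 1, 1, 0, 0,
                       3, 0xB7, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 4, 3)
    return ehdr + body + shdrs


def analyze(blob):
    exported, imported = parse_dynsym(blob)
    return {"reachable": exported, "imports": imported, "flags": classify_imports(imported)}


if __name__ == "__main__":
    report = analyze(build_sample_so())
    for name, addr in report["reachable"]:
        print(f"reachable  {name:<35} entry=0x{addr:x}")
    for name in report["imports"]:
        print(f"imported   {name}")
    print("flags:", report["flags"])
```

On the constructed image the script lists two reachable entry points and three imports, with dlsym and strcpy flagged. On a real library, parse_dynsym can be handed the bytes of a .so extracted with APKTool. Its blind spot is the one the paper's "Dynamically Referenced Symbols" item hints at: a function looked up by name through dlsym at runtime never appears in .dynsym, so that reference is only recoverable from the string table or from a Ghidra pass over the arguments of the dlsym call.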