# Who you gonna call? Analyzing Web Requests in Android Applications

**Authors:** Marianna Rapoport, Philippe Suter, Erik Wittern, Ondřej Lhoták, Julian Dolby

arXiv: 1705.06629 · 2017-05-22

## TL;DR

This paper compares dynamic and static analysis methods for extracting web request URLs from Android apps, introducing Stringoid, a static analysis tool, and evaluating its performance and limitations.

## Contribution

It presents Stringoid, a novel static analysis tool for estimating URLs in Android apps, and compares its effectiveness with dynamic data collection.

## Key findings

- Stringoid effectively estimates URLs in Android apps.
- Static analysis complements dynamic data collection.
- Limitations exist in static analysis accuracy.

## Abstract

Relying on ubiquitous Internet connectivity, applications on mobile devices frequently perform web requests during their execution. They fetch data for users to interact with, invoke remote functionalities, or send user-generated content or meta-data. These requests collectively reveal common practices of mobile application development, like what external services are used and how, and they point to possible negative effects like security and privacy violations, or impacts on battery life. In this paper, we assess different ways to analyze what web requests Android applications make. We start by presenting dynamic data collected from running 20 randomly selected Android applications and observing their network activity. Next, we present a static analysis tool, Stringoid, that analyzes string concatenations in Android applications to estimate constructed URL strings. Using Stringoid, we extract URLs from 30,000 Android applications, and compare the performance with a simpler constant extraction analysis. Finally, we present a discussion of the advantages and limitations of dynamic and static analyses when extracting URLs, as we compare the data extracted by Stringoid from the same 20 applications with the dynamically collected data.

## Figures

7 figures with captions in the complete paper: https://tomesphere.com/paper/1705.06629/full.md

## References

23 references — full list in the complete paper: https://tomesphere.com/paper/1705.06629/full.md

---
Source: https://tomesphere.com/paper/1705.06629