Skip to content
Go to file

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time


Statically extracts URL strings from Android applications.


The installation requires you to build WALA (the T.J. Watson Libraries for Analysis) and to compile Stringoid to work.

Build WALA

Prerequisites: make sure to have the Android SDK and its build-tools installed (a proven-to-be-compatible version is 23.0.1).

  1. Clone
  2. Copy build-tools/*/lib/dx.jar (typically located at /Users/<username>/Library/Android/sdk/ on a Mac) to Create the lib directory if need be.
  3. Run mvn clean install -DskipTests=true -q (Note: requires Maven >=3.0, or you get a completely uninformative BUILD FAILED error. You need svn to be installed. If this step succeeds, WALA will be available as a bunch of Maven packages locally.)

Compile Stringoid

  1. Clone this project using git clone
  2. Rename / copy src/main/resources/application.conf.example to src/main/resources/application.conf (remove the .example) and provide the paths for rt.jar (typically found at /Library/Java/JavaVirtualMachines/jdk*.*.*_**.jdk/Contents/Home/jre/lib/rt.jar on a Mac) and android.jar (typically found at /Applications/Android on a Mac) within the newly created file.

Run stringoid

Once Stringoid has been installed, you can either run its tests using:

test // from within sbt

...or you can point it to run on a specific Android application (.apk file) from the root directory of the project:

java -cp target/scala-2.10/stringoid-assembly-0.1.jar -a append --lib false --ir-source interproc -u false <path/to/.apk-file>

Some example .apk files are provided in this project under stringoid/dynamic-instrumentation/real-apks/.

How to run on Spark

  1. Get Spark. Pick the same version as in build.sbt, pre-compiled for Hadoop works.
  2. Run sbt assembly
  3. Run spark-submit --master local[1] --class target/.../stringoid-assembly....jar constants src/test/resources spark-out 0, or similar.

Create and run tests

  1. Create Java source tests and put them into the src/test/java/moretests directory. You can look at the file to see an example. To create a test, write a Java program that creates URLs in some interesting way. Then, if you want to check whether stringoid detects a URL "http://xxx" or "https://yyy", write somewhere (for example in the main method):
  • Assertions.shouldContainHttp("xxx");
  • Assertions.shouldContainHttp("yyy");

That is, don't include the "http://" or "https://" as part of the URL in the assertion. 2. To run the tests, you can use sbt test from your command line. If you're using an IDE, you can go to src/test/scala/com/ibm/stringoid/ConcatenationSpec.scala and run the tests directly from there (if you use IntelliJ, right-click the file and select "Run ConcatenationSpec"). Note the following:

  1. The tests will run an inter-procedural analysis.
  2. The analysis will not detect string concatenation with the "+" operator. To write "http://" + "", you can write anything like: - StringBuilder sb = new StringBuilder(); - sb.append("http://"); - sb.append(""); - String s = url.toString; - String s = new StringBuilder("http://").append("").toString;
  3. The analysis will create an acyclic control-flow graph. Here is one consequence: consider the program
StringBuilder sb = new StringBuilder("http://");
while (...) { sb.append(""); }

Stringoid will detect the URLs "http://", "", and "http://path", but not "". 4. Please make sure that the methods in which you construct URLs are reachable from the main method of the public class in the Java test file you're implementing.


Retrieving URLs from APK files



No releases published


No packages published

Contributors 4

You can’t perform that action at this time.