
arxiv: 2606.09528 · v1 · pith:ZIKN7VOFnew · submitted 2026-06-08 · 💻 cs.SE

Relocate and Emulate: Re-Hosting Android's Application Layer

Pith reviewed 2026-06-27 15:25 UTC · model grok-4.3

classification 💻 cs.SE
keywords re-hosting · Android emulator · dynamic analysis · firmware relocation · AOSP integration · vendor emulation · application layer

The pith

A re-hosting method extracts Android framework components from real firmware and injects them into AOSP builds to produce working vendor-flavored emulator images.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes a systematic way to relocate the Android framework and pre-installed apps from physical device firmware into a fully emulated environment. It does so by developing tailored extraction and injection strategies that fold vendor-specific pieces into the standard AOSP build system. If successful, this removes the need for physical hardware when performing dynamic analysis of real-world Android components, including proprietary binaries. The method was applied to 184 firmware samples across SDK versions 31-33 and produced high rates of successful builds and boots. Residual failures are traced mainly to baseline strategy limits or device protections, with the modular design intended to support further extensions.

Core claim

Our approach integrates vendor-specific components into the Android Open Source Project (AOSP) build system using tailored extraction and injection strategies, producing vendor-flavoured emulator images that preserve system integrity and runtime compatibility. This enables dynamic execution of real-world framework and application-layer components, including proprietary binaries and pre-installed apps, across multiple SDK versions.

What carries the argument

Tailored extraction and injection strategies that relocate and integrate vendor-specific firmware components into AOSP builds.

If this is right

  • Dynamic execution of real framework components and pre-installed apps becomes possible inside emulators rather than on physical devices.
  • Vendor-flavored images can be produced for multiple SDK versions while keeping system integrity.
  • Modular injection strategies can be extended for additional firmware families to increase coverage.
  • Scalable and reproducible dynamic analysis of application-layer behavior is supported without hardware constraints.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Security researchers could test the same proprietary app against many vendor variants in parallel without acquiring devices.
  • Automated selection of injection strategies based on firmware metadata could reduce manual adaptation effort.
  • The same relocation technique might be adapted to study system-level behaviors under controlled emulator conditions.

Load-bearing premise

Tailored extraction and injection strategies can be developed modularly for diverse vendor firmware while still preserving runtime compatibility.

What would settle it

Building and booting emulator images from a new set of firmware samples and checking whether core services initialize and proprietary apps execute without unresolvable failures.

Figures

Figures reproduced from arXiv: 2606.09528 by Bernhard Tellenbach, Marc Rennhard, Thomas Sutter, Timo Kehrer.

Figure 1: Android architecture with logical layers.
Figure 2: Overview of the re-hosting workflow, leveraging the AOSP build
Figure 3: Application-Layer Coverage Ratios

The overall success rate of a sample can then be expressed as $S(x) = \frac{\sum_{t \in T} s(x, t)}{|T|}$. Similarly, the average success rate across a subset of samples $D_i \subseteq D$ is $S(D_i) = \frac{1}{|D_i|} \sum_{x \in D_i} S(x)$. Finally, for RQ3, we compare the running times in our build pipeline to unmodified baseline AOSP builds, and resort to a qualitative failure analysis for RQ4. VII. EXPERIMENTAL RESUL…

Figure 4: AOSP Build Times with Injected Modules [axes: Fraction of Build Time; SDK Version (SDK31, SDK32, SDK33)]
Figure 5: Post Injector Build Times in Fraction of the Build Time

Original abstract

Dynamic analysis of Android's application layer typically relies on physical devices, limiting scalability and reproducibility. To compensate, we introduce a systematic re-hosting method that relocates the Android framework and pre-installed software from real device firmware into a fully emulated environment. Our approach integrates vendor-specific components into the Android Open Source Project (AOSP) build system using tailored extraction and injection strategies, producing vendor-flavoured emulator images that preserve system integrity and runtime compatibility. This enables dynamic execution of real-world framework and application-layer components, including proprietary binaries and pre-installed apps, across multiple SDK versions. We evaluate our method on 184 firmware samples from SDK 31-33. It achieves high build and boot success rates, with residual failures primarily occurring during core-service initialization due to baseline strategy limitations, missing dependencies, device-protection checks, or emulator constraints. However, the modular design allows injection strategies to be extended for specific firmware, supporting broader compatibility and future research on automated, adaptive re-hosting. Though we identified potential for optimization through engineering vendor-specific solutions, our research demonstrates the feasibility of vendor-flavoured emulators for scalable, reproducible dynamic analysis.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The paper introduces a re-hosting method ('Relocate and Emulate') that extracts vendor-specific components from Android firmware and injects them into the AOSP build system via tailored strategies, producing emulated images claimed to preserve system integrity and runtime compatibility. This enables dynamic analysis of framework and pre-installed apps (including proprietary binaries) across SDK versions. Evaluation on 184 firmware samples (SDK 31-33) reports high build and boot success rates, with residual failures attributed to baseline limitations, missing dependencies, device checks, or emulator constraints; the modular design is asserted to support future extensions.

Significance. If the runtime-compatibility claim holds, the work would enable scalable, reproducible dynamic analysis of real-world Android application-layer components without physical devices, addressing a key limitation in Android security and software engineering research. The empirical scale (184 samples) and engineering focus on modular injection strategies are strengths, though the absence of post-boot validation metrics limits immediate impact.

major comments (2)
  1. [Results/Evaluation] Results/Evaluation section: The central claim that the produced images 'preserve ... runtime compatibility' enabling 'dynamic execution of real-world framework and application-layer components' is not supported by the reported metrics. Only aggregate build and boot success rates are given; no data on post-boot execution (e.g., app launch success, framework service calls, or behavioral equivalence) or detailed error analysis of the residual failures is provided, leaving the primary contribution under-validated.
  2. [Abstract and Evaluation] Abstract and evaluation description: The assertion that 'the modular design allows injection strategies to be extended for specific firmware' is presented without demonstration on the failure cases or evidence of extensibility beyond the baseline strategy, which directly bears on the claim of broader compatibility.
minor comments (1)
  1. [Abstract] The abstract states 'high build and boot success rates' without quantifying the rates or providing a breakdown by SDK version or failure mode; adding these would improve clarity.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the detailed and constructive review. We address each major comment below and indicate where revisions will be made to strengthen the manuscript.

Point-by-point responses
  1. Referee: [Results/Evaluation] Results/Evaluation section: The central claim that the produced images 'preserve ... runtime compatibility' enabling 'dynamic execution of real-world framework and application-layer components' is not supported by the reported metrics. Only aggregate build and boot success rates are given; no data on post-boot execution (e.g., app launch success, framework service calls, or behavioral equivalence) or detailed error analysis of the residual failures is provided, leaving the primary contribution under-validated.

    Authors: We agree that the evaluation focuses on build and boot success rates as the primary quantitative metrics, which we use as indicators that the relocated components integrate sufficiently for the system to reach a runnable state. Boot success is a necessary precondition for any subsequent dynamic execution. However, we acknowledge that direct evidence of post-boot runtime compatibility (such as app launch rates or service call success) is not reported. In the revised manuscript we will add a new subsection with post-boot validation results on a representative subset of the successful images, including attempts to launch pre-installed apps and invoke framework services, plus a more granular breakdown of the residual failure modes. revision: yes

  2. Referee: [Abstract and Evaluation] Abstract and evaluation description: The assertion that 'the modular design allows injection strategies to be extended for specific firmware' is presented without demonstration on the failure cases or evidence of extensibility beyond the baseline strategy, which directly bears on the claim of broader compatibility.

    Authors: The manuscript describes the modular architecture in Section 4, where each injection strategy is implemented as an independent module that can be selected or extended per firmware. We did not, however, apply alternative strategies to the failure cases within the current evaluation. We will revise the evaluation section to include a brief case study demonstrating how one additional strategy could address a subset of the reported failures, thereby providing concrete evidence of extensibility. revision: partial

Circularity Check

0 steps flagged

No circularity: empirical engineering method with direct evaluation on external samples

Full rationale

The paper describes a re-hosting technique via extraction/injection into AOSP, evaluated by build/boot success rates on 184 external firmware samples. No equations, fitted parameters renamed as predictions, or self-citation chains appear in the provided text. The runtime-compatibility claim is supported (or not) by the reported metrics rather than being definitionally equivalent to the method itself. This matches the default case of a self-contained empirical systems contribution with no load-bearing reductions to inputs.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

Based solely on the abstract, the approach relies on the standard AOSP build system and the feasibility of vendor-specific adaptations; no free parameters, invented entities, or additional axioms beyond domain assumptions about Android firmware structure are identified.

axioms (1)
  • domain assumption Vendor-specific components from real device firmware can be extracted and injected into AOSP while preserving system integrity and runtime compatibility.
    This is the core premise of the re-hosting method described in the abstract.

pith-pipeline@v0.9.1-grok · 5737 in / 1166 out tokens · 32394 ms · 2026-06-27T15:25:55.172583+00:00 · methodology

