Mind the GAPS: Bridging the GAPS between Targeted Dynamic Analysis and Static Path Reconstruction in Android Apps
Abstract
Dynamically executing specific target methods in Android applications remains a critical and unresolved challenge. Despite notable advancements in GUI testing, current tools are insufficient for reliably driving execution toward specific target methods. To address this challenge, we present GAPS (Graph-based Automated Path Synthesizer), the first system that leverages static, method-guided call graph reconstruction to guide the dynamic, interaction-driven execution of an Android app. GAPS performs a lightweight backward traversal of the call graph, guided by data-flow analysis, to reconstruct paths reaching the target methods. These paths are then translated into instructions that guide runtime app exploration. On the AndroTest benchmark, GAPS statically identifies paths towards 88.24% of the target methods, averaging just 4.27 seconds per app, and reaches 57.44% of them through dynamic analysis. This exceeds the performance of state-of-the-art tools: the model-based GUI tester APE reaches only 12.82%, the hybrid tool GoalExplorer reaches 9.69%, and the LLM-based Guardian reaches 17.12%. Finally, we applied GAPS to the 50 most downloaded apps from the Google Play Store, achieving an average static analysis time of 278.9 seconds to reconstruct paths towards 62.03% of the target methods and reaching 59.86% of them through dynamic analysis.