Is it possible that using the jazzer fuzz the Android third party #413
Unanswered
william31212 asked this question in Q&A
-
I don't have a good answer to this at this point in time since I am not very familiar with the foundations of Java on Android. I'm planning to improve on that state in the upcoming weeks and will post an update if I have one.
-
It was coming along, but ultimately we stopped working on fuzzing Java
for Android. It was hard to see the value in completing it, since:
1: Static analysis (like CodeQL) is much easier for Java. It already works,
you don't have to worry about code coverage, and it comes with a lot of out
of the box queries to find vulnerabilities.
2: There are no Android specific sanitizers in Jazzer, so even after adding
it to the build system we still need to write all new sanitizers.
Since it was a project with questionable impact for Android (delta between
what exists already and what exists already + Java fuzzing), it ended up
getting stopped.
On Fri, Feb 7, 2025 at 11:52 PM haoxiantong <***@***.***> wrote:
It's very difficult to use at this stage without a lot of knowledge on how
APKs are built. I'm working on another PR that will make fuzzing your
Android apps easy. I'll send you an email when it's ready David and then we
can circle back and update here
Hi, is there any progress? Did the pull request get accepted?
-
Hi, is it possible to use Jazzer to fuzz an Android third-party library? For instance, Glide is a third-party Android image parser. However, I am not sure whether the different bottom layer (Dalvik VM, JVM) means Jazzer cannot fuzz it.