View on GitHub


System using the Analysis Query Language

Download this project as a .zip file Download this project as a tar.gz file

Maven Central


The Android App Analysis Query Language (AQL) consists of two main parts, namely AQL-Queries and AQL-Answers. AQL-Queries enable us to ask for Android specific analysis subjects in a general, tool independent way. The grammar defining AQL-Queries can be found here.

Example 1: AQL-Queries

The following exemplary query can be used to get all Flows (e.g. taint flows) inside one app:

Flows IN App(’/path/to/example.apk’) ?

it is also possible to ask more specifically (or to filter the result):

Flows FROM 

Different operators are available to merge and further filter queries as well as methods to match intents and intent-filters.
More information about AQL-Queries can be found here.

Similarly, AQL-Answers are used to represent analysis results in a standardized form.
The syntax of AQL-Answers is defined via an XML schema definition (XSD).

Example 2: AQL-Answers

An AQL-Answer to the query from above could be (shortened):

			<reference type="from">
				<statement>... getDeviceId() ...</statement>
				<method>... onCreate(...) ...</method>
				<classname>... MainActivity</classname>
			<reference type="to">

It shows a taint flow from a getDeviceId() statement to a sendTextMessage(...) statement.


The associated AQL-System takes AQL-Queries as input and outputs AQL-Answers.
To do so, it requires a configuration in form of an .xml file that describes

Example 3

For instance, an AQL-System can be configured to execute FlowDroid in case of intra-app flow questions and IccTA in case of inter-app questions, since FlowDroid does not support such questions. Considering the example from above the AQL-System recognizes that FlowDroid is available and able to answer the query regarding flows inside one app only. Consequently, FlowDroid is launched and its result is converted into an AQL-Answer.


Our wiki contains tutorials how to use/extend the AQL-System: here


One tutorial deals with a simple run-through. It guides the user how to install, configure and execute an AQL-System, which is setup to use Amandroid.


The AQL-System or only its internal datastructure (AQL-Lib) can be used by or in other tools. We offer to options for integration:


Building from source code



The AQL-System is licensed under the GNU General Public License v3 (see LICENSE).


Felix Pauck
Paderborn University