Published in: International Journal of Information Security 5/2020

01.10.2019 | Regular Contribution

DroidRista: a highly precise static data flow analysis framework for android applications

By: Areej Alzaidi, Suhair Alshehri, Seyed M. Buhari


Abstract

The Android operating system dominates the smartphone market, and to serve that market the number of Android applications has risen dramatically. These applications process large amounts of sensitive data, which raises concerns such as data leakage and privacy violations: an application may misuse the sensitive data stored on the device and violate the user's privacy. It is therefore essential to protect user privacy and keep sensitive data from leaking. Static data flow analysis is used to examine Android applications for security and privacy issues. However, such analyses frequently generate false alarms because of the particular challenges Android applications pose, such as inter-component communication (ICC), reflection, and implicit flow. This work presents DroidRista, an approach for static data flow analysis of Android applications that detects sensitive data leakage. DroidRista analyzes ICC, reflection, and implicit flow in Android applications. To evaluate its performance, DroidRista was tested on three data sets. The results show improved leak detection compared to existing static data flow analysis approaches.
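To make the three challenges named in the abstract concrete, the following is an added illustration written for this page; it is not DroidRista's code or algorithm, and the mini-IR, the component names (`MainActivity`, `Sender`), the intent keys and the sink labels are all constructed. It runs a toy forward taint analysis over a two-component app and shows why an analysis that only follows explicit assignments misses a leak that travels through a branch (implicit flow), and why leaks that cross an intent boundary (ICC) are only found when the analysis follows `startActivity` to the receiving component and matches the extra keys.

```python
"""Constructed toy taint analysis over a tiny Android-like IR.

Added example, not DroidRista's code or algorithm: it shows why explicit
flows, implicit flows and intent-based ICC each need separate handling
when a static analysis looks for source-to-sink leaks.
"""

# Mini-IR (constructed). A component is a list of instructions:
#   ("source", dst)                  dst = sensitive API result (e.g. device id)
#   ("const", dst, value)            dst = literal
#   ("assign", dst, src)             dst = src
#   ("if", cond, body)               if cond: body (body is a nested list)
#   ("put_extra", intent, key, src)  intent.putExtra(key, src)
#   ("start", intent, target)        startActivity(intent) -> target component
#   ("get_extra", dst, key)          dst = getIntent().getStringExtra(key)
#   ("sink", src, label)             data leaves the app; label names the sink


class TaintAnalysis:
    def __init__(self, components, track_implicit=True):
        self.components = components        # name -> instruction list
        self.track_implicit = track_implicit

    def analyze(self, entry):
        """Return sorted (component, sink_label) pairs reached by tainted data."""
        leaks, visited = set(), set()
        worklist = [(entry, frozenset())]   # (component, tainted extra keys)
        while worklist:
            comp, extras_in = worklist.pop()
            if (comp, extras_in) in visited:
                continue
            visited.add((comp, extras_in))
            st = {"tainted": set(), "intents": {}, "sent": [], "leaks": leaks}
            self._block(self.components[comp], comp, st, extras_in,
                        pc_tainted=False, in_branch=False)
            worklist.extend(st["sent"])     # follow ICC edges to their targets
        return sorted(leaks)

    def _block(self, block, comp, st, extras_in, pc_tainted, in_branch):
        tainted = st["tainted"]

        def write(dst, is_tainted):
            # A write inside a branch may not execute, so taint is only added
            # there (may-union); a straight-line write can also kill taint.
            if is_tainted or pc_tainted:
                tainted.add(dst)
            elif not in_branch:
                tainted.discard(dst)

        for ins in block:
            op = ins[0]
            if op == "source":
                write(ins[1], True)
            elif op == "const":
                write(ins[1], False)
            elif op == "assign":                      # explicit flow
                write(ins[1], ins[2] in tainted)
            elif op == "if":                          # implicit flow
                cond, body = ins[1], ins[2]
                branch_pc = pc_tainted or (self.track_implicit and cond in tainted)
                self._block(body, comp, st, extras_in, branch_pc, in_branch=True)
            elif op == "put_extra":                   # ICC: data into an intent
                intent, key, src = ins[1], ins[2], ins[3]
                keys = st["intents"].setdefault(intent, set())
                if src in tainted or pc_tainted:
                    keys.add(key)
            elif op == "start":                       # ICC: edge to the target
                intent, target = ins[1], ins[2]
                st["sent"].append((target, frozenset(st["intents"].get(intent, ()))))
            elif op == "get_extra":                   # ICC: data out of the intent
                write(ins[1], ins[2] in extras_in)
            elif op == "sink":
                if ins[1] in tainted or pc_tainted:
                    st["leaks"].add((comp, ins[2]))
            else:
                raise ValueError(f"unknown op {op!r}")


# Constructed sample app: MainActivity reads the device id, derives a flag
# from it through a branch (implicit flow), ships both to Sender via an
# intent (ICC) and also logs the id directly (explicit flow).
SAMPLE_APP = {
    "MainActivity": [
        ("source", "id"),
        ("const", "flag", 0),
        ("if", "id", [("const", "flag", 1)]),
        ("const", "name", "app"),
        ("put_extra", "i", "uid", "id"),
        ("put_extra", "i", "flag", "flag"),
        ("put_extra", "i", "name", "name"),
        ("start", "i", "Sender"),
        ("sink", "id", "log"),
    ],
    "Sender": [
        ("get_extra", "u", "uid"),
        ("get_extra", "f", "flag"),
        ("get_extra", "n", "name"),
        ("sink", "u", "network"),
        ("sink", "f", "sms"),
        ("sink", "n", "analytics"),
    ],
}


def find_leaks(track_implicit=True):
    return TaintAnalysis(SAMPLE_APP, track_implicit).analyze("MainActivity")


if __name__ == "__main__":
    print("with implicit flow:   ", find_leaks(True))
    print("without implicit flow:", find_leaks(False))
```

With implicit flow tracked, three leaks are reported (the direct log, and the `uid` and `flag` extras reaching the network and SMS sinks in `Sender`); with it switched off, the `flag` leak disappears even though its value is determined by the device id. The untainted `name` extra never triggers the analytics sink, which is the precision side of the trade-off the abstract refers to: following every intent edge without matching keys would flag that sink too and produce a false alarm.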


Metadata
Title
DroidRista: a highly precise static data flow analysis framework for android applications
Authors
Areej Alzaidi
Suhair Alshehri
Seyed M. Buhari
Publication date
01.10.2019
Publisher
Springer Berlin Heidelberg
Published in
International Journal of Information Security / Issue 5/2020
Print ISSN: 1615-5262
Electronic ISSN: 1615-5270
DOI
https://doi.org/10.1007/s10207-019-00471-w
