ABSTRACT
One approach to defending against malicious Android applications has been to analyze them to detect potential information leaks. This paper describes a new static taint analysis for Android that combines and augments the FlowDroid and Epicc analyses to precisely track both inter-component and intra-component data flow in a set of Android applications. The analysis takes place in two phases: given a set of applications, we first determine the data flows enabled individually by each application, and the conditions under which these are possible; we then build on these results to enumerate the potentially dangerous data flows enabled by the set of applications as a whole. This paper describes our analysis method, implementation, and experimental results.
- E. Chin, A. P. Felt, K. Greenwood, and D. Wagner. Analyzing inter-application communication in Android. In Proc. MobiSys, 2011. Google ScholarDigital Library
- ECSPRIDE. DroidBench Benchmarks. Accessed 03-26-2014.Google Scholar
- W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. Sheth. TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones. In Proc. OSDI, 2010. Google ScholarDigital Library
- W. Enck, M. Ongtang, and P. D. McDaniel. Understanding Android Security. IEEE Security & Privacy, 7(1):50--57, 2009. Google ScholarDigital Library
- A. P. Felt, E. Chin, S. Hanna, D. Song, and D. Wagner. Android permissions demystified. In Proc. CCS, 2011. Google ScholarDigital Library
- A. P. Felt, H. J. Wang, A. Moshchuk, S. Hanna, and E. Chin. Permission Re-Delegation: Attacks and Defenses. In USENIX Security, 2011. Google ScholarDigital Library
- E. Fragkaki, L. Bauer, L. Jia, and D. Swasey. Modeling and enhancing Android's permission system. In Proc. ESORICS. 2012.Google ScholarCross Ref
- C. Fritz. FlowDroid: A Precise and Scalable Data Flow Analysis for Android. Master's thesis, TU Darmstadt, July 2013.Google Scholar
- C. Fritz, S. Arzt, S. Rasthofer, E. Bodden, A. Bartel, J. Klein, Y. le Traon, D. Octeau, and P. McDaniel. FlowDroid: Precise Context, Flow, Field, Object-sensitive and Lifecycle-aware Taint Analysis for Android Apps. In Proc. PLDI, 2014. To appear. Google ScholarDigital Library
- D. Hausknecht. Variability-aware Data-flow Analysis for Smartphone Applications. Master's thesis, TU Darmstadt, Sept. 2013.Google Scholar
- V. B. Livshits and M. S. Lam. Finding security vulnerabilities in Java applications with static analysis. In Proc. USENIX Security, 2005. Google ScholarDigital Library
- L. Lu, Z. Li, Z. Wu, W. Lee, and G. Jiang. Chex: Statically vetting Android apps for component hijacking vulnerabilities. In CCS, 2012. Google ScholarDigital Library
- D. Octeau, S. Jha, and P. McDaniel. Retargeting Android applications to Java bytecode. In Proc. FSE, 2012. Google ScholarDigital Library
- D. Octeau, P. McDaniel, S. Jha, A. Bartel, E. Bodden, J. Klein, and Y. Le Traon. Effective inter-component communication mapping in Android with Epicc: An essential step towards holistic security analysis. In Proc. USENIX Security, 2013. Google ScholarDigital Library
- S. Rasthofer, S. Arzt, and E. Bodden. A Machine-learning Approach for Classifying and Categorizing Android Sources and Sinks. In Proc. NDSS, 2014.Google ScholarCross Ref
- R. Vallée-Rai, P. Co, E. Gagnon, L. Hendren, P. Lam, and V. Sundaresan. Soot - A Java bytecode optimization framework. In Proc. CASCON, 1999. Google ScholarDigital Library
Index Terms
- Android taint flow analysis for app sets
Recommendations
Practical Precise Taint-flow Static Analysis for Android App Sets
ARES '18: Proceedings of the 13th International Conference on Availability, Reliability and SecurityColluding apps, or a combination of a malicious app and leaky app, can use intents (messages sent to Android app components) to exfiltrate sensitive or private information from an Android phone. This paper describes a novel static analysis method "...
Scalable and precise taint analysis for Android
ISSTA 2015: Proceedings of the 2015 International Symposium on Software Testing and AnalysisWe propose a type-based taint analysis for Android. Concretely, we present DFlow, a context-sensitive information flow type system, and DroidInfer, the corresponding type inference analysis for detecting privacy leaks in Android apps. We present novel ...
Comments