research-article

Android taint flow analysis for app sets

Authors:
William Klieber

CERT/SEI, Carnegie Mellon University

CERT/SEI, Carnegie Mellon University
View Profile

,
Lori Flynn

CERT/SEI, Carnegie Mellon University

CERT/SEI, Carnegie Mellon University
View Profile

,
Amar Bhosale

Carnegie Mellon University

Carnegie Mellon University
View Profile

,
Limin Jia

Carnegie Mellon University

Carnegie Mellon University
View Profile

,
Lujo Bauer

Carnegie Mellon University

Carnegie Mellon University
View Profile

SOAP '14: Proceedings of the 3rd ACM SIGPLAN International Workshop on the State of the Art in Java Program AnalysisJune 2014Pages 1–6https://doi.org/10.1145/2614628.2614633

Published:12 June 2014Publication History

SOAP '14: Proceedings of the 3rd ACM SIGPLAN International Workshop on the State of the Art in Java Program Analysis

Pages 1–6

ABSTRACT

One approach to defending against malicious Android applications has been to analyze them to detect potential information leaks. This paper describes a new static taint analysis for Android that combines and augments the FlowDroid and Epicc analyses to precisely track both inter-component and intra-component data flow in a set of Android applications. The analysis takes place in two phases: given a set of applications, we first determine the data flows enabled individually by each application, and the conditions under which these are possible; we then build on these results to enumerate the potentially dangerous data flows enabled by the set of applications as a whole. This paper describes our analysis method, implementation, and experimental results.

References

E. Chin, A. P. Felt, K. Greenwood, and D. Wagner. Analyzing inter-application communication in Android. In Proc. MobiSys, 2011. Google ScholarDigital Library
ECSPRIDE. DroidBench Benchmarks. Accessed 03-26-2014.Google Scholar
W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. Sheth. TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones. In Proc. OSDI, 2010. Google ScholarDigital Library
W. Enck, M. Ongtang, and P. D. McDaniel. Understanding Android Security. IEEE Security & Privacy, 7(1):50--57, 2009. Google ScholarDigital Library
A. P. Felt, E. Chin, S. Hanna, D. Song, and D. Wagner. Android permissions demystified. In Proc. CCS, 2011. Google ScholarDigital Library
A. P. Felt, H. J. Wang, A. Moshchuk, S. Hanna, and E. Chin. Permission Re-Delegation: Attacks and Defenses. In USENIX Security, 2011. Google ScholarDigital Library
E. Fragkaki, L. Bauer, L. Jia, and D. Swasey. Modeling and enhancing Android's permission system. In Proc. ESORICS. 2012.Google ScholarCross Ref
C. Fritz. FlowDroid: A Precise and Scalable Data Flow Analysis for Android. Master's thesis, TU Darmstadt, July 2013.Google Scholar
C. Fritz, S. Arzt, S. Rasthofer, E. Bodden, A. Bartel, J. Klein, Y. le Traon, D. Octeau, and P. McDaniel. FlowDroid: Precise Context, Flow, Field, Object-sensitive and Lifecycle-aware Taint Analysis for Android Apps. In Proc. PLDI, 2014. To appear. Google ScholarDigital Library
D. Hausknecht. Variability-aware Data-flow Analysis for Smartphone Applications. Master's thesis, TU Darmstadt, Sept. 2013.Google Scholar
V. B. Livshits and M. S. Lam. Finding security vulnerabilities in Java applications with static analysis. In Proc. USENIX Security, 2005. Google ScholarDigital Library
L. Lu, Z. Li, Z. Wu, W. Lee, and G. Jiang. Chex: Statically vetting Android apps for component hijacking vulnerabilities. In CCS, 2012. Google ScholarDigital Library
D. Octeau, S. Jha, and P. McDaniel. Retargeting Android applications to Java bytecode. In Proc. FSE, 2012. Google ScholarDigital Library
D. Octeau, P. McDaniel, S. Jha, A. Bartel, E. Bodden, J. Klein, and Y. Le Traon. Effective inter-component communication mapping in Android with Epicc: An essential step towards holistic security analysis. In Proc. USENIX Security, 2013. Google ScholarDigital Library
S. Rasthofer, S. Arzt, and E. Bodden. A Machine-learning Approach for Classifying and Categorizing Android Sources and Sinks. In Proc. NDSS, 2014.Google ScholarCross Ref
R. Vallée-Rai, P. Co, E. Gagnon, L. Hendren, P. Lam, and V. Sundaresan. Soot - A Java bytecode optimization framework. In Proc. CASCON, 1999. Google ScholarDigital Library

Index Terms

Android taint flow analysis for app sets
1. Security and privacy
  1. Systems security
    1. Information flow control
    2. Operating systems security
2. Theory of computation
  1. Semantics and reasoning
    1. Program reasoning
      1. Program analysis
    2. Program semantics

Recommendations

Practical Precise Taint-flow Static Analysis for Android App Sets
ARES '18: Proceedings of the 13th International Conference on Availability, Reliability and Security

Colluding apps, or a combination of a malicious app and leaky app, can use intents (messages sent to Android app components) to exfiltrate sensitive or private information from an Android phone. This paper describes a novel static analysis method "...
Read More
Scalable and precise taint analysis for Android
ISSTA 2015: Proceedings of the 2015 International Symposium on Software Testing and Analysis

We propose a type-based taint analysis for Android. Concretely, we present DFlow, a context-sensitive information flow type system, and DroidInfer, the corresponding type inference analysis for detecting privacy leaks in Android apps. We present novel ...
Read More
Learn Android App Development
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
SOAP '14: Proceedings of the 3rd ACM SIGPLAN International Workshop on the State of the Art in Java Program Analysis
June 2014
36 pages
ISBN:9781450329194
DOI:10.1145/2614628
Conference Chairs:
Steven Arzt
EC SPRIDE
,
Raul Santelices
University of Notre Dame
Copyright © 2014 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 12 June 2014
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Qualifiers
- research-article
Conference

Acceptance Rates
SOAP '14 Paper Acceptance Rate5of5submissions,100%Overall Acceptance Rate11of11submissions,100%
More
Upcoming Conference
PLDI '24

Sponsor:

sigplan

ACM SIGPLAN Conference on Programming Language Design and Implementation

June 24 - 28, 2024

Copenhagen , Denmark
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 154
  Total Citations
  View Citations
- 974
  Total Downloads
- Downloads (Last 12 months)39
- Downloads (Last 6 weeks)4
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Android taint flow analysis for app sets

SOAP '14: Proceedings of the 3rd ACM SIGPLAN International Workshop on the State of the Art in Java Program Analysis

ABSTRACT

References

Cited By

Index Terms

Recommendations

Practical Precise Taint-flow Static Analysis for Android App Sets

Scalable and precise taint analysis for Android

Learn Android App Development