
Static Analysis for Security Vetting of Android Apps

Chapter in: From Database to Cyber Security

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11170)

Abstract

In recent years, Android has become the most popular operating system worldwide for mobile devices, including smartphones and tablets. Unfortunately, the huge success of Android has also attracted hackers, who develop malicious apps or exploit vulnerable apps (developed by others) for fun and profit. To guard against both malicious and vulnerable apps, app vetting is important. Static analysis is a promising vetting technique because it examines the entire codebase of the app and is hard to evade.

In this article, we present the basic theory of static analysis (as applied to Android apps) in plain language for beginners who have recently started exploring this exciting yet challenging field. Using short example apps, we explain how static analysis algorithms can achieve security vetting. For instance, we illustrate how tracking data flows and data dependency paths in an app can help us detect a private information leakage issue. We also review the state-of-the-art static analysis tools for security vetting of Android apps, studying FlowDroid and Amandroid in particular as representatives of the state of the art. Furthermore, we remind the reader of the limitations of static analysis.
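As an added illustration (not code from the chapter, and not the implementation of FlowDroid or Amandroid), the following Python sketches the source-to-sink tracking the abstract describes: a call to a privacy source taints its result, assignments propagate the taint, an overwrite kills it, and a sink call that receives a tainted argument is reported with its data-dependency path. The three-address statement format, the `Stmt` class and the source/sink signatures are simplifying assumptions modelled on Android APIs.

```python
# Added example: minimal intraprocedural forward taint analysis over a
# constructed three-address IR (assumption: one straight-line method body).
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical source/sink signatures, modelled on Android APIs.
SOURCES = {"TelephonyManager.getDeviceId"}
SINKS = {"SmsManager.sendTextMessage", "Log.d"}

@dataclass
class Stmt:
    line: int
    dst: Optional[str]       # variable defined, or None for a call whose result is unused
    op: str                  # "const", "assign" or "call"
    callee: str = ""
    args: list = field(default_factory=list)

def analyze(stmts):
    """Return [(sink line, data-dependency path as line numbers)] for every
    sink call that receives a tainted argument."""
    taint = {}   # variable -> line of the statement that last tainted it
    dep = {}     # statement line -> line it got its taint from (None for a source)
    leaks = []
    for s in stmts:
        tainted_in = [a for a in s.args if a in taint]
        if s.op == "call" and s.callee in SINKS and tainted_in:
            path, cur = [], taint[tainted_in[0]]
            while cur is not None:           # walk the def-use chain back to the source
                path.append(cur)
                cur = dep.get(cur)
            leaks.append((s.line, path[::-1] + [s.line]))
        if s.dst is None:
            continue
        if s.op == "call" and s.callee in SOURCES:
            taint[s.dst] = s.line; dep[s.line] = None
        elif tainted_in:                     # assignment or call result carries taint
            taint[s.dst] = s.line; dep[s.line] = taint[tainted_in[0]]
        else:                                # redefinition with clean data kills taint
            taint.pop(s.dst, None)
    return leaks

# Constructed sample method in the spirit of the chapter's leakage scenario.
SAMPLE = [
    Stmt(1, "tm",  "call", "Context.getSystemService", ["ctx"]),
    Stmt(2, "id",  "call", "TelephonyManager.getDeviceId", ["tm"]),   # source
    Stmt(3, "msg", "assign", args=["id"]),                             # taint propagates
    Stmt(4, "tag", "const"),
    Stmt(5, None,  "call", "Log.d", ["tag", "tag"]),                   # sink, clean args
    Stmt(6, "id",  "const"),                                           # kills taint on id
    Stmt(7, None,  "call", "SmsManager.sendTextMessage", ["num", "msg"]),  # leak
]
```

Real analyzers operate on Dalvik bytecode or an IR such as Jimple and add call-graph, alias, field and lifecycle sensitivity; this sketch shows only the core propagation idea.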

This work was partially supported by the U.S. National Science Foundation under grant no. 1718214. Any opinions, findings and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the above agency.


Notes

  1. The entire source code of the app is available at https://github.com/AppAnalysis-BGSU/Applications.

  2. L1 is shown as #1 in Listing 1.1. In this article, to refer to Line j we interchangeably use #j, Lj, or just j.

  3. The entire source code of the apps is available at https://github.com/AppAnalysis-BGSU/Applications.



Correspondence to Sankardas Roy.


Copyright information

© 2018 Springer Nature Switzerland AG

About this chapter


Cite this chapter

Roy, S., Chaulagain, D., Bhusal, S. (2018). Static Analysis for Security Vetting of Android Apps. In: Samarati, P., Ray, I., Ray, I. (eds) From Database to Cyber Security. Lecture Notes in Computer Science(), vol 11170. Springer, Cham. https://doi.org/10.1007/978-3-030-04834-1_19


  • DOI: https://doi.org/10.1007/978-3-030-04834-1_19


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-04833-4

  • Online ISBN: 978-3-030-04834-1

  • eBook Packages: Computer Science (R0)
