DroidRista: a highly precise static data flow analysis framework for android applications

  • Regular Contribution
  • Journal: International Journal of Information Security

Abstract

The Android operating system dominates the smartphone market, and the number of Android applications serving that market has risen dramatically. These applications process a great amount of sensitive data, which raises concerns including data leakage and privacy violations: an application may misuse the sensitive data stored on an Android device and violate the user's privacy. It is therefore essential to protect user privacy and prevent sensitive data from leaking. Static data flow analysis approaches are used to analyze Android applications and uncover security and privacy issues. However, these approaches frequently generate false alarms because of challenges specific to Android applications, such as inter-component communication (ICC), reflection, and implicit flow. This work presents DroidRista, an approach for conducting static data flow analysis on Android applications to detect sensitive data leakage. DroidRista analyzes ICC, reflection, and implicit flow in Android applications. To evaluate its performance, DroidRista was tested on three data sets. The results demonstrate improved performance in detecting data leakage compared to existing static data flow analysis approaches.




Funding

This study was not funded.

Author information

Corresponding author

Correspondence to Suhair Alshehri.

Ethics declarations

Conflict of interest

The authors declare that they have no conflict of interest.

Human and animal rights statement

This article does not contain reference to any studies with human participants or animals performed by any of the authors.


Cite this article

Alzaidi, A., Alshehri, S. & Buhari, S.M. DroidRista: a highly precise static data flow analysis framework for android applications. Int. J. Inf. Secur. 19, 523–536 (2020). https://doi.org/10.1007/s10207-019-00471-w
