skip to main content
10.1145/2771783.2771803acmconferencesArticle/Chapter ViewAbstractPublication PagesisstaConference Proceedingsconference-collections
research-article

Scalable and precise taint analysis for Android

Published: 13 July 2015 Publication History

Abstract

We propose a type-based taint analysis for Android. Concretely, we present DFlow, a context-sensitive information flow type system, and DroidInfer, the corresponding type inference analysis for detecting privacy leaks in Android apps. We present novel techniques for error reporting based on CFL-reachability, as well as novel techniques for handling of Android-specific features, including libraries, multiple entry points and callbacks, and inter-component communication. Empirical results show that our approach is scalable and precise. DroidInfer scales well in terms of time and memory and has false-positive rate of 15.7%. It detects privacy leaks in apps from the Google Play Store and in known malware.

References

[1]
S. Arzt, S. Rasthofer, C. Fritz, E. Bodden, A. Bartel, J. Klein, Y. le Traon, D. Octeau, and P. McDaniel. FlowDroid: Precise context-, flow-, field-, object-sensitive and lifecycle-aware taint analysis for android apps. In PLDI, to appear, 2014.
[2]
A. Bartel, J. Klein, Y. Le Traon, and M. Monperrus. Dexpler: Converting Android Dalvik bytecode to Jimple for static analysis with Soot. In SOAP, pages 27–38, 2012.
[3]
W. Dietl and P. Müller. Universes: Lightweight ownership for JML. Journal of Object Technology, 4(8):5–32, 2005.
[4]
W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. Mcdaniel, and A. N. Sheth. TaintDroid : An information-flow tracking system for realtime privacy monitoring on smartphones. In OSDI, pages 1–6, 2010.
[5]
M. D. Ernst, R. Just, S. Millstein, W. M. Dietl, S. Pernsteiner, F. Roesner, K. Koscher, P. Barros, R. Bhoraskar, S. Han, P. Vines, and E. X. Wu. Collaborative verification of information flow for a high-assurance app store. In Proceedings of the 21st ACM Conference on Computer and Communications Security (CCS), Scottsdale, AZ, USA, November 4–6, 2014.
[6]
M. Fähndrich, J. Rehof, and M. Das. Scalable context-sensitive flow analysis using instantiation constraints. In ACM Conference on Programming Languages Design and Implementation, pages 253–263, 2000.
[7]
C. Fritz, S. Arzt, S. Rasthofer, E. Bodden, J. Klein, Y. le Traon, D. Octeau, and P. McDaniel. Highly precise taint analysis for Android application. Technical Report TUD-CS-2013-0113, EC SPRIDE, 2013.
[8]
A. P. Fuchs, A. Chaudhuri, and J. S. Foster. SCanDroid : Automated security certification of Android applications. unpublished.
[9]
C. Gibler, J. Crussell, J. Erickson, and H. Chen. AndroidLeaks: Automatically detecting potential privacy leaks in Android applications on a large scale. In TRUST, pages 273–290, 2012.
[10]
Google. Android and Security. http://googlemobile. blogspot.com/2012/02/android-and-security.html, 2012.
[11]
Google. Google Play Store. https://play.google.com, 2014.
[12]
HP. HP Fortify Static Code Analyzer. http://www8.hp.com/us/en/software-solutions/ application-security/, 2013.
[13]
W. Huang, W. Dietl, A. Milanova, and M. D. Ernst. Inference and checking of object ownership. In ECOOP, pages 181–206, 2012.
[14]
W. Huang, Y. Dong, and A. Milanova. Type-based Taint Analysis for Java Web Applications. Technical report, Rensselaer Polytechnic Institute, 2013.
[15]
W. Huang, Y. Dong, and A. Milanova. Type-based taint analysis for Java web applications. In FASE, pages 140–154, 2014.
[16]
W. Huang, Y. Dong, A. Milanova, and J. Dolby. Scalable and precise taint analysis for android. Technical report, Department of Computer Science, Rensselaer Polytechnic Institute.
[17]
W. Huang, A. Milanova, W. Dietl, and M. D. Ernst. ReIm & ReImInfer: Checking and inference of reference immutability and method purity. In OOPSLA, pages 879––896, 2012.
[18]
IBM. IBM Security AppScan. http: //www-03.ibm.com/software/products/en/appscan, 2013.
[19]
IDC. Smartphone OS Market Share, Q3 2014. http://www.idc.com/prodserv/ smartphone-os-market-share.jsp, 2014.
[20]
J. Kim, Y. Yoon, and K. Yi. SCANDAL: Static analyzer for detecting privacy leaks in Android applications. In MoST, 2012.
[21]
B. S. Lerner, M. Flower, D. Grossman, and C. Chambers. Searching for type-error messages. In Proceedings of the 2007 ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI ’07, pages 425–434, New York, NY, USA, 2007. ACM.
[22]
S. Liang, A. W. Keep, M. Might, S. Lyde, T. Gilray, and P. Aldous. Sound and precise malware analysis for Android via pushdown reachability and entry-point saturation. In SPSM, pages 21–32, 2013.
[23]
S. Lortz, H. Mantel, A. Starostin, T. Bähr, D. Schneider, and A. Weber. Cassandra: Towards a Certifying App Store for Android. In Proceedings of the 4th ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices, pages 93–104. ACM, 2014.
[24]
L. Lu, Z. Li, Z. Wu, W. Lee, and G. Jiang. CHEX: Statically vetting Android apps for component hijacking vulnerabilities. In CCS, pages 229–240, 2012.
[25]
Mila. contagio mobile. http://contagiominidump.blogspot.com, 2014.
[26]
A. Milanova and W. Huang. Composing polymorphic information flow systems with reference immutability. In FTfJP, pages 5:1–5:7, 2013.
[27]
A. Milanova, W. Huang, and Y. Dong. In ACM Conference on Programming and Practice of Programming in Java, pages 99–109, 2014.
[28]
A. C. Myers. JFlow: Practical mostly-static information flow control. In POPL, pages 228–241, 1999.
[29]
A. C. Myers, J. A. Bank, and B. Liskov. Parameterized types for Java. In POPL, pages 132–145, 1997.
[30]
D. Octeau, P. Mcdaniel, S. Jha, A. Bartel, E. Bodden, J. Klein, and Y. L. Traon. Effective inter-component communication mapping in Android with Epicc: An essential step towards holistic security analysis. In USENIX Security, pages 543–558, 2013.
[31]
M. M. Papi, M. Ali, T. L. Correa Jr, J. H. Perkins, and M. D. Ernst. Practical pluggable types for Java. In ISSTA, pages 201–212, 2008.
[32]
A. Reina, A. Fattori, and L. Cavallaro. A system call-centric analysis and stimulation technique to automatically reconstruct Android malware behaviors. In EuroSec, 2013.
[33]
T. Reps. Program analysis via graph reachability. Information and Software Technology, 40:5–19, 1998.
[34]
T. Reps. Undecidability of context-sensitive data-independence analysis. ACM Transactions on Programming Languages and Systems, 22(1):162—-186, 2000.
[35]
A. Sampson, W. Dietl, and E. Fortuna. EnerJ: Approximate data types for safe and general low-power computation. In PLDI, pages 164–174, 2011.
[36]
U. Shankar, K. Talwar, J. S. Foster, and D. Wagner. Detecting format string vulnerabilities with type qualifiers. In USENIX Security, pages 201–220, 2001.
[37]
R. Vallée-Rai, P. Co, E. Gagnon, L. Hendren, P. Lam, and V. Sundaresan. Soot: A Java bytecode optimization framework. In CASCON, pages 13–23, 1999.
[38]
D. Volpano, G. Smith, and C. Irvine. A sound type system for secure flow analysis. Journal of Computer Security, pages 167–187, 1996.
[39]
M. Wand. Finding the source of type errors. In Proceedings of the 13th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages, POPL ’86, pages 38–43, New York, NY, USA, 1986. ACM.
[40]
R. Xu, H. Sa¨ıdi, R. Anderson, and H. Sa Äśdi. Aurasium: Practical policy enforcement for Android applications. In USENIX Security, pages 539–552, 2012.
[41]
L. Yan and H. Yin. Droidscope: seamlessly reconstructing the os and dalvik semantic views for dynamic android malware analysis. In USENIX Security, pages 569–584, 2012.
[42]
Z. Yang and M. Yang. LeakMiner: Detect information leakage on Android with static taint analysis. 2012 Third World Congress on Software Engineering, pages

Cited By

View all
  • (2025)Program Analysis via Multiple Context Free Language ReachabilityProceedings of the ACM on Programming Languages10.1145/37048549:POPL(509-538)Online publication date: 9-Jan-2025
  • (2024)A Better Approximation for Interleaved Dyck ReachabilityProceedings of the 13th ACM SIGPLAN International Workshop on the State Of the Art in Program Analysis10.1145/3652588.3663318(18-25)Online publication date: 20-Jun-2024
  • (2024)Iterative-Epoch Online Cycle Elimination for Context-Free Language ReachabilityProceedings of the ACM on Programming Languages10.1145/36498628:OOPSLA1(1437-1462)Online publication date: 29-Apr-2024
  • Show More Cited By

Recommendations

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences
ISSTA 2015: Proceedings of the 2015 International Symposium on Software Testing and Analysis
July 2015
447 pages
ISBN:9781450336208
DOI:10.1145/2771783
  • General Chair:
  • Michal Young,
  • Program Chair:
  • Tao Xie
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

In-Cooperation

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 13 July 2015

Permissions

Request permissions for this article.

Check for updates

Author Tags

  1. Android
  2. CFL-reachability
  3. Taint analysis
  4. information flow

Qualifiers

  • Research-article

Funding Sources

Conference

ISSTA '15
Sponsor:

Acceptance Rates

Overall Acceptance Rate 58 of 213 submissions, 27%

Upcoming Conference

ISSTA '25

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)117
  • Downloads (Last 6 weeks)11
Reflects downloads up to 16 Feb 2025

Other Metrics

Citations

Cited By

View all
  • (2025)Program Analysis via Multiple Context Free Language ReachabilityProceedings of the ACM on Programming Languages10.1145/37048549:POPL(509-538)Online publication date: 9-Jan-2025
  • (2024)A Better Approximation for Interleaved Dyck ReachabilityProceedings of the 13th ACM SIGPLAN International Workshop on the State Of the Art in Program Analysis10.1145/3652588.3663318(18-25)Online publication date: 20-Jun-2024
  • (2024)Iterative-Epoch Online Cycle Elimination for Context-Free Language ReachabilityProceedings of the ACM on Programming Languages10.1145/36498628:OOPSLA1(1437-1462)Online publication date: 29-Apr-2024
  • (2024)On-the-Fly Static Analysis via Dynamic Bidirected Dyck ReachabilityProceedings of the ACM on Programming Languages10.1145/36328848:POPL(1239-1268)Online publication date: 5-Jan-2024
  • (2024)LibAlchemy: A Two-Layer Persistent Summary Design for Taming Third-Party Libraries in Static Bug-Finding SystemsProceedings of the IEEE/ACM 46th International Conference on Software Engineering10.1145/3597503.3639132(1-13)Online publication date: 20-May-2024
  • (2024)"False negative - that one is going to kill you": Understanding Industry Perspectives of Static Analysis based Security Testing2024 IEEE Symposium on Security and Privacy (SP)10.1109/SP54263.2024.00019(3979-3997)Online publication date: 19-May-2024
  • (2023)ConfFix: Repairing Configuration Compatibility Issues in Android AppsProceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis10.1145/3597926.3598074(514-525)Online publication date: 12-Jul-2023
  • (2023)Context Sensitivity without Contexts: A Cut-Shortcut Approach to Fast and Precise Pointer AnalysisProceedings of the ACM on Programming Languages10.1145/35912427:PLDI(539-564)Online publication date: 6-Jun-2023
  • (2023)CFL/Dyck ReachabilityACM SIGLOG News10.1145/3583660.35836649:4(5-25)Online publication date: 6-Feb-2023
  • (2023)Single-Source-Single-Target Interleaved-Dyck Reachability via Integer Linear ProgrammingProceedings of the ACM on Programming Languages10.1145/35712287:POPL(1003-1026)Online publication date: 11-Jan-2023
  • Show More Cited By

View Options

Login options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Figures

Tables

Media

Share

Share

Share this Publication link

Share on social media