FLOWDROID: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps

ACM SIGPLAN Notices

Volumn 49, Issue 6, 2014, Pages 259-269

  Arzt, Steven ^a   Rasthofer, Siegfried ^a   Fritz, Christian ^a   Bodden, Eric ^a   Bartel, Alexandre ^b   Klein, Jacques ^b   Le Traon, Yves ^b   Octeau, Damien ^c   McDaniel, Patrick ^c  

^a DARMSTADT UNIVERSITY OF TECHNOLOGY   (Germany)

^b UNIVERSITY OF LUXEMBOURG   (Luxembourg)

^c PENNSYLVANIA STATE UNIVERSITY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

ACCIDENTS; COMPUTER VIRUSES; ERRORS; LIFE CYCLE; SECURITY OF DATA; SMARTPHONES;

ANALYSIS APPROACH; ANDROID APPLICATIONS; COMMERCIAL TOOLS; CONFIDENTIAL DATA; HIGH-EFFICIENCY; NUMBER OF FALSE ALARMS; PRECISE MODELING; TEST APPLICATIONS;

ANDROID (OPERATING SYSTEM);

EID: 84907029013     PISSN: 15232867     EISSN: None     Source Type: Journal    
DOI: 10.1145/2594291.2594299     Document Type: Conference Paper

References (42)

1. Virus share, aug 2013. http://virusshare.com/.
2. IBM Rational AppScan, Apr. 2013. http://www-01.ibm.com/software/de/rational/appscan/.
3. Fortify 360 Source Code Analyzer (SCA), Apr. 2013. http://www8.hp.com/us/en/software-solutions/software.html?compURI=1214365#.UW6CVKuAtfQ.
4. A. Bartel, J. Klein, Y. Le Traon, and M. Monperrus. Automatically securing permission-based software by reducing the attack surface: an application to android. In ASE 2012, pages 274-277, 2012.
5. A. Bartel, J. Klein, Y. Le Traon, and M. Monperrus. Dexpler: converting android dalvik bytecode to jimple for static analysis with soot. In Proceedings of the ACM SIGPLAN International Workshop on State of the Art in Java Program analysis, SOAP '12, pages 27-38, 2012.
6. L. Batyuk, M. Herpich, S. Camtepe, K. Raddatz, A.-D. Schmidt, and S. Albayrak. Using static analysis for automatic assessment and mitigation of unwanted and malicious activities within android applications. In Malicious and Unwanted Software (MALWARE), 2011 6th International Conference on, pages 66-72, 2011.
7. E. Bodden. Inter-procedural data-flow analysis with ifds/ide and soot. In Proceedings of the ACM SIGPLAN International Workshop on State of the Art in Java Program analysis, SOAP '12, pages 3-8, 2012.
8. E. Bodden, A. Sewe, J. Sinschek, H. Oueslati, and M. Mezini. Taming reflection: Aiding static analysis in the presence of reflection and custom class loaders. In ICSE '11: International Conference on Software Engineering, pages 241-250. ACM, May 2011.
9. I. D. Corporation. Worldwide quarterly mobile phone tracker 3q12, Nov. 2012. http://www.idc.com/tracker/showproductinfo.jsp?prod-id=37.
10. I. Dillig, T. Dillig, and A. Aiken. Precise reasoning for programs using containers. In Proceedings of the 38th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages, POPL '11, pages 187-200, 2011.
11. W. Enck, P. Gilbert, B. gon Chun, L. P. Cox, J. Jung, P. McDaniel, and A. Sheth. Taintdroid: An information-flow tracking system for realtime privacy monitoring on smartphones. In R. H. Arpaci-Dusseau and B. Chen, editors, OSDI, pages 393-407. USENIX Association, 2010.
12. A. P. Felt, M. Finifter, E. Chin, S. Hanna, and D. Wagner. A survey of mobile malware in the wild. In Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices, SPSM '11, pages 3-14, New York, NY, USA, 2011. ACM. . URL http://doi.acm.org/10.1145/2046614.2046618.
13. C. Fritz, S. Arzt, S. Rasthofer, E. Bodden, A. Bartel, J. Klein, Y. le Traon, D. Octeau, and P. McDaniel. Highly precise taint analysis for android applications. Technical Report TUD-CS-2013-0113, EC SPRIDE, May 2013. URL http://www.bodden.de/pubs/TUD-CS-2013-0113.pdf.
14. A. P. Fuchs, A. Chaudhuri, and J. S. Foster. Scandroid: Automated security certification of android applications.
15. C. Gibler, J. Crussell, J. Erickson, and H. Chen. Androidleaks: automatically detecting potential privacy leaks in android applications on a large scale. In Proceedings of the 5th international conference on Trust and Trustworthy Computing, TRUST'12, pages 291-307, 2012.
16. M. C. Grace, W. Zhou, X. Jiang, and A.-R. Sadeghi. Unsafe exposure analysis of mobile in-app advertisements. In Proceedings of the fifth ACM conference on Security and Privacy in Wireless and Mobile Networks, WISEC '12, pages 101-112, New York, NY, USA, 2012. ACM. . URL http://doi.acm.org/10.1145/2185448.2185464.
17. G. Inc. Application fundamentals. 2013. URL http://developer.android.com/guide/components/fundamentals.html.
18. G. Kastrinis and Y. Smaragdakis. Efficient and effective handling of exceptions in java points-to analysis. In R. Jhala and K. D. Bosschere, editors, CC, volume 7791 of Lecture Notes in Computer Science, pages 41-60. Springer, 2013.
19. J. Kim, Y. Yoon, K. Yi, and J. Shin. ScanDal: Static analyzer for detecting privacy leaks in android applications. In H. Chen, L. Koved, and D. S. Wallach, editors, MoST 2012: Mobile Security Technologies 2012, Los Alamitos, CA, USA, May 2012. IEEE.
20. D. King, B. Hicks, M. Hicks, and T. Jaeger. Implicit flows: Can't live with 'em, can't live without 'em. In Proceedings of the 4th International Conference on Information Systems Security, ICISS '08, pages 56-70, Berlin, Heidelberg, 2008. Springer-Verlag. .
21. P. Lam, E. Bodden, O. Lhotak, and L. Hendren. The soot framework for java program analysis: a retrospective. In Cetus Users and Compiler Infastructure Workshop (CETUS 2011), Oktober 2011.
22. O. Lhoták and L. Hendren. Scaling java points-to analysis using spark. In G. Hedin, editor, Compiler Construction, volume 2622 of LNCS, pages 153-169. Springer Berlin Heidelberg, 2003. .
23. B. Livshits. Securibench micro, Mar. 2013. http://suif.stanford.edu/~livshits/work/securibench-micro/.
24. L. Lu, Z. Li, Z. Wu, W. Lee, and G. Jiang. Chex: statically vetting android apps for component hijacking vulnerabilities. In CCS 2012, pages 229-240, 2012.
25. C. Mann and A. Starostin. A framework for static detection of privacy leaks in android applications. In Proceedings of the 27th Annual ACM Symposium on Applied Computing, SAC '12, pages 1457-1462, 2012.
26. N. A. Naeem, O. Lhoták, and J. Rodriguez. Practical extensions to the ifds algorithm. In Compiler Construction 2010, pages 124-144, 2010.
27. D. Octeau, P. McDaniel, S. Jha, A. Bartel, E. Bodden, J. Klein, and Y. L. Traon. Effective inter-component communication mapping in android: An essential step towards holistic security analysis. In USENIX Security Symposium 2013, Aug. 2013.
28. Paladion. Insecurebank test app. http://www.paladion.net/downloadapp.html.
29. N. J. Percoco and S. Schulte. Adventures in bouncerland. Blackhat USA, 2012.
30. S. Rasthofer, S. Arzt, and E. Bodden. A machine-learning approach for classifying and categorizing android sources and sinks. In 2014 Network and Distributed System Security Symposium (NDSS), Feb. 2014. URL http://www.bodden.de/pubs/rab14classifying.pdf. To appear.
31. A. Reina, A. Fattori, and L. Cavallaro. A system call-centric analysis and stimulation technique to automatically reconstruct android malware behaviors. In EUROSEC, Prague, Czech Republic, April 2013.
32. T. Reps, S. Horwitz, and M. Sagiv. Precise interprocedural dataflow analysis via graph reachability. In POPL '95, pages 49-61, 1995.
33. A. Rountev, M. Sharp, and G. Xu. Ide dataflow analysis in the presence of large object-oriented libraries. In Compiler Construction, volume 4959 of LNCS, pages 53-68. Springer, 2008.
34. M. Sagiv, T. Reps, and S. Horwitz. Precise interprocedural dataflow analysis with applications to constant propagation. In TAPSOFT '95, pages 131-170, 1996.
35. G. Sarwar, O. Mehani, R. Boreli, and M. A. Kaafar. On the effectiveness of dynamic taint analysis for protecting against private information leaks on android-based devices, 2013.
36. M. Sridharan, S. Artzi, M. Pistoia, S. Guarnieri, O. Tripp, and R. Berg. F4F: taint analysis of framework-based web applications. In OOPSLA 2011, pages 1053-1068, 2011.
37. O. Tripp, M. Pistoia, P. Cousot, R. Cousot, and S. Guarnieri. Andromeda: Accurate and scalable security analysis of web applications. In FASE 2013, pages 210-225, 2013.
38. R. Xu, H. Saïdi, and R. Anderson. Aurasium: practical policy enforcement for android applications. In USENIX Security 2012, Security'12, pages 27-27, Berkeley, CA, USA, 2012. USENIX Association.
39. L. K. Yan and H. Yin. Droidscope: seamlessly reconstructing the os and dalvik semantic views for dynamic android malware analysis. In USENIX Security 2012, Security'12, pages 29-29, Berkeley, CA, USA, 2012. USENIX Association.
40. Z. Yang and M. Yang. Leakminer: Detect information leakage on android with static taint analysis. In Software Engineering (WCSE), 2012 Third World Congress on, pages 101-104, 2012.
41. Z. Zhao and F. Osono. Trustdroid: Preventing the use of smartphones for information leaking in corporate networks through the used of static analysis taint tracking. In Malicious and Unwanted Software (MALWARE), 2012 7th International Conference on, pages 135-143, 2012.
42. Y. Zhou and X. Jiang. Dissecting android malware: Characterization and evolution. In Proceedings of the 2012 IEEE Symposium on Security and Privacy, SP '12, pages 95-109, 2012.