Making Android Apps Data-Leak-Safe by Data Flow Analysis and Code Injection

Some support is needed to prevent sensitive data handled by applications from being sent to improper destinations. Although apps running on Android OS declare the services they access, once the user accepts, the application receives complete permissions and may use sensitive data improperly. Some tools have emerged to check data access and flow; however, such tools are based either on static analysis or on dynamic tracking. The former brings no overhead at run-time but is less precise; the latter can bring a costly overhead during execution, having to monitor any access to sensitive data and all destinations. Our approach is innovative in that it takes advantage of static analysis and then monitors at run-time only the data paths that potentially give sensitive data out. The corresponding tool is tailored to the Android environment, tool-chain, libraries, and the typical requirements that applications have to satisfy.
