Privacy Analysis of Android Apps: Implicit Flows and Quantitative Analysis

A static analysis, based on the theory of abstract interpretation, is presented for verifying privacy policy compliance by mobile applications. It covers instances where, for example, the application releases the user’s location or device ID without authorization. It properly extends previous work on datacentric semantics for verification of privacy policy compliance by mobile applications by (i) tracking implicit information flow, and (ii) performing a quantitative analysis of information leakage. This yields a novel combination of qualitative and quantitative analyses of information flows in mobile applications.
