DAPA: Degradation-Aware Privacy Analysis of Android Apps

When we install or run an app on a smartphone, we grant it access to part of the (possibly confidential) data stored on the device. Traditional information-flow analyses aim to detect whether such information is leaked by the app to the external (untrusted) environment. The static analyser presented in this paper goes one step further: it traces not only whether information may be leaked (which is almost always the case), but also how relevant such a leakage might be, expressed as an under- and an over-approximation of the actual degree of value degradation. The analysis captures both explicit and implicit dependences in an integrated approach. The analyser is built within the Abstract Interpretation framework, on top of our previous work on datacentric semantics for the verification of privacy policy compliance by mobile applications. Results of the experimental analysis on significant samples of the DroidBench library are also discussed.
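To make the idea of a degradation interval concrete, the following toy analyser is an added illustration written for this page; it is not DAPA's abstract domain or code. It assumes a small constructed statement language (sources, constants, a lossy `trunc` operation, `concat`, `if`, and a `sink`), assumes that each `trunc` removes a known fraction of the information (a constructed parameter), and assumes that an implicit flow through a secret-dependent branch degrades the secret by at least 0.9 (also a constructed constant). Each variable maps every sensitive source it depends on to an interval `[lo, hi]`, where `lo` under-approximates and `hi` over-approximates how degraded that source is by the time it reaches a sink; the `if` case shows how explicit and implicit dependences are tracked together.

```python
"""Toy degradation-aware taint analysis (constructed illustration, not DAPA's domain).

Abstract value: source name -> (lo, hi) degradation interval.
  0.0 = the exact sensitive value flows, 1.0 = nothing about it is recoverable.
  lo under-approximates, hi over-approximates the degradation of any concrete run.
"""
from typing import Dict, List, Tuple

Interval = Tuple[float, float]
AbsVal = Dict[str, Interval]   # source name -> degradation interval
State = Dict[str, AbsVal]      # program variable -> abstract value

# Assumption (constructed): a branch decided by a secret reveals at most one bit,
# modelled as degrading that secret by at least 0.9 along both branches.
IMPLICIT_DEGRADATION = 0.9


def clamp(x: float) -> float:
    return max(0.0, min(1.0, x))


def join(a: AbsVal, b: AbsVal) -> AbsVal:
    """Control-flow merge: a source absent on one path is fully degraded there,
    so the merged interval widens to cover both paths."""
    out: AbsVal = {}
    for src in set(a) | set(b):
        alo, ahi = a.get(src, (1.0, 1.0))
        blo, bhi = b.get(src, (1.0, 1.0))
        out[src] = (min(alo, blo), max(ahi, bhi))
    return out


def combine(a: AbsVal, b: AbsVal) -> AbsVal:
    """Explicit dependence on two operands: the result reveals at least as much
    about a source as the less degraded operand, so take the minimum."""
    out = dict(a)
    for src, (lo, hi) in b.items():
        olo, ohi = out.get(src, (1.0, 1.0))
        out[src] = (min(olo, lo), min(ohi, hi))
    return out


def degrade(v: AbsVal, d: float) -> AbsVal:
    """A lossy operation (e.g. coarsening GPS to city) removes a fraction d."""
    return {src: (clamp(lo + d), clamp(hi + d)) for src, (lo, hi) in v.items()}


def implicit(cond: AbsVal) -> AbsVal:
    """Implicit dependence carried by the program counter inside a branch."""
    return {src: (clamp(lo + IMPLICIT_DEGRADATION), 1.0) for src, (lo, _) in cond.items()}


def analyse(stmts: list, state: State, pc: AbsVal, leaks: List[Tuple[str, AbsVal]]) -> State:
    for st in stmts:
        op = st[0]
        if op == "source":                       # var := sensitive source
            _, var, name = st
            state[var] = combine({name: (0.0, 0.0)}, pc)
        elif op == "const":                      # var := literal (only pc taint)
            state[st[1]] = dict(pc)
        elif op == "trunc":                      # var := lossy(src) removing fraction d
            _, var, src, d = st
            state[var] = combine(degrade(state.get(src, {}), d), pc)
        elif op == "concat":                     # var := a ++ b
            _, var, a, b = st
            state[var] = combine(combine(state.get(a, {}), state.get(b, {})), pc)
        elif op == "if":                         # both branches under a raised pc
            _, cond, then_b, else_b = st
            inner_pc = combine(pc, implicit(state.get(cond, {})))
            s1 = analyse(then_b, dict(state), inner_pc, leaks)
            s2 = analyse(else_b, dict(state), inner_pc, leaks)
            state = {v: join(s1.get(v, {}), s2.get(v, {})) for v in set(s1) | set(s2)}
        elif op == "sink":                       # report what reaches the sink
            leaks.append((st[1], dict(state.get(st[1], {}))))
    return state


def analyse_program(stmts: list) -> List[Tuple[str, AbsVal]]:
    leaks: List[Tuple[str, AbsVal]] = []
    analyse(stmts, {}, {}, leaks)
    return leaks


# Constructed sample program: GPS is coarsened before being sent, but one branch of
# an IMEI-dependent test also appends a lightly degraded copy of the raw location.
PROGRAM = [
    ("source", "loc", "GPS"),
    ("source", "imei", "IMEI"),
    ("trunc", "city", "loc", 0.7),
    ("const", "flag"),
    ("if", "imei", [("const", "flag")], [("trunc", "flag", "loc", 0.2)]),
    ("concat", "msg", "city", "flag"),
    ("sink", "msg"),
]

if __name__ == "__main__":
    for var, info in analyse_program(PROGRAM):
        print(var, info)
```

On the sample, the sink receives `GPS` with interval `(0.2, 0.7)`: at best the city-level value leaks (degradation 0.7), but on the else path a copy degraded by only 0.2 reaches the network. `IMEI` appears with `(0.9, 1.0)` because only the branch outcome, an implicit flow, reveals anything about it. A plain taint analysis would report both sources as leaked without distinguishing these cases.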
