Capability Leakage Detection between Android Applications Based on Dynamic Feedback

The capability leakage of Android applications is one kind of serious vulnerabilities. It can cause other applications to leverage its functions to achieve their illegal goals. In this paper, we propose a tool which can automatically detect and confirm capability leakages of Android applications with dynamic-feedback testing. The tool utilizes context-sensitive, flow-sensitive inter-procedural data flow analysis to find key variables and instrumentation points, then it tests the application continuously by test cases generated from test log. We have made experiments on 607 most popular applications of Wandoujia in 2017, and found a total of 6,070 in 16 kinds of capability leakages. Compared with the famous IntentFuzzer, our tool is 19.38% better on the average ability to detect permission capability leakage.