Other (Reports)
Highly precise taint analysis for Android applications
Fritz, Christian; Arzt, Steven; Rasthofer, Siegfried et al.
2013
 

Documents


Full text
Highly Precise Taint Analysis for Android Application.pdf
Publisher postprint (739.74 kB)

All documents in ORBilu are protected by a user license.


Details



Abstract:
[en] Today’s smart phones are a ubiquitous source of private and confidential data. At the same time, smartphone users are plagued by malicious apps that exploit their given privileges to steal such sensitive data, or to track users without their consent or even the users noticing. Dynamic program analyses fail to discover such malicious activity because apps have learned to recognize the analyses as they execute. In this work we present FlowDroid, a novel and highly precise taint analysis for Android applications. A precise model of Android’s lifecycle allows the analysis to properly handle callbacks, while context, flow, field and object-sensitivity allows the analysis to track taints with a degree of precision unheard of from previous Android analyses. We also propose DroidBench, an open test suite for evaluating the effectiveness and accuracy of taint-analysis tools specifically for Android apps. As we show through a set of experiments using SecuriBench Micro, DroidBench and a set of well-known Android test applications, our approach finds a very high fraction of data leaks while keeping the rate of false positives low. On DroidBench, our approach achieves 93% recall and 86% precision, greatly outperforming the commercial tools AppScan Source and Fortify SCA.
Disciplines:
Computer science
Author, co-author:
Fritz, Christian
Arzt, Steven
Rasthofer, Siegfried
Bodden, Eric
BARTEL, Alexandre; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
KLEIN, Jacques; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > Computer Science and Communications Research Unit (CSC)
LE TRAON, Yves; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)
Octeau, Damien
McDaniel, Patrick
Document language:
English
Title:
Highly precise taint analysis for Android applications
Publication date:
08 March 2013
Available on ORBilu:
since 03 March 2016

Statistics


Number of views
327 (including 1 Unilu)
Number of downloads
1255 (including 6 Unilu)
