Highly precise taint analysis for Android applications

Fritz, Christian; Arzt, Steven; Rasthofer, Siegfried; Bodden, Eric; Bartel, Alexandre; Klein, Jacques; Le Traon, Yves; Octeau, Damien; McDaniel, Patrick

Reference : Highly precise taint analysis for Android applications


	Document type :	Reports : Other
	Discipline(s) :	Engineering, computing & technology : Computer science
	To cite this reference:	http://hdl.handle.net/10993/25162

Title :	Highly precise taint analysis for Android applications
Language :	English
Author, co-author :	Fritz, Christian [> >]
	Arzt, Steven [> >]
	Rasthofer, Siegfried [> >]
	Bodden, Eric [> >]
	Bartel, Alexandre [> >]
	Klein, Jacques [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > Computer Science and Communications Research Unit (CSC)]
	Le Traon, Yves [University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)]
	Octeau, Damien [> >]
	McDaniel, Patrick [> >]
Publication date :	8-Mar-2013
Abstract :	[en] Today’s smart phones are a ubiquitous source of private and confidential data. At the same time, smartphone users are plagued by malicious apps that exploit their given privileges to steal such sensitive data, or to track users without their consent or even the users noticing. Dynamic program analyses fail to discover such malicious activity because apps have learned to recognize the analyses as they execute. In this work we present FlowDroid, a novel and highly precise taint analysis for Android applications. A precise model of Android’s lifecycle allows the analysis to properly handle callbacks, while context, flow, field and objectsensitivity allows the analysis to track taints with a degree of precision unheard of from previous Android analyses. We also propose DroidBench, an open test suite for evaluating the e↵ectiveness and accuracy of taint-analysis tools specifically for Android apps. As we show through a set of experiments using SecuriBench Micro, DroidBench and a set of well-known Android test applications, our approach finds a very high fraction of data leaks while keeping the rate of false positives low. On DroidBench, our approach achieves 93% recall and 86% precision, greatly outperforming the commercial tools AppScan Source and Fortify SCA.
Permalink :	http://hdl.handle.net/10993/25162

File(s) associated to this reference

Fulltext file(s):

	File	Commentary	Version	Size	Access
Open access	Highly Precise Taint Analysis for Android Application.pdf		Publisher postprint	722.4 kB	View/Open

All documents in ORBi^lu are protected by a user license.

University of Luxembourg Library | Feedback | Legal notices