Information-Flow Analysis of Android Applications in DroidSafe
Date: 8 Feb 2015
Document Type: Briefing Papers
Associated Event: NDSS Symposium 2015
Abstract:
We present DroidSafe, a static information flow analysis tool that reports potential leaks of sensitive information in Android applications. DroidSafe includes a comprehensive model of the Android API and runtime, built on top of the Android Open Source Project implementation of the Android API. This model accurately captures the data-flow and aliasing semantics of API calls, life-cycle event handlers, callback handlers, and native methods. DroidSafe includes an analysis to statically resolve dynamic inter-component communication linkage mechanisms, enabling DroidSafe to precisely track intent-, message-, and RPC-mediated information flows that traverse multiple Android components. The DroidSafe information flow analysis has high-depth heap and method object-sensitivity, and the analysis considers all possible interleavings of life-cycle events and callback handlers. We also present several domain-specific analyses that significantly enhance DroidSafe’s ability to successfully analyze Android applications. We evaluate DroidSafe on a suite of 24 real-world Android applications that contain malicious information leaks. These applications were developed by independent, hostile Red Team organizations. The malicious flows in these applications were designed specifically to evade or overwhelm information flow analysis tools. DroidSafe detects all of the malicious flows in all 24 applications. We compare DroidSafe to a current state-of-the-art analysis, which detects malicious flows in only 3 of these applications. We also evaluate DroidSafe on DroidBench version 1.2, a suite of 65 independently developed Android micro-applications designed to evaluate the capabilities of information flow analysis systems. We report the highest information flow precision and recall to date for DroidBench 1.2.