IIFA: Modular Inter-app Intent Information Flow Analysis of Android Applications

Conference paper, published in Security and Privacy in Communication Networks (SecureComm 2019)

Abstract

Android apps cooperate through message passing via intents. However, when apps have disparate sets of privileges, inter-app communication (IAC) can accidentally or maliciously be misused, e.g., to leak sensitive information contrary to users’ expectations. Recent research has considered static program analysis to detect dangerous data leaks due to inter-component communication (ICC), but it suffers from shortcomings for IAC with respect to precision, soundness, and scalability.

As a remedy, we propose a novel pre-analysis for static ICC/IAC analysis. Our main contribution is the first fully automatic ICC/IAC information flow analysis that is scalable for realistic apps due to modularity, avoiding combinatorial explosion: our approach determines communicating apps using short summaries rather than inlining intent calls between components and apps, which would entail simultaneously analyzing all apps installed on a device.

Using benchmarks we establish that IIFA outperforms state-of-the-art analyses in terms of precision and recall. But foremost, applied to the 90 most popular applications from the Google Playstore, IIFA demonstrated its scalability to a large corpus of real-world apps.


Notes

  1. getXXXExtra methods retrieve type-specific data from a received intent that has been added through the corresponding putExtra method.

  2. The getXXXExtra’s key is determined via backward slicing.

  3. We utilize the categorization of sources and sinks from R-Droid [3].

  4. https://github.com/mig40000/ICC-Benchmark.

  5. Note that any other tool that resolves intra-component flows (in particular those of Table 3 except for DIALDroid) would also have been a possible base analysis, but may have interfered with our ICC/IAC model.
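The abstract describes matching communicating components through short per-component summaries instead of inlining intent calls, and notes 1 and 2 describe how a receiver's getXXXExtra key (recovered by backward slicing) is paired with the sender's putExtra key. The following is an added toy model of that summary matching, written for this page; it is not IIFA's code or summary format, and the apps, components, source and sink categories are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass
class SendSummary:
    app: str
    component: str
    action: Optional[str]           # implicit-intent action, or None
    target: Optional[str]           # explicit "app/Component" target, or None
    tainted_extras: Dict[str, str]  # putExtra key -> source category

@dataclass
class RecvSummary:
    app: str
    component: str
    actions: Set[str]               # actions declared in its intent filter
    exported: bool
    extra_to_sink: Dict[str, str]   # getXXXExtra key (resolved by backward slicing) -> sink category

def can_deliver(s: SendSummary, r: RecvSummary) -> bool:
    """Explicit intents name their target; implicit ones need a reachable, matching filter."""
    if s.target is not None:
        return s.target == f"{r.app}/{r.component}"
    return s.action in r.actions and (r.exported or s.app == r.app)

def find_flows(sends: List[SendSummary], recvs: List[RecvSummary]) -> List[tuple]:
    """Pair summaries instead of inlining code: a flow exists when a tainted putExtra
    key is read by a matching receiver's getXXXExtra and forwarded to a sink."""
    flows = []
    for s in sends:
        for r in recvs:
            if not can_deliver(s, r):
                continue
            for key, source in s.tainted_extras.items():
                sink = r.extra_to_sink.get(key)
                if sink is not None:
                    flows.append(("IAC" if s.app != r.app else "ICC", f"{s.app}/{s.component}",
                                  source, key, f"{r.app}/{r.component}", sink))
    return flows

# Constructed summaries for three hypothetical apps A, B and C (not real packages).
SENDS = [
    SendSummary("A", "ShareActivity", "android.intent.action.SEND", None, {"loc": "LOCATION"}),
    SendSummary("A", "MainActivity", None, "A/LocalService", {"imei": "DEVICE_ID"}),
]
RECVS = [
    RecvSummary("B", "CollectorService", {"android.intent.action.SEND"}, True, {"loc": "NETWORK"}),
    RecvSummary("C", "Viewer", {"android.intent.action.SEND"}, True, {"text": "LOG"}),  # different key: no flow
    RecvSummary("A", "LocalService", set(), False, {"imei": "FILE"}),  # unexported, reached explicitly
]
```

Calling `find_flows(SENDS, RECVS)` reports one inter-app (IAC) flow from A's ShareActivity to B's CollectorService and one intra-app (ICC) flow inside A, while C's Viewer is matched by the filter but produces no flow because it reads a different extra key.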

References

  1. Apktool 2.0. GitHub, July 2017. https://ibotpeaches.github.io/Apktool/

  2. Arzt, S., Rasthofer, S., Fritz, E.A.: FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps. ACM SIGPLAN Not. 49(6), 259–269 (2014)

  3. Backes, M., Bugiel, S., Derr, E., Gerling, S., Hammer, C.: R-Droid: leveraging Android app analysis with static slice optimization. In: 11th ACM on ASIACCS, pp. 129–140. ACM (2016)

  4. Bosu, A., Liu, F., Yao, D.D., Wang, G.: Collusive data leak and more: large-scale threat analysis of inter-app communications. In: AsiaCCS 2017, Abu Dhabi, United Arab Emirates, April 2–6, 2017, pp. 71–85 (2017)

  5. Chan, P.P., Hui, L.C., Yiu, S.M.: DroidChecker: analyzing Android applications for capability leak. In: Proceedings of the Fifth ACM Conference on Security and Privacy in Wireless and Mobile Networks, pp. 125–136. ACM (2012)

  6. Fritz, C., Arzt, S., Rasthofer, S.: DroidBench. https://github.com/secure-software-engineering/DroidBench. Accessed Dec 2017

  7. Freke, J.: Baksmali. https://github.com/JesusFreke/smali

  8. Fuchs, A.P., Chaudhuri, A., Foster, J.S.: SCanDroid: automated security certification of Android. University of Maryland, Technical report (2009)

  9. Google: Android intent documentation. https://developer.android.com/reference/android/content/Intent.html. Accessed May 2017

  10. Google: Dalvik bytecode documentation. https://source.android.com/devices/tech/dalvik/dalvik-bytecode. Accessed May 2017

  11. Gordon, M.I., Kim, D., Perkins, J.H., Gilham, L., Nguyen, N., Rinard, M.C.: Information flow analysis of Android applications in DroidSafe. In: NDSS (2015)

  12. Grech, N., Kastrinis, G., Smaragdakis, Y.: Efficient reflection string analysis via graph coloring. In: Millstein, T. (ed.) ECOOP, vol. 109, pp. 26:1–26:25 (2018)

  13. IBM: IBM Security AppScan Source. https://www-03.ibm.com/software/products/en/appscan. Accessed May 2017

  14. Klieber, W., Flynn, L., Bhosale, A., Jia, L., Bauer, L.: Android taint flow analysis for app sets. In: Proceedings of the 3rd ACM SIGPLAN International Workshop on the State of the Art in Java Program Analysis, pp. 1–6. ACM (2014)

  15. Li, L.: ApkCombiner. GitHub, December 2014. https://github.com/lilicoding/ApkCombiner

  16. Li, L., Bartel, A., Bissyandé, E.A.: IccTA: detecting inter-component privacy leaks in Android apps. In: Proceedings of the 37th International Conference on Software Engineering, vol. 1, pp. 280–291. IEEE Press (2015)

  17. Oberheide, J., Miller, C.: Dissecting the Android Bouncer. SummerCon 2012, New York (2012)

  18. Octeau, D., Luchaup, D., Dering, M., Jha, S., McDaniel, P.: Composite constant propagation: application to Android inter-component communication analysis. In: Proceedings of the 37th International Conference on Software Engineering, vol. ., pp. 77–88. IEEE Press (2015)

  19. Octeau, D., McDaniel, P., Jha, S., Bartel, A., Bodden, E., Klein, J., Le Traon, Y.: Effective inter-component communication mapping in Android with EPICC: an essential step towards holistic security analysis. In: Proceedings of the 22nd USENIX Security Symposium, pp. 543–558 (2013)

  20. Pauck, F., Bodden, E., Wehrheim, H.: Do Android taint analysis tools keep their promises? In: Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC/FSE 2018. ACM, New York (2018)

  21. Qiu, L., Wang, Y., Rubin, J.: Analyzing the analyzers: FlowDroid/IccTA, Amandroid, and DroidSafe. In: Proceedings of the 27th ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 176–186. ACM (2018)

  22. Wei, F., Roy, S., Ou, X., et al.: Amandroid: a precise and general inter-component data flow analysis framework for security vetting of Android apps. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 1329–1341. ACM (2014)

  23. Zhang, Z., Feng, X.: AndroidLeaker: a hybrid checker for collusive leak in Android applications. In: Larsen, K.G., Sokolsky, O., Wang, J. (eds.) SETTA 2017. LNCS, vol. 10606, pp. 164–180. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-69483-2_10


Acknowledgements

This work was partially supported by the German Federal Ministry of Education and Research (BMBF) through the project SmartPriv (16KIS0760) and the German Research Foundation (DFG) via the collaborative research center “Methods and Tools for Understanding and Controlling Privacy” (SFB 1223), project B02.

Author information

Corresponding author: Abhishek Tiwari.


Copyright information

© 2019 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper


Cite this paper

Tiwari, A., Groß, S., Hammer, C. (2019). IIFA: Modular Inter-app Intent Information Flow Analysis of Android Applications. In: Chen, S., Choo, KK., Fu, X., Lou, W., Mohaisen, A. (eds) Security and Privacy in Communication Networks. SecureComm 2019. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 305. Springer, Cham. https://doi.org/10.1007/978-3-030-37231-6_19


  • DOI: https://doi.org/10.1007/978-3-030-37231-6_19

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-37230-9

  • Online ISBN: 978-3-030-37231-6

  • eBook Packages: Computer Science (R0)
