MonkeyDroid: Detecting Unreasonable Privacy Leakages of Android Applications

  • Kai Ma
  • Mengyang Liu
  • Shanqing Guo
  • Tao Ban
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9491)


Static and dynamic taint-analysis approaches have been developed to detect the processing of sensitive information. Unfortunately, faced with the result of analysis about operations of sensitive information, people have no idea of which operation is legitimate operation and which is stealthy malicious behavior. In this paper, we present Monkeydroid to pinpoint automatically whether the android application would leak sensitive information of users by distinguishing the reasonable and unreasonable operation of sensitive information on the basis of information provided by developer and market provider. We evaluated Monkeydroid over the top 500 apps on the Google play and experiments show that our tool can effectively distinguish malicious operations of sensitive information from legitimate ones.


Android security Privacy leakage detection Static taint analysis Natural language processing 


This work is partially supported by National Natural Science Foundation of China (61173068, 61173139), Program for New Century Excellent Talents in University of the Ministry of Education, the Key Science Technology Project of Shandong Province (2014GGD01063), the Independent Innovation Foundation of Shandong Province(2014CGZH1106) and the Shandong Provincial Natural Science Foundation (ZR2014FM020, ZR2014FM031).


  1. 1.
  2. 2.
    Fuchs, A.P., Chaudhuri, A., Foster, J.S.: Scandroid: automated security certification of android applications. Manuscript, University of Maryland 2(3), (2009).
  3. 3.
    Gibler, C., Crussell, J., Erickson, J., Chen, H.: AndroidLeaks: automatically detecting potential privacy leaks in android applications on a large scale. In: Katzenbeisser, S., Weippl, E., Camp, L.J., Volkamer, M., Reiter, M., Zhang, X. (eds.) Trust 2012. LNCS, vol. 7344, pp. 291–307. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  4. 4.
    Lu, L., Li, Z., Wu, Z., et al.: Chex: statically vetting android apps for component hijacking vulnerabilities. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 229–240. ACM (2012)Google Scholar
  5. 5.
    Enck, W., Gilbert, P., Han, S., et al.: TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. ACM Trans. Comput. Syst. (TOCS) 32(2), 5 (2014)CrossRefGoogle Scholar
  6. 6.
    Rastogi, V., Chen, Y., Enck, W.: AppsPlayground: automatic security analysis of smartphone applications. In: Proceedings of the third ACM Conference on Data and Application Security and Privacy, pp. 209–220. ACM (2013)Google Scholar
  7. 7.
    Pandita, R., Xiao, X., Zhong, H., et al.: Inferring method specifications from natural language API descriptions. In: Proceedings of the 34th International Conference on Software Engineering, pp. 815–825. IEEE Press (2012)Google Scholar
  8. 8.
    Arzt, S., Rasthofer, S., Fritz, C., et al.: Flowdroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. ACM SIGPLAN Not. 49(6), 259–269 (2014). ACMCrossRefGoogle Scholar
  9. 9.
    Pandita, R., Xiao, X., Yang, W., et al.: WHYPER: towards automating risk assessment of mobile applications. In: USENIX Security 2013 (2013)Google Scholar
  10. 10.
    Rasthofer, S., Arzt, S., Bodden, E.: A machine-learning approach for classifying and categorizing android sources and sinks. In: 2014 Network and Distributed System Security Symposium (NDSS), February 2014, to appear.

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. 1.Department of Computer Science and TechnologyShandong UniversityJinanChina
  2. 2.NICTTokyoJapan

Personalised recommendations