ADS-SA: System for Automatically Detecting Sensitive Path of Android Applications Based on Static Analysis

  • Hong SongEmail author
  • Dandan Lin
  • Shuang Zhu
  • Weiping Wang
  • Shigeng Zhang
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 1122)


With the booming mobile Internet and Android App market, Android security issues have become increasingly prominent. As the main way for information disclosure in Android Apps, sensitive path has become an important part of Android security research. Aiming at the problem that static analysis cannot verify whether the sensitive path is triggered by reality, this paper proposes a system ADS-SA based on static analysis to automatically detect sensitive path. The system first constructs an Android component conversion diagram through data flow analysis, and then obtains an Android function call graph through control flow analysis. Secondly, the sensitive path backtracking algorithm is designed and used to obtain the sensitive path set. Finally, the automated testing framework, Appium, is used to trigger and verify the authenticity of the sensitive path set. The test results show that the ADS-SA can automatically detect more than 87% of sensitive paths at a low time cost with high reliability and effectiveness.


Android security Static analysis Sensitive path Automated trigger Automated detection 


  1. 1.
    CNCERT: Analysis of the proportion of domestic operating systems and browsers in the third quarter of 2018 [EB/OL], 21 November 2018. Accessed 16 Mar 2019
  2. 2.
    Rountev, A., Yan, D.: Static reference analysis for GUI objects in Android software. In: Proceedings of Annual IEEE/ACM International Symposium on Code Generation and Optimization, pp. 143–154. ACM (2014)Google Scholar
  3. 3.
    Yang, S., Yan, D., Wu, H., et al.: Static control-flow analysis of user-driven callbacks in Android applications. In: 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering, vol. 1, pp. 89–99. IEEE (2015)Google Scholar
  4. 4.
    Chen, X., Zhu, S.: DroidJust: automated functionality-aware privacy leakage analysis for Android applications. In: Proceedings of the 8th ACM Conference on Security & Privacy in Wireless and Mobile Networks, p. 5. ACM (2015)Google Scholar
  5. 5.
    Au, K.W.Y., Zhou, Y.F., Huang, Z., et al.: PScout: analyzing the Android permission specification. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 217–228. ACM (2012)Google Scholar
  6. 6.
    Bai, G., Ye, Q., Wu, Y., et al.: Towards model checking Android applications. IEEE Trans. Softw. Eng. 44(6), 595–612 (2018)CrossRefGoogle Scholar
  7. 7.
    Yang, Z., Yang, M., Zhang, Y., et al.: Appintent: analyzing sensitive data transmission in Android for privacy leakage detection. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, pp. 1043–1054. ACM (2013)Google Scholar
  8. 8.
    Onwuzurike, L., Almeida, M., Mariconti, E., et al.: A family of droids–Android malware detection via behavioral modeling: static vs dynamic analysis. arXiv preprint arXiv:1803.03448 (2018)
  9. 9.
    Su, T., Meng, G., Chen, Y., et al.: Guided, stochastic model-based GUI testing of Android apps. In: Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering, pp. 245–256. ACM (2017)Google Scholar
  10. 10.
    Sun, Y.S., Chen, C.-C., Hsiao, S.-W., Chen, M.C.: ANTSdroid: automatic malware family behaviour generation and analysis for Android apps. In: Susilo, W., Yang, G. (eds.) ACISP 2018. LNCS, vol. 10946, pp. 796–804. Springer, Cham (2018). Scholar
  11. 11.
    Zheng, M., Sun, M., Lui, J.C.S.: DroidTrace: a ptrace based Android dynamic analysis system with forward execution capability. In: 2014 International Wireless Communications and Mobile Computing Conference (IWCMC), pp. 128–133. IEEE (2014)Google Scholar
  12. 12.
    Kabakus, A.T., Dogru, I.A.: An in-depth analysis of Android malware using hybrid techniques. Digit. Invest. 24, 25–33 (2018)CrossRefGoogle Scholar
  13. 13.
    Hans, M.: Appium Essentials, pp. 19–29. Packt Publishing Ltd. (2015)Google Scholar
  14. 14.
    Choudhary, S.R., Gorla, A., Orso, A.: Automated test input generation for Android: are we there yet? In: 2015 30th IEEE/ACM International Conference on Automated Software Engineering (ASE), pp. 429–440. IEEE (2015)Google Scholar
  15. 15.
    Zhang, J., Qin, Z., Zhang, K., et al.: Dalvik opcode graph based Android malware variants detection using global topology features. IEEE Access 6, 51964–51974 (2018)CrossRefGoogle Scholar
  16. 16.
    Li, L., Bartel, A., Bissyandé, T.F., et al.: IccTa: detecting inter-component privacy leaks in Android apps. In: Proceedings of the 37th International Conference on Software Engineering, vol. 1, pp. 280–291. IEEE Press (2015)Google Scholar
  17. 17.
    Sun, C., Zhang, H., Qin, S., et al.: DexX: a double layer unpacking framework for Android. IEEE Access 6, 61267–61276 (2018)CrossRefGoogle Scholar
  18. 18.
    Adamo, D., Nurmuradov, D., Piparia, S., et al.: Combinatorial-based event sequence testing of Android applications. Inf. Softw. Technol. 99, 98–117 (2018)CrossRefGoogle Scholar
  19. 19.
    Wei, S., Wu, G., Luo, N., et al.: DroidBet: event-driven automatic detection of network behaviors for Android applications. J. Commun. 38(5), 84–95 (2017)Google Scholar
  20. 20.
    Garg, S.: Creating automation frameworks using Appium. In: Appium Recipes, pp. 101–127. Apress, Berkeley (2016)CrossRefGoogle Scholar

Copyright information

© Springer Nature Singapore Pte Ltd. 2019

Authors and Affiliations

  • Hong Song
    • 1
    Email author
  • Dandan Lin
    • 1
  • Shuang Zhu
    • 1
  • Weiping Wang
    • 1
  • Shigeng Zhang
    • 1
  1. 1.School of Computer Science and EngineeringCentral South UniversityChangshaChina

Personalised recommendations