Abstract
Intents are Android’s intra- and inter-application communication mechanism. They specify an action to perform, with extra data, and are sent to a receiver component or broadcast to many components. Components, in the same or in a distinct app, receive the intent if they are available to perform the desired action. Hence, a sound static analyzer must be aware of information flows through intents. That can be achieved by considering intents as both source (when reading) and sink (when writing) of confidential data. But this is overly conservative if the intent stays inside the same app or if the set of apps installed on the device is known in advance. In such cases, a sound approximation of the flow of intents leads to a more precise analysis. This work describes SDLI, a novel static analyzer that, for each app, creates an XML summary file reporting a description of the tainted information in outwards intents and of the intents the app is available to serve. SDLI discovers confidential information leaks when two apps communicate, by matching their XML summaries, looking for tainted outwards intents of the first app that can be inwards intents of the second app. The tool is implemented inside Julia, an industrial static analyzer. On the DroidBench test cases, its shows a precision higher than 75%. On some popular apps from the Google Play marketplace, it spots inter-apps leaks of confidential data, hence showing its practical effectiveness.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
This paper is a revised and extended version of [27].
- 2.
- 3.
Examples are from https://developer.android.com/guide/components/intents-filters.html, where the reader can find further details.
- 4.
- 5.
- 6.
The source code of all these apps can be found at https://github.com/secure-software-engineering/DroidBench/tree/master/eclipse-project/InterComponentCommunication,commit2521ba5a222d13fabdd75f94c9f2e646e346f868.
- 7.
- 8.
We removed three apps because both apktool and dex2jar crashed on them and we could not analyze them.
- 9.
- 10.
- 11.
- 12.
- 13.
- 14.
References
Andersen, L.O.: Program analysis and specialization for the C programming language. University of Copenhagen, DIKU (1994). Ph.D. thesis
Arzt, S., Rasthofer, S., Fritz, C., Bodden, E., Bartel, A., Klein, J., Le Traon, Y., Octeau, D., McDaniel, P.: FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. In: Proceedings of Programming Language Design and Implementation (PLDI), Edinburgh, UK, June 2014, p. 29 (2014)
Bartel, A., Klein, J., Le Traon, Y., Monperrus, M.: Dexpler: converting android Dalvik bytecode to jimple for static analysis with soot. In: Proceedings of State of the Art in Java Program Analysis (SOAP) (2012)
Bhandari, S., Jaballah, W.B., et al.: Android inter-app communication threats and detection techniques. Comput. Secur. 70, 392–421 (2017)
Bryant, R.: Symbolic Boolean manipulation with ordered binary-decision diagrams. ACM Comput. Surv. 24(3), 293–318 (1992)
Cortesi, A., Ferrara, P., Pistoia, M., Tripp, O.: Datacentric semantics for verification of privacy policy compliance by mobile applications. In: Verification, Model Checking, and Abstract Interpretation - 16th International Conference, VMCAI 2015, Mumbai, India, 12–14 January 2015, pp. 61–79 (2015)
Cortesi, A., Olliaro, M.: M-string segmentation: a refined abstract domain for string analysis in C programs. In: 2018 International Symposium on Theoretical Aspects of Software Engineering, TASE 2018, Guangzhou, China, 29–31 August 2018, pp. 1–8 (2018)
Cortesi, A., Ferrara, P., Halder, R., Zanioli, M.: Combining symbolic and numerical domains for information leakage analysis. In: Transactions on Computational Science 31. LNCS, vol. 10730, pp. 98–135 (2018)
Costantini, G., Ferrara, P., Cortesi, A.: A suite of abstract domains for static analysis of string values. Softw. Pract. Exp. 45(2), 245–287 (2015)
Cousot, P., Cousot, R.: Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: Proceedings of Principles of Programming Languages (POPL), pp. 238–252 (1977)
Enck, W., Gilbert, P., Han, S., Tendulkar, V., Chun, B.-G., Cox, L.P., Jung, J., McDaniel, P.D., Sheth, A.N.: TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. ACM Trans. Comput. Syst. 32(2), 5:1–5:29 (2014)
Ernst, M.D., Lovato, A., Macedonio, D., Spiridon, C., Spoto, F.: Boolean formulas for the static identification of injection attacks in java. In: Proceedings of logic for programming, artificial intelligence, and reasoning (LPAR-20), Suva, Fiji. LNCS, vol. 9450, pp. 130–145 (2015)
Ferrara, P., Cortesi, A., Spoto, F.: From cil to java bytecode: semantics-based translation for static analysis leveraging. Sci. Comput. Program. 191, (2020)
Ferrara, P., Mandal, A.K., Cortesi, A., Spoto, F.: Cross-programming language taint analysis for the iot ecosystem. In: ECEASST, vol. 77 (2019)
Halder, Raju: Cortesi, Agostino: Abstract interpretation of database query languages. Comput. Lang. Syst. Struct. 38(2), 123–157 (2012)
Jana, A., Halder, R., Kalahasti, A., Ganni, S., Cortesi, A.: Extending abstract interpretation to dependency analysis of database applications. IEEE Trans. Softw, Eng (2020)
Li, L., Bartel, A., Bissyandé, T.F., Klein, J., Le Traon, Y., Arzt, S., Rasthofer, S., Bodden, E., Octeau, D., McDaniel, P.D.: IccTA: detecting inter-component privacy leaks in android apps. In: Proceedings of the International Conference on Software Engineering (ICSE), Florence, Italy, pp. 280–291 (2015)
Livshits, B., Sridharan, M., Smaragdakis, Y., Lhoták, O., Amaral, J.N., Chang, B.E., Guyer, S.Z., Khedker, U.P., Møller, A., Vardoulakis, D.: In defense of soundiness: a manifesto. Commun. ACM 58(2), 44–46 (2015)
Mandal, A.K., Cortesi, A., Ferrara, P., Panarotto, F., Spoto, F.: Vulnerability analysis of android auto infotainment apps. In: Proceedings of the 15th ACM International Conference on Computing Frontiers, CF 2018, Ischia, Italy, 08–10 May 2018, pp. 183–190 (2018)
Mandal, A.K., Panarotto, F., Cortesi, A., Ferrara, P., Spoto, F.: Static analysis of android auto infotainment and on-board diagnostics II apps. Softw. Pract. Exp. 49(7), 1131–1161 (2019)
Octeau, D., Jha, S., McDaniel, P.D.: Retargeting android applications to java bytecode. In: Proceedings of Foundations of Software Engineering (FSE), Cary, NC, USA (2012)
Octeau, D., Luchaup, D., Jha, S., McDaniel, P.D.: Composite constant propagation and its application to android program analysis. IEEE Trans. Softw. Eng. 42(11), 999–1014 (2016)
Octeau, D., McDaniel, P.D., Jha, S., Bartel, A., Bodden, E., Klein, J., Le Traon, Y.: Effective inter-component communication mapping in android: an essential step towards holistic security analysis. In: Proceedings of USENIX Security, Washington, DC, USA, pp. 543–558 (2013)
Payet, É., Spoto, F.: Static analysis of android programs. Inf. Softw. Technol. 54(11), 1192–1201 (2012)
Rasthofer, S., Arzt, S., Bodden, E.: A Machine-learning approach for classifying and categorizing android sources and sinks. In: Proceedings of Network and Distributed System Security (NDSS), San Diego, California, USA (2014)
Sadeghi, A., Bagheri, H., Garcia, J., Malek, S.: A taxonomy and qualitative comparison of program analysis techniques for security assessment of android software. IEEE Trans. Softw. Eng. 43(6), 492–530 (2017)
Salvia, R., Ferrara, P., Spoto, F., Cortesi, A.: SDLI: static detection of leaks across intents. In: 17th IEEE International Conference on Trust, Security And Privacy, TrustCom2018, New York, NY, USA, 1–3 August 2018, pp. 1002–1007 (2018)
Spoto, F.: The Julia static analyzer for java. In: Proceedings of Static Analysis Symposium (SAS). Lecture Notes in Computer Science, vol. 9837, pp. 39–57, Edinburgh, UK (2016)
Vallée-Rai, R., Gagnon, E., Hendren, L.J., Lam, P., Pominville, P., Sundaresan, V.: Optimizing java bytecode using the soot framework: is it feasible? In: Proceedings of Compiler Contruction (CC), Berlin, Germany. Lecture Notes in Computer Science, vol. 1781, pp. 18–34 (2000)
Wei, F., Roy, S., Ou, X., Robby: Amandroid: a precise and general inter-component data flow analysis framework for security vetting of android apps. In: Proceedings of Computer and Communication Security (CCS), Scottsdale, AZ, USA, pp. 1329–1341 (2014)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 Springer Nature Singapore Pte Ltd.
About this chapter
Cite this chapter
Salvia, R., Cortesi, A., Ferrara, P., Spoto, F. (2021). Intents Analysis of Android Apps for Confidentiality Leakage Detection. In: Chaki, R., Cortesi, A., Saeed, K., Chaki, N. (eds) Advanced Computing and Systems for Security. Advances in Intelligent Systems and Computing, vol 1178. Springer, Singapore. https://doi.org/10.1007/978-981-15-5747-7_4
Download citation
DOI: https://doi.org/10.1007/978-981-15-5747-7_4
Published:
Publisher Name: Springer, Singapore
Print ISBN: 978-981-15-5746-0
Online ISBN: 978-981-15-5747-7
eBook Packages: Intelligent Technologies and RoboticsIntelligent Technologies and Robotics (R0)