DAPA: Degradation-Aware Privacy Analysis of Android Apps

  • Gianluca Barbon
  • Agostino Cortesi
  • Pietro Ferrara
  • Enrico Steffinlongo
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9871)

Abstract

When installing or executing an app on a smartphone, we grant it access to part of our (possibly confidential) data stored in the device. Traditional information-flow analyses aim to detect whether such information is leaked by the app to the external (untrusted) environment. The static analyser we present in this paper goes one step further. Its aim is to trace not only if information is possibly leaked (as this is almost always the case), but also how relevant such a leakage might become, as an under- and over-approximation of the actual degree of values degradation. The analysis captures both explicit dependences and implicit dependences, in an integrated approach. The analyser is built within the Abstract Interpretation framework on top of our previous work on datacentric semantics for verification of privacy policy compliance by mobile applications. Results of the experimental analysis on significant samples of the DroidBench library are also discussed.

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Gianluca Barbon (1)
  • Agostino Cortesi (2)
  • Pietro Ferrara (3)
  • Enrico Steffinlongo (2)

  1. Université Grenoble Alpes - Inria - LIG, Grenoble, France
  2. Università Ca’ Foscari, Venice, Italy
  3. Julia Srl, Verona, Italy
