Shake Them All is a popular "Wallpaper" application with millions of downloads on Google Play. At installation, this application is granted permission to (1) access the Internet (to update wallpapers) and (2) use the device microphone (to change the background as ambient noise changes). With these permissions, the application could silently record user conversations and upload them to a remote server. To gain confidence about how Shake Them All actually processes what it records, it is necessary to build a precise analysis tool that tracks the flow of any sensitive data from its source point to any sink, especially when source and sink lie in different components.
Since Android applications may leak private data carelessly or maliciously, we propose IccTA, a static taint analyzer that detects privacy leaks among components in Android applications. IccTA goes beyond state-of-the-art approaches by supporting inter-component detection. By propagating context information among components, IccTA improves the precision of the analysis. IccTA outperforms existing tools on two benchmarks for ICC-leak detectors: DroidBench and ICC-Bench. Moreover, our approach detects 534 ICC leaks in 108 apps from MalGenome and 2,395 ICC leaks in 337 apps from a set of 15,000 Google Play apps.
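The inter-component leak the abstract describes, as an added illustration that is not IccTA's own code: a toy static taint analysis over a constructed model of two components, where the recording component puts microphone data into an Intent extra and a second component, resolved through its intent filter, reads the extra and writes it to a network sink. Component names, statement shapes and API names are constructed for this example; analysing each component alone reports nothing, while linking the ICC edge the way IccTA does exposes the leak.

```python
# Constructed two-component model (not IccTA code).  Statement shapes:
#   ("source", dst, api)  ("assign", dst, src)  ("putExtra", intent, key, src)
#   ("startActivity", intent, action)  ("getExtra", dst, key)  ("sink", src, api)
COMPONENTS = {
    "RecorderActivity": {"filter": None, "stmts": [
        ("source", "audio", "AudioRecord.read"),
        ("assign", "payload", "audio"),
        ("putExtra", "i", "data", "payload"),
        ("startActivity", "i", "com.example.UPLOAD"),
    ]},
    "UploadActivity": {"filter": "com.example.UPLOAD", "stmts": [
        ("getExtra", "buf", "data"),
        ("sink", "buf", "HttpURLConnection.getOutputStream"),
    ]},
}


def analyze(components, link_icc):
    """Return sorted leaks (src_component, src_api, sink_component, sink_api).

    link_icc=False analyses each component in isolation; link_icc=True also
    carries tainted Intent extras from every startActivity to the component
    whose intent filter matches the action (the inter-component link).
    """
    leaks = set()
    delivered = {c: {} for c in components}  # receiver -> extra key -> origins
    while True:
        size = len(leaks) + sum(len(o) for d in delivered.values() for o in d.values())
        for name, comp in components.items():
            taint, extras = {}, {}  # var -> origins; intent var -> {key: origins}
            for s in comp["stmts"]:
                if s[0] == "source":
                    taint[s[1]] = {(name, s[2])}
                elif s[0] == "assign":
                    taint[s[1]] = set(taint.get(s[2], ()))
                elif s[0] == "putExtra":
                    extras.setdefault(s[1], {})[s[2]] = set(taint.get(s[3], ()))
                elif s[0] == "startActivity" and link_icc:
                    for rname, rcomp in components.items():  # resolve the ICC edge
                        if rcomp["filter"] == s[2]:
                            for key, origins in extras.get(s[1], {}).items():
                                delivered[rname].setdefault(key, set()).update(origins)
                elif s[0] == "getExtra":
                    taint[s[1]] = set(delivered[name].get(s[2], ()))
                elif s[0] == "sink":
                    for src_comp, src_api in taint.get(s[1], ()):
                        leaks.add((src_comp, src_api, name, s[2]))
        if len(leaks) + sum(len(o) for d in delivered.values() for o in d.values()) == size:
            return sorted(leaks)  # fixpoint: no new delivered taint and no new leak
```

The fixpoint loop matters because the receiving component may be listed before the sender; taint sets only grow, so the size check terminates once an iteration adds nothing.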
Disciplines :
Computer science
Author, co-author :
Li, Li ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
BARTEL, Alexandre ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
Klein, Jacques ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)
Le Traon, Yves ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)
Arzt, Steven; TU Darmstadt
Rasthofer, Siegfried; TU Darmstadt
Bodden, Eric; TU Darmstadt
Octeau, Damien; Pennsylvania State University
McDaniel, Patrick; Pennsylvania State University
Language :
English
Title :
IccTA: Detecting Inter-Component Privacy Leaks in Android Apps
Publication date :
2015
Event name :
2015 IEEE/ACM 37th IEEE International Conference on Software Engineering (ICSE 2015)
Event date :
from 16-05-2015 to 24-05-2015
Audience :
International
Main work title :
2015 IEEE/ACM 37th IEEE International Conference on Software Engineering (ICSE 2015)