*droid: Assessment and Evaluation of Android Application Analysis Tools

Published: 21 October 2016

Abstract

The security research community has invested significant effort in improving the security of Android applications over the past half decade. This effort has addressed a wide range of problems and resulted in the creation of many tools for application analysis. In this article, we perform the first systematization of Android security research that analyzes applications, characterizing the work published in more than 17 top venues since 2010. We categorize each paper by the types of problems they solve, highlight areas that have received the most attention, and note whether tools were ever publicly released for each effort. Of the released tools, we then evaluate a representative sample to determine how well application developers can apply the results of our community’s efforts to improve their products. We find not only that significant work remains to be done in terms of research coverage but also that the tools suffer from significant issues ranging from lack of maintenance to the inability to produce functional output for applications with known vulnerabilities. We close by offering suggestions on how the community can more successfully move forward.

Published In

ACM Computing Surveys  Volume 49, Issue 3
September 2017
658 pages
ISSN:0360-0300
EISSN:1557-7341
DOI:10.1145/2988524
  • Editor: Sartaj Sahni
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 21 October 2016
Accepted: 01 August 2016
Revised: 01 August 2016
Received: 01 March 2016
Published in CSUR Volume 49, Issue 3

Author Tags

  1. Android
  2. application security
  3. program analysis

Qualifiers

  • Survey
  • Research
  • Refereed

Cited By

  • (2024) Evaluating the Reusability of Android Static Analysis Tools. Reuse and Software Quality, 153-170. DOI: 10.1007/978-3-031-66459-5_10. Online publication date: 19-Jun-2024.
  • (2023) Assessing Security, Privacy, User Interaction, and Accessibility Features in Popular E-Payment Applications. Proceedings of the 2023 European Symposium on Usable Security, 143-157. DOI: 10.1145/3617072.3617102. Online publication date: 16-Oct-2023.
  • (2023) Execution Recording and Reconstruction for Detecting Information Flows in Android Apps. IEEE Access 11, 10730-10750. DOI: 10.1109/ACCESS.2023.3240724. Online publication date: 2023.
  • (2022) Analyzing Android Taint Analysis Tools: FlowDroid, Amandroid, and DroidSafe. IEEE Transactions on Software Engineering 48:10, 4014-4040. DOI: 10.1109/TSE.2021.3109563. Online publication date: 1-Oct-2022.
  • (2022) AppDNA: Profiling App Behavior via Deep-Learning Function Call Graphs. IEEE Transactions on Emerging Topics in Computing 10:1, 414-427. DOI: 10.1109/TETC.2020.3026335. Online publication date: 1-Jan-2022.
  • (2022) How far are German companies in improving security through static program analysis tools? 2022 IEEE Secure Development Conference (SecDev), 7-15. DOI: 10.1109/SecDev53368.2022.00015. Online publication date: Oct-2022.
  • (2022) Plug and Analyze: Usable Dynamic Taint Tracker for Android Apps. 2022 IEEE 22nd International Working Conference on Source Code Analysis and Manipulation (SCAM), 24-34. DOI: 10.1109/SCAM55253.2022.00008. Online publication date: Oct-2022.
  • (2022) Formal model for inter-component communication and its security in android. Computing 104:8, 1839-1865. DOI: 10.1007/s00607-022-01069-2. Online publication date: 1-Aug-2022.
  • (2022) A model-based framework for inter-app Vulnerability analysis of Android applications. Software: Practice and Experience 53:4, 895-936. DOI: 10.1002/spe.3171. Online publication date: 23-Nov-2022.
  • (2021) Forensic Analysis of Social Networking Applications on an Android Smartphone. Wireless Communications & Mobile Computing 2021. DOI: 10.1155/2021/5567592. Online publication date: 1-Jan-2021.