research-article

Amandroid: A Precise and General Inter-component Data Flow Analysis Framework for Security Vetting of Android Apps

Authors:

RobbyAuthors Info & Claims

CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security

Pages 1329 - 1341

https://doi.org/10.1145/2660267.2660357

Published: 03 November 2014 Publication History

Abstract

We propose a new approach to conduct static analysis for security vetting of Android apps, and built a general framework, called Amandroid for determining points-to information for all objects in an Android app in a flow- and context-sensitive way across Android apps components. We show that: (a) this type of comprehensive analysis is completely feasible in terms of computing resources needed with modern hardware, (b) one can easily leverage the results from this general analysis to build various types of specialized security analyses -- in many cases the amount of additional coding needed is around 100 lines of code, and (c) the result of those specialized analyses leveraging Amandroid is at least on par and often exceeds prior works designed for the specific problems, which we demonstrate by comparing Amandroid's results with those of prior works whenever we can obtain the executable of those tools. Since Amandroid's analysis directly handles inter-component control and data flows, it can be used to address security problems that result from interactions among multiple components from either the same or different apps. Amandroid's analysis is sound in that it can provide assurance of the absence of the specified security problems in an app with well-specified and reasonable assumptions on Android runtime system and its library.

References

[1]

Android documentation: Activity. http://developer.android.com/reference/android/app/Activity.html.

[2]

Android documentation: Intent and Intent Filter.http://developer.android.com/guide/components/intents-filters.html.

[3]

Google Bouncer. http://googlemobile.blogspot.com/2012/02/android-and-security.html.

[4]

WALA documentation: CallGraph. http://wala.sourceforge.net/wiki/index.php/UserGuide:CallGraph.

[5]

A. W. Appel. Modern Compiler Implementation in Java. Cambridge University Press, 1998.

Digital Library

[6]

S. Arzt, S. Rasthofer, C. Fritz, E. Bodden, A. Bartel, J. Klein, Y. l. Traon, D. Octeau, and P. McDaniel. FlowDroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps. In Proceedings of the ACM PLDI, 2014.

Digital Library

[7]

K. W. Y. Au, Y. F. Zhou, Z. Huang, and D. Lie. PScout: Analyzing the Android permission specification. In Proceedings of the ACM CCS, 2012. 1339

Digital Library

[8]

E. Chin, A. P. Felt, K. Greenwood, and D. Wagner. Analyzing inter-application communication in Android. In Proceedings of the ACM Mobisys, 2011.

Digital Library

[9]

M. Conti, B. Crispo, E. Fernandes, and Y. Zhauniarovich. CRePE: A system for enforcing ne-grained context-related policies on Android. Information Forensics and Security, IEEE Transactions on, 7(5):1426{1438, 2012.

[10]

M. B. Dwyer, J. Hatcli, M. Hoosier, V. Ranganath, Robby, and T. Wallentine. Evaluating the effectiveness of slicing for model reduction of concurrent object-oriented programs. In Proceedings of the TACAS, 2006.

Digital Library

[11]

M. Egele, D. Brumley, Y. Fratantonio, and C. Kruegel. An empirical study of cryptographic misuse in Android applications. In Proceedings of the ACM CCS, 2013.

Digital Library

[12]

W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. Sheth. TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones. In Proceedings of the USENIX OSDI, 2010.

Digital Library

[13]

ENISA. Smartphone secure development guidelines. http://www.enisa.europa.eu/activities/Resilience-and- CIIP/critical-applications/smartphone-security- 1/smartphone-secure-development-guidelines, 2011.

[14]

S. Fahl, M. Harbach, T. Muders, L. Baumgartner, B. Freisleben, and M. Smith. Why Eve and Mallory love Android: An analysis of Android SSL (in) security. In Proceedings of the ACM CCS, 2012.

Digital Library

[15]

A. P. Felt, M. Finifter, E. Chin, S. Hanna, and D. Wagner. A survey of mobile malware in the wild. In Proceedings of the ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, 2011.

Digital Library

[16]

S. Fink and J. Dolby. WALA{The TJ Watson Libraries for Analysis. http://wala.sf.net/, 2012.

[17]

C. Fritz, S. Arzt, S. Rasthofer, E. Bodden, A. Bartel, J. Klein, Y. le Traon, D. Octeau, and P. McDaniel. Highly precise taint analysis for Android application. Technical report, EC SPRIDE, 2013.

[18]

C. Gibler, J. Crussell, J. Erickson, and H. Chen. AndroidLeaks: Automatically detecting potential privacy leaks in Android applications on a large scale. In Proceedings of the International Conference on Trust and Trustworthy Computing, 2012.

Digital Library

[19]

M. Grace, Y. Zhou, Z. Wang, and X. Jiang. Systematic detection of capability leaks in stock Android smartphones. In Proceedings of the NDSS, 2012.

[20]

M. C. Grace, W. Zhou, X. Jiang, and A. R. Sadeghi. Unsafe exposure analysis of mobile in-app advertisements. In Proceedings of the ACM Conference on Security and Privacy in Wireless and Mobile Networks, 2012.

Digital Library

[21]

D. Hardt. The OAuth 2.0 authorization framework. 2012.

[22]

O. Lhot--ak and L. Hendren. Scaling Java points-to analysis using Spark. In Proceedings of the Compiler Construction, 2003.

Digital Library

[23]

L. Lu, Z. Li, Z. Wu, W. Lee, and G. Jiang. CHEX: Statically vetting Android apps for component hijacking vulnerabilities. In Proceedings of the ACM CCS, 2012.

Digital Library

[24]

F. Nielson, H. R. Nielson, and C. Hankin. Principles of program analysis. Springer, 1999.

Digital Library

[25]

D. Octeau, P. McDaniel, S. Jha, A. Bartel, E. Bodden, J. Klein, and Y. Le Traon. Effective inter-component communication mapping in Android with Epicc: An essential step towards holistic security analysis. In Proceedings of the USENIX Security Symposium, 2013.

Digital Library

[26]

M. Ongtang, S. McLaughlin, W. Enck, and P. McDaniel. Semantically rich application-centric security in Android. Security and Communication Networks, 5(6):658--673, 2012.

Digital Library

[27]

N. J. Percoco and S. Schulte. Adventures in Bouncerland. Black Hat USA, 2012.

[28]

T. Reps, S. Horwitz, and M. Sagiv. Precise interprocedural data flow analysis via graph reachability. In Proceedings of the ACM Symposium on Principles of Programming Languages, 1995.

Digital Library

[29]

M. Sagiv, T. Reps, and S. Horwitz. Precise interprocedural data flow analysis with applications to constant propagation. Theoretical Computer Science, 167(1):131--170, 1996.

Digital Library

[30]

S. Smalley and R. Craig. Security enhanced (SE) Android: Bringing flexible MAC to Android. In Proceedings of the NDSS, 2013.

[31]

D. Sounthiraraj, J. Sahs, G. Greenwood, Z. Lin, and L. Khan. SMV-HUNTER: Large scale, automated detection of SSL/TLS man-in-the-middle vulnerabilities in Android apps. In Proceedings of the NDSS, 2014.

[32]

R. Vallee-Rai, E. Gagnon, L. Hendren, P. Lam, P. Pominville, and V. Sundaresan. Optimizing Java bytecode using the Soot framework: Is it feasible? In Proceedings of the Compiler Construction, 2000.

Digital Library

[33]

N. Viennot, E. Garcia, and J. Nieh. A measurement study of Google Play. In Proceedings of the ACM SIGMETRICS, 2014.

Digital Library

[34]

R. Wang, L. Xing, X. Wang, and S. Chen. Unauthorized origin crossing on mobile platforms: Threats and mitigation. In Proceedings of the 2013 ACM CCS, 2013.

Digital Library

[35]

R. Xu, H. Saïdi, and R. Anderson. Aurasium: Practical policy enforcement for Android applications. In Proceedings of the USENIX Security Symposium, 2012.

Digital Library

[36]

Y. Zhou and X. Jiang. Dissecting Android malware: Characterization and evolution. In Proceedings of the IEEE SP, 2012.

Digital Library

[37]

Y. Zhou, Z. Wang, W. Zhou, and X. Jiang. Hey, you, get off of my market: Detecting malicious apps in official and alternative Android markets. In Proceedings of the NDSS, 2012.

Cited By

Hu YKuang WZhe JLi WLi KZhang JHu Q(2024)SIAT: A systematic inter-component communication real-time analysis technique for detecting data leak threats on AndroidJournal of Computer Security10.3233/JCS-22004432:3(291-317)Online publication date: 17-Jun-2024
https://doi.org/10.3233/JCS-220044
Li HShi CLu JLi LXue J(2024)Boosting the Performance of Alias-Aware IFDS Analysis with CFL-Based Environment TransformersProceedings of the ACM on Programming Languages10.1145/36898048:OOPSLA2(2633-2661)Online publication date: 8-Oct-2024
https://dl.acm.org/doi/10.1145/3689804
Samhi JJust RBissyandé TErnst MKlein JChristakis MPradel M(2024)Call Graph Soundness in Android Static AnalysisProceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis10.1145/3650212.3680333(945-957)Online publication date: 11-Sep-2024
https://dl.acm.org/doi/10.1145/3650212.3680333
Show More Cited By

Index Terms

Amandroid: A Precise and General Inter-component Data Flow Analysis Framework for Security Vetting of Android Apps
1. General and reference
  1. Cross-computing tools and techniques
    1. Validation
2. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Empirical software validation
      2. Process validation

Recommendations

Amandroid: A Precise and General Inter-component Data Flow Analysis Framework for Security Vetting of Android Apps

We present a new approach to static analysis for security vetting of Android apps and a general framework called Amandroid. Amandroid determines points-to information for all objects in an Android app component in a flow and context-sensitive (user-...
Poster: Android Whole-System Control Flow Analysis for Accurate Application Behavior Modeling
MobiSys '16 Companion: Proceedings of the 14th Annual International Conference on Mobile Systems, Applications, and Services Companion

Android, the modern operating system for smartphones, together with its millions of apps, has become an important part of human life. There are many challenges to analyzing them. It is important to model the mobile systems in order to analyze the ...
Adoption of third-party libraries in mobile apps: a case study on open-source Android applications
MOBILESoft '22: Proceedings of the 9th IEEE/ACM International Conference on Mobile Software Engineering and Systems

Third-party libraries are frequently adopted in open-source Android applications (apps). These libraries are essential to the Android app development ecosystem as they often provide vital functionality that would take significant development time to ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security

November 2014

1592 pages

ISBN:9781450329576

DOI:10.1145/2660267

General Chair:
Gail-Joon Ahn
Arizona State University, USA
,
Program Chairs:
Moti Yung
Google -- Columbia University, USA
,
Ninghui Li
Purdue University, USA

Copyright © 2014 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 03 November 2014

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Conference

CCS'14

Sponsor:

SIGSAC

CCS'14: 2014 ACM SIGSAC Conference on Computer and Communications Security

November 3 - 7, 2014

Arizona, Scottsdale, USA

Acceptance Rates

CCS '14 Paper Acceptance Rate 114 of 585 submissions, 19%;

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

305
Total Citations
View Citations
2,081
Total Downloads

Downloads (Last 12 months)30
Downloads (Last 6 weeks)3

Reflects downloads up to 27 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Hu YKuang WZhe JLi WLi KZhang JHu Q(2024)SIAT: A systematic inter-component communication real-time analysis technique for detecting data leak threats on AndroidJournal of Computer Security10.3233/JCS-22004432:3(291-317)Online publication date: 17-Jun-2024
https://doi.org/10.3233/JCS-220044
Li HShi CLu JLi LXue J(2024)Boosting the Performance of Alias-Aware IFDS Analysis with CFL-Based Environment TransformersProceedings of the ACM on Programming Languages10.1145/36898048:OOPSLA2(2633-2661)Online publication date: 8-Oct-2024
https://dl.acm.org/doi/10.1145/3689804
Samhi JJust RBissyandé TErnst MKlein JChristakis MPradel M(2024)Call Graph Soundness in Android Static AnalysisProceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis10.1145/3650212.3680333(945-957)Online publication date: 11-Sep-2024
https://dl.acm.org/doi/10.1145/3650212.3680333
Ren PZuo CLiu XDiao WZhao QGuo SRoychoudhury APaiva AAbreu RStorey M(2024)DEMISTIFY: Identifying On-device Machine Learning Models Stealing and Reuse Vulnerabilities in Mobile AppsProceedings of the IEEE/ACM 46th International Conference on Software Engineering10.1145/3597503.3623325(1-13)Online publication date: 20-May-2024
https://dl.acm.org/doi/10.1145/3597503.3623325
Alecci MSamhi JLi LBissyandé TKlein J(2024)Improving Logic Bomb Identification in Android Apps via Context-Aware Anomaly DetectionIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2024.3358979(1-18)Online publication date: 2024
https://doi.org/10.1109/TDSC.2024.3358979
Yeke DIbrahim MTuncay GFarrukh HImran ABianchi ACelik Z(2024)Wear’s my Data? Understanding the Cross-Device Runtime Permission Model in Wearables2024 IEEE Symposium on Security and Privacy (SP)10.1109/SP54263.2024.00077(2404-2421)Online publication date: 19-May-2024
https://doi.org/10.1109/SP54263.2024.00077
Cao JGuo FQu Y(2024)JNFuzz-Droid: A Lightweight Fuzzing and Taint Analysis Framework for Android Native Code2024 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)10.1109/SANER60148.2024.00033(255-266)Online publication date: 12-Mar-2024
https://doi.org/10.1109/SANER60148.2024.00033
Zhang ZMa HWu DGao DYi XChen YWu YJiang L(2024)MtdScout: Complementing the Identification of Insecure Methods in Android Apps via Source-to-Bytecode Signature Generation and Tree-based Layered Search2024 IEEE 9th European Symposium on Security and Privacy (EuroS&P)10.1109/EuroSP60621.2024.00045(724-740)Online publication date: 8-Jul-2024
https://doi.org/10.1109/EuroSP60621.2024.00045
Li HLu JMeng HCao LLi LGao LGrosser TDubach CSteuwer MXue JOttoni GQuintão Pereira F(2024)Boosting the Performance of Multi-Solver IFDS Algorithms with Flow-Sensitivity OptimizationsProceedings of the 2024 IEEE/ACM International Symposium on Code Generation and Optimization10.1109/CGO57630.2024.10444884(296-307)Online publication date: 2-Mar-2024
https://dl.acm.org/doi/10.1109/CGO57630.2024.10444884
Zhang HLiu DLiu XMa LWang RZhang FSun LZhao F(2024)A Multidimensional Detection Model of Android Malicious Applications Based on Dynamic and Static AnalysisProceedings of the 13th International Conference on Computer Engineering and Networks10.1007/978-981-99-9247-8_2(11-21)Online publication date: 4-Jan-2024
https://doi.org/10.1007/978-981-99-9247-8_2
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten