翻译以原文和在同一文件中前

作者：StevenArzt,SiegfriedRasthofer,ChristianFritz,EricBoddenECSPRIDEAlexandreBar ,JacquesKlein,andYvesLeTraonDamienOcteau,Patrick在这项工作中我们特意介绍FLOWDROID，一个新颖的和高精确度的AndroidAndroid的生命周期模型允许Android框架调用的回调,而上下文,流,领域和对象敏感性允许分析行为能减少错报。新奇的灵活算法帮助FLOWDROID能够同时保持高我们也提出DROIDBENCH,一个开放的测试套件来评估污点分析工具对Android应用程序的有效性和准确性。正如我们展示的通过一组利用DROIDBENCHSecuriBenchMicro做的实验,还有一组知名的安卓测试应用程序,FLOWDROID在检测数据的泄漏,同时保持低误报率方面获得了一个极高的超过了商业工具IBMAppScanSource和FortifySCA所达到的成绩。FLOWDROID从y的500个应用程序的子集中发现了数据，还Share项目中发现了约1000个软件的应用根据最近的一项研究[9],nroid在市场占有的市场份额持续增长,现在已经达到了81%。随着安卓变得无处不在,它们成为一个用户的隐私Fltta.的Anroid软件进行分类[1],发现最主要的一个,的Adroid应用程序泄漏敏感信息如置信息,联系人数据、、等给者。但即使不是的应用程序，即使编写很规范化也可能存在这种泄漏,例如当它们包含库的时候[16]多用程序开发人员将这些库一起打包进程序以为他们的努力获得一些报酬,但很少人完全理解这样做对隐私的影响,他们也没有能够完全控制这些库函数的过程。公共库提取私人信息,以此来识别一个人的唯一标识符(如IME,污染分析通过分析应用程序还有显示潜在的数据流或通过自动化检测工具,然后可以决定是否构成隐私数据。这些方法通过应用程序从一个然后数据流直到它到达一个给定的污点坑（例如一个方法书写信息到套接们需要从程序抽象输入和粗略估计运行时对象。精确的建模运行时执行对Android应用程序来说特别具有性,这些应用程序都不是独立的应用程序,但地预测应用的控制流,静态分析不仅要模拟生命周期,还必须为系统（例如，GPS传感器）的处理，用户接口等集成化作进一步的回调。我们在这项工源如用户界面上输入字段的文本框。相应的API根据单独的程序代码调用返回对应的内容不能被检测到。相反,它们的检测需要在（manifest）和布局（Layout）XML文件中附加信息的模型。最后还要提一点就是,就像任何用Java编写的应用程序一样,Android应用程序也包含别名和虚拟调度结构。一些典型的Java静态分析机制通过类似于上下文和对象敏感程度处理这些问题。Android框架的本质导致这个问题比往常更加,因为我们发现它显示出非常深的的关系。在这项工作中,FLOWDROID,Android平台的静态污点分析系统,并基于新颖的随需应变的算法,这带来了很高的精度同时保持可接受的性能。FLOWDROID分析应用程序的字节码和配置文件来找到持可接受的性能,FLOWDROID使用精确的随需应变的别名分析。这个分析算法启发于Andromeda[37]但提高了Andromeda的各方面精度。FLOWDROID可用于安全的内部开发的Android应用程序以及协助AndroidSecuriBenchMicro,DROIDBENCH名的包含数据泄漏的应用程序显示,FLOWDROID在寻找数据泄漏获得非常高的分数,DROIDBENCH1.0,FLOWDROID93%的[一步的实验与实际应用将在实践中证实FLOWDROID的效用。FLOWDROID,一个精确的专门针对Android平台的静态污点分析系统,并基一系列的实验证明FLOWDROID的率和精确度大大优于商业工具AppScanSourceFortifyFLOWDROID从y的500个应用程序的子集中发现了数据 Android安全性的必要背景。第三节解释了FLOWDROID安卓系统生命周期模型而第四节提供了实际的污点的重要细节分析。在第五节中,讨论了实现细节和限制,而第六节评估我们先给一个激励的例子,然后解释者有关的工设模型。1中的示例(一个真实的软件[42]程序抽象出的)实现了一个Activity,它是一个Android屏幕的用户界面。应用程序从文本框文本字段(第5行)每当构架重新启动应用程序,当用户单击一个按钮时就通过发送(第24行)。这就构成了一个从字段(源)到API(底)的受污染的数据源。在这个例子时触发。在Android中,器是直接在代码或布局的XML文件中定义的。因此,这段代码中泄漏如果只发生在onRestart()(初始化用户变量)在sendMessage()执行之前被调用。为了避免漏报,污点分析必须正确模拟应用程序生命周期,认识到为了避免误报,分析这个例子必须包含敏感字段:用户对象包含用户名和像字符串连接一类的操作(19行)需要一个定义数据流是否以及如何通过这者模型FLOWDROID可以用来检测数据流,不管是由粗心大意引起的还是具有的意图。在具有的情况下,我们假设以下的者模型。者可以用任意提供一个具有Dalvik字节码的应用程序。通常,者的目标是通过用户[4]授予的广泛权限来泄漏私有数据。FLOWDROID彻底的假设在安装环境和应用程序输入下,者是可以随意篡改的。不论如何FLOWDROID假设者无避Android平台的安全措施或其它支持的通道。我们进一步假设者不使用隐式流[20]数据泄漏。鉴于目前可用的软件,这是一个非常合理的假设。我们在下面解释FLOWDROID的生命周期精确建模，包括点和异步执多 与Java程序不同,Android应用程序没有一个主方法。应用序反而包含许多点,即：由Android框架调的用隐式的方法。Android操作系同种的组件:Activity是单独关注用户操作，Service执行任务，Content提供方法启动或停止组件,暂停或恢复它。例如,它可以根据内存消耗停止应用程序,后来当用户返回时再重启它[17]。这导致当构造调用图时,Android分析不能简单能的转换都必须精确建模。为了应对这个问题,FLOWDROID构造一个自定义虚拟主方法模拟生命周期。在之后的文章中解释如何构建这个方法。异步执行组 初可见的,然后根据用户输入启动其它活动之一。服务作为任务并行运行。Flowdroid模型假设所有组件(活动,服务等)在一个应用程序执行可以任意的顺序运行(包括重复的)。一些静态分析是路径敏感,即：分别考虑每个可能的程序路径。在这样的情况下,考虑所有可能的排列次序会非常浪费。FLOWDROID以的分析框架。FLOWDROID可以生成并有效地分析一个虚拟的主要方法以及每回调函数Android操作系统允许应用程序回调函数的各种类型的信例如识别这一种情况应用程序的位置数据传递到框架给回调函数作为一个测,这就是为什么FLOWDROID假设所有的回调函数可以以任何可能的顺序被调用。然而,回调函数只能发生在父组件(如活动)正在运行时。为了更加精确，FLOWDROID因此必须联系各个组件(活动、服务等)与他们的回调。例如,Android平台有两种不同的方法来回调函数的处理程序。首先,一个活动统方法。FLOWDROID支持这两种方式。此外,对于软件，者通过码。FLOWDROID承认这样的重写方法,类似于正常回调处理如单击按钮的在应用程序代码中寻找的回调函数,FLOWDROID首先计算每个组件调用图,从实现各自组件类的生命周期方法(onStop()，onCreate()等)开始。扫描图使用一个众所周知的回调接口作为一个正式的参数类型来扫描Android系统调用间。一旦虚拟主要方法成功构造,FLOWDROID计算最后一个使用这种方法的调用图作为应用程序的点。XML文件中定义的回调函数,XML文件分别使用各自的布局的唯一有效的活动。FLOWDROID分析每个活动,XML文件中过的，然后使用这些信息来创建映射。一个分析的主要是如何实现高的对象灵敏度来效地解决现象。图（一个真实案例的抽象）FLOWDROID结合向前的污点分析和按需向后的象x.f。第二步仍在做w和x.f的污点。最重要的是第三步：每当一个堆对名b.f被发现作为一个普通的污点向前。无论向前还是向后都要分析使用的路径。一个路径是从x.f.g简单的局部变量或参数,例如,x在FLOWDROID,隐式地描述了路径的对象调用转换路径用实际的调用的上下文参数正式取代;包括返回值存在的方法每当污染值分配给一个堆地址比如一个字段或一个数组,FLOWDROID向后，FLOWDROI名直到找到第9行的out.f。在这时候，从这里启动一个新的向前的污点传播，最终发现在11行。向后的分析寻找也将继续向后分析，然而在主函数中发现别名p.f，然后根据第4行的第二个污点数据流开始向前分析。 算法1和算法2显示了向前和向后分析处理器的主要循环这个算法表示假设读写器和原始的ＩＦＤＳ算法［３２］很相似会变成污点。特别是分析不应该报出在第6行的，因为它相应的taintIt-call只是字符串“public。3显示了一个简单实现如何会导致这样的误报,FLOWDROID如何从IFDS框架下熟悉的典型流功能符号。这里的黑色节点代表数据流实际之前/之后各自的而黑色和红色的边代表数据流。0是同义反复的现象且总是真实的,x.fx.f的任务时,向前分析会产生产生向后的别名分析实例,显0x.f（虚线）它。这个实现,虽然简单,而且不精确，而别名x.f无论如何都是被污染的。在列表2中,这可能导致分析p2.f时错误报告。正确的方式是向后注入到分析的背景下提出:FLOWDROID查找x.f的“路径”,IFDS算法作为一个附加的计算总结。然后整个边缘注入到向后的解算器(参见算法1,16行)上下文注入两种方式。流敏感AndromedaFLOWDROID这种随需别名分析的sink。实际上，FLOWDROID也有我们上面描述分析的同样问题：在第都报告p2.f是。FLOWDROIDSoot框架，一个精确分析的重要先决条件。尤其是中架构4FLOWDROID的架构。Androidapk周期中搜索回调方法以及调用的源和底。接下来,FLOWDROID从列表的生命周期和回调方法生成虚拟主要方法。FLOWDROID上有具体的可用的源和底的列表。最后,FLOWDROID汇报所有发现的从源到底的流。本地调用Java和Android平台支持调用用C一个合理的默认值调用参数和返回值如果至少一个参数是被污染的。这样子虽局限FLOWDROID静态分析工具一样具有一些固有的局限性。比如，FLOWDROID只有当它们的FLOWDROID也忽略多线程:它给未来工作的一个很大的。我们介绍了一个面向Android应用程序的高度精准的静态污点分析工具FLOWDROID。不同于以往的方法,FLOWDROIDandroid的应用程序FLOWDROID保证效率的同时还有强劲的上下文和对象敏感性。为了更加有效地评估这一分析工具，我们采用了DROOID组件并与商业软件的查找精确度和86%的率，大大高于其他两个软件。[1]share,aug2013. IBMRationalAppScan,Apr.2013.htt Fortify360SourceCodeyzer(SCA),Apr. A.Bar,J.Klein,Y.LeTraon,andM.Monperrus.Automaticallysecuringpermission-basedsoftwarebyreducingtheattacksurface:anapplicationtoandroid.InASE2012,pages274–277,2012.A.Bar,J.Klein,Y.LeTraon,andM.Monperrus.Dexpler:convertingandroiddalvikbytecodetojimpleforstaticysiswithsoot.InProceedingsoftheACMSIGNInternationalWorkshoponStateoftheArtinJavaProgramysis,SOAP’12,pages27–38,L.Batyuk,M.Herpich,S.Camtepe,K.Raddatz,A.-D.Sidt,andS.Albayrak.Usingstaticysisforautomaticassessmentandmitigationofunwantedandmaliciousactivitieswithinandroidapplications.InMaliciousandUnwantedSoftware(MALWARE),20116thInternationalConferenceon,pages66–72,E.Bodden.Inter-proceduraldata-flow ysiswithifds/ideandsoot.InProceedingsoftheACMSIGNInternationalWorkshoponStateoftheArtinJavaProgram ysis,SOAP’12,pages3–8,2012.E.Bodden,A.Sewe,J.Sinschek,H.Oueslati,andM.Mezini.Tamingreflection:Aidingstaticysisinthepresenceofreflectionandcustomclassloaders.InICSE’11:InternationalConferenceonSoftwareEngineering,pages241–250.ACM,May2011I.D.Corporation.Worldwidequarterlyphonetracker3q12,Nov. I.Dillig,T.Dillig,andA.Aiken.Precisereasoningforprogramsusingontainers.InProceedingsofthe38thannualACMSIGN-SIGACTsymposiumonPrinciplesofprogramminglanguages,POPL’11,pages187–200,2011.W.Enck,P.Gilbert,B.gonChun,L.P.Cox,J.Jung,P.McDaniel,A.Sheth.Taintdroid:Aninformation-flowtrackingsystemforrealtimeprivacymonitoringonsmartphones.InR.H.Arpaci-DusseauandB.Chen,editors,OSDI,pages393–407.USENIXAssociation,2010. A.P.Felt,M.Finifter,E.Chin,S.Hanna,andD.Wagner.Asurveyofmalwareinthewild.InProceedingsofthe1stACMworkshoponSecurityandprivacyinsmartphonesanddevices,SPSM’11,pages3–14,NewYork,NY,USA,2011.ACM..URL C.Fritz,S.Arzt,S.Rasthofer,E.Bodden,A.Bar,J.Klein,Y.leTraon,D.Octeau,andP.McDaniel.Highlyprecisetaintysisforandroidapplications.TechnicalReportTUD-CS-2013-0113,ECSPRIDE,May2013.URL. A.P.Fuchs,A.Chaudhuri,andJ.S.Foster.Scandroid:Automatedsecuritycertificationofandroidapplications. C.Gibler,J.Crussell,J.Erickson,andH.Chen.Androidleaks:automaticallydetectingpotentialprivacyleaksinandroidapplicationsonalargescale.InProceedingsofthe5thinternationalconferenceonTrustandTrustworthyComputing,TRUST’12,pages291–307,2012. M.C.Grace,W.Zhou,X.Jiang,andA.-R.Sadeghi.Unsafeexposureanalysisofin-appadvertisements.InProceedingsofthefifthACMconferenceonSecurityandPrivacyinWirelessandNetworks,WISEC’12,pages101–112,NewYork,NY,USA,2012.ACM..URLhttp://d G.Inc.Applicationfundamentals.2013.URL. G.KastrinisandY.Smaragdakis.Efficientandeffectivehandlingofexceptionsinjavapoints-to ysis.InR.JhalaandK.D.Bosschere,editors,CC,volume7791ofLectureNotesinComputerScience,pages41–60.Springer,2013. J.Kim,Y.Yoon,K.Yi,andJ.Shin.ScanDal:Static yzerfordetectingprivacyleaksinandroidapplications.InH.Chen,L.Koved,andD.S.Wallach,editors,MoST2012:Security2012,LosAlamitos,CA,USA,May2012.IEEE. D.King,B.Hicks,M.Hicks,andT.Jaeger.Implicitflows:Can’tlivewith‘em,can’tlivewithout‘em.InProceedingsofthe4thInternationalConferenceonInformationSystemsSecurity,ICISS’08,pages56–70,Berlin,Heidelberg,2008.Springer-Verlag.. P.Lam,E.Bodden,O.Lhotak,andL.Hendren.Thesootframeworkforjavaprogram ysis:aretrospective.InCetusUsersandCompilerInfastructureWorkshop(CETUS2011),Oktober2011. O.Lhot´akandL.Hendren.Scalingjavapoints-to ysisusingspark.InG.Hedin,editor,CompilerConstruction,volume2622ofLNCS,pages169.SpringerBerlinHeidelberg,2003. B.Livshits.Securibenchmicro,Mar.2013. L.Lu,Z.Li,Z.Wu,W.Lee,andG.Jiang.Chex:staticallyvettingandroidappsforcomponenthijackingvulnerabilities.InCCS2012,pages229–240, C.MannandA.Starostin.Aframeworkforstaticdetectionofprivacyleaksinandroidapplications.InProceedingsofthe27thAnnualACMSymposiumonAppliedComputing,SAC’12,pages1457–1462,2012. N.A.Naeem,O.Lhot´ak,andJ.Rodriguez.Practicalextensionstotheifdsalgorithm.InCompilerConstruction2010,pages124–144,2010.[27]D.Octeau,P.McDaniel,S.Jha,A.Bar,E.Bodden,J.Klein,andY.L.Traon.Effective ponentcommunicationmapinandroid:Anessentialsteptowardsholisticsecurity ysis.InUSENIXSecuritySymposium2013,Aug.2013.Paladion.Insecurebanktestapp. N.J.PercocoandS.Schulte.Adventuresinbouncerland.BlackhatUSA,2 S.Rasthofer,S.Arzt,andE.Bodden.Amachine-learningapproachforclassifyingandcategorizingandroidsourcesandsinks.In2014NetworkandDistributedSystemSecuritySymposium(NDSS),Feb.2014.URLw.bodden.de/pubs/rab14classifying.pdf.Toappear. A.Reina,A.Fattori,andL.Cavallaro.Asystemcall-centricysisandstimulationtechniquetoautomaticallyreconstructandroidmalwarebehaviors.InEUROSEC,Prague,CzechRepublic,April2013. T.Reps,S.Horwitz,andM.Sagiv.Preciseinterproceduraldataflowysisviagraphreachability.InPOPL’95,pages49–61,1995. A.Rountev,M.Sharp,andG.Xu.Idedataflow ysisinthepresenceoflargeobject-orientedlibraries.InCompilerConstruction,volume4959ofLNCS,pages53–68.Springer,2008. M.Sagiv,T.Reps,andS.Horwitz.Preciseinterproceduraldataflowysiswithapplicationstoconstantpropagation.InTAPSOFT’95,pages131–170,1996. G.Sarwar,O.Mehani,R.Boreli,andM.A.Kaafar.Ontheeffectivenessofdynamictaintysisforprotectingagainstprivateinformationleaksonandroid-baseddevices,2013. M.Sridharan,S.Artzi,M.Pistoia,S.Guarnieri,O.Tripp,andR.Berg.F4F:taintysisofframework-basedwebapplications.InOOPSLA2011,pages1053–1068,2011.O.Tripp,M.Pistoia,P.Cousot,R.Cousot,andS.Guarnieri.Andromeda:Accurateandscalablesecurityysisofwebapplications.InFASE2013,pages210–225, R.Xu,H.Sa¨ıdi,andR.Anderson.Aurasium:practicalenmentforandroidapplications.InUSENIXSecurity2012,Security’12,pages27–27,Berkeley,CA,USA,2012.USENIXAssociation. L.K.YanandH.Yin.Droidscope:seamlesslyreconstructingtheosanddalviksemanticviewsfordynamicandroidmalwareysis.InUSENIXSecurity2012,Security’12,pages29–29,Berkeley,CA,USA,2012.USENIXAssociation. Z.YangandM.Yang.Leakminer:Detectinformationleakageonandroidwithstatictaintysis.InSoftwareEngineering(WCSE),2012ThirdWorldCongresson,pages101–104,2012. Z.ZhaoandF.Osono.Trustdroid:Preventingtheuseofsmartphonesforinformationleakingincorporatenetworksthroughtheusedofstatic istainttracking.InMaliciousandUnwantedSoftware(MALWARE),20127thInternationalConferenceon,pages135–143,2012. Y.ZhouandX.Jiang.Dissectingandroidmalware:Characterizationandevolution.InProceedingsofthe2012IEEESymposiumonSecurityandPrivacy,SP’12,pages95–109,2012.DFlowDroid:PreciseContext,Flow,Field,Object-sensitiveandLifecycle-awareTaintysisforAndroidAppsDChristianFritz,EricBoddenECfirstName.lastName@ec-

andYvesLeTraonReliabilityandTrust

Today’ssmartphonesareaubiquitoussourceofprivateandconfi-dentialdata.Atthesametime,smartphoneusersaredbycarelesslyprogrammedappsthatleakimportantdatabyaccident,dataintentionally.Whileexistingstatictaint-ysisapproacheshavethepotentialofdetectingsuchdataleaksaheadoftime,allap-proachesforAndroiduseanumberofcoarse-grainapproximationsthatcanyieldhighnumbersofmissedleaksandfalsealarms.InthisworkwethuspresentFLOWDROID,anovelandhighlyprecisestatictaintysisforAndroidapplications.AprecisemodelofAndroid’slifecycleallowstheysistoproperlyhandlecallbacksinvokedbytheAndroidframework,whilecontext,flow,fieldandobject-sensitivityallowstheysistoreducethenumberoffalsealarms.Novelon-demandalgorithmshelpFLOWDROIDmaintainhighefficiencyandprecisionatthesametime.WealsoproposeDROIDBENCH,anopentestsuiteforevaluatingtheeffectivenessandaccuracyoftaint-ysistoolsspecificallyforAndroidapps.AsweshowthroughasetofexperimentsusingSecuriBenchMicro,DROIDBENCH,andasetofwell-knownAn-droidtestapplications,FLOWDROIDfindsaveryhighfractionofdataleakswhilekeetherateoffalsepositiveslow.OnDROIDBENCH,FLOWDROIDachieves93%recalland86%pre-cision,greatlyoutperformingthecommercialtoolsIBMAppScanSourceandFortifySCA.FLOWDROIDsuccessfullyfindsleaksinasubsetof500appsfrom yandabout1,000malwareappsfromtheShareproject.CategoriesandSubjectDescriptorsF.3.2[SemanticsofProgram-mingLanguages]:Programysis;D.4.6[SecurityandProtec-tion]:InformationflowcontrolsPermissiontomakedigitalorhardcopiesofallorpartofthisworkfor alorclassroomuseisgrantedwithoutfeeprovidedthatcopiesarenotmadeordistributedforprofitorcommercialadvantageandthatcopiesbearthisnoticeandthefullcitationonthefirstpage.CopyrightsforcomponentsofthisworkownedbyothersthanACMmustbehonored. ingwithcreditispermitted.Tocopyotherwise,orrepublish,topostonserversortoredistributetolists,requirespriorspecificpermissionand/orafee.Requestpermissionsfrompermissions@.PLDI’14,June9-112014,Edinburgh,UnitedKingdom.Copyrightc2014ACM978-1-4503-2784-8/14/06...$15.00..

Accordingtoarecentstudy[9],Androidhasseenaconstantlygrowingmarketshareinthephonemarket,whichisnowat81%.WithAndroidphonesbeingubiquitous,they eaal.classifieddifferentkindsofAndroidmalware[12]andfoundthatoneofthemainthreatsposedbymaliciousAndroidapplicationsareprivacyviolationswhichleaksensitiveinformationsuchaslocationinformation,contactdata,pictures,SMSmessages,etc.totheattacker.Butevenapplicationsthatarenotmaliciousandincludesuchlibrariestoobtainsomeremunerationfortheirefforts,butfewofthemfullyunderstandtheirprivacyimplications,noraretheyabletofullycontrolwhichdatatheselibrariesprocess.Commonlibrariesdistillprivateinformationthatidentifiesafortargetedadvertisementsuchasuniqueidentifiers(e.g.,IMEI,MAC-address,etc.),countryorlocationinformation.Taintysesaddressthisproblembyyzingapplicationsandpresentingpotentiallymaliciousdataflowstohumanystsortoautomatedmalware-detectiontoolswhichcanthendecidewhetheraleakactuallyconstitutesaviolation.Theseap-proachestracksensitive“tainted”informationthroughtheapplica-tionbystartingatapre-definedsource(e.g.anAPImethodreturn-inglocationinformation)andthenfollowingthedataflowuntilitreachesagivensink(e.g.amethodwritingtheinformationtoasocket),givingpreciseinformationaboutwhichdatamaybeleakedwhere.Theysescaninspecttheappbothdynamicallyandstati-cally.Dynamicprogramyses,though,requiremanytestrunstoreachappropriatecodecoverage.Moreover,currentmalwarecanrecognizedynamicmonitorsastheyzedappexecutes,causingtheapptoposeasabenignprograminthesesituations.Whilestaticcodeysesdonotsharetheseproblems,theyruntheriskofbeingimprecise,astheyneedto fromprograminputsandtoapproximateruntimeobjects.TheprecisemodelingoftheruntimeexecutionisparticularlychallengingforAndroidapps,asthoseappsarenostand-aloneapplicationsbutareactuallypluginsintotheAndroidframework.Appsconsistofdifferentcomponentswithadistinctlifecycle.Duringanapp’sexecution,theframeworkcallsdifferentcallbackswithintheapp,notifyingitofsystemevents,whichcanstart/pause/resume/shutdowntheappetc.[17].Tobeabletoeffectivelypredicttheapp’scontrolflow,staticysesmustnotonlymodelthislifecycle,butmustalsointegratefurthercallbacksforsystem-eventhandling(e.g.,forphonesensorslikeGPS),UIinction,andothers.Asweshowindedicatedalgorithms.AnotherchallengeisposedbysourcesofTherespectiveAPIcallsreturningtheircontentscannotbedetectedXMLfiles.Lastbutnotleast,likeanyapplicationwritteninJava,TypicalstaticysesforJavahandletheseproblemsthroughsomeexposeextraordinarilydeepaliasingrelationships.Pastdata-flowysisapproachesforAndroid[14,15,24,approximations,usuallycausedbythelackofafaithfullifecyclemodel,cancausetheseysestomissimportantdataflows.Intothepointatwhichtheystopusingtheysistoolsentirely.Inthiswork,wethereforepresentFLOWDROID,anovelstaticandbasedonnovelon-demandalgorithmsthatyieldhighprecisionleaks,eithercausedbycarelessnessorcreatedwithmaliciousintention.Opposedtoearlieryses,FLOWDROIDisthefirststatictaint-ysissystemthatisfullycontext,flow,fieldandlifecycle,includingthecorrecthandlingofcallbacksanduser-definedUIwidgetswithintheapps.Thisdesignizesprecisionandrecall,i.e.,aimsatminimizingthenumberofmissedleakswhilemaintainingacceptableperformance,FLOWDROIDusesabyAndromeda[37]butimprovesoverAndromeda’sintermsofprecision.Wehaveopen-sourcedFLOWDROIDinsummer2013.Thetoolhasalreadybeenpickedupbyseveralresearchgroupsandweareincontactwithaleadingproducerofanti-tools,whonstouseFLOWDROIDproductivelyintheysisbackend.ForusandotherstobeabletomeasurescientificprogressinabletoconductcomparativestudiesofAndroidtaint-ysistools.wethusmakeavailableDROIDBENCH,anovelopen-sourcemicro-benarksuiteforcomparingtheeffectivenessoftaintysesforAndroid.WehavemadeDROIDBENCHavailableonlineinspring2013andknowofseveralresearchgroupswhohaveuseditalreadytocontributefurthermicrobenarkstothesuite[35].appsaswellasassistinthetriageofAndroidmalware.Bothusecasesdemandnotaperfectbutyetareasonablylowrateoffalsepositivesandfalsenegatives.AsetofexperimentswithSecuriBenchMicro,DROIDBENCHandsomewell-knownappscontainingdataleaksshowsthatFLOWDROIDfindsaveryhighOnDROIDBENCH1.0,FLOWDROIDachieves93%recalland86%precision,greatlyoutperformingthecommercialtoolsAppScanconfirmFLOWDROID’sutilityinpractice.

FLOWDROID,thefirstfullycontext,field,objectandflow-sensitivetaintysiswhichconsiderstheAndroidapplicationlifecycleandUIwidgets,andwhichfeaturesanovel,particularlyprecisevariantofanon-demandaliasysis;afullopen-sourceimplementationofDROIDBENCH,anovel,openandcomprehensivemicrobench-marksuiteforAndroidflowyses,ofFLOWDROIDcomparedtothecommercialtoolsAppScanSourceandFortifySCA,andasetofexperimentsapplyingFLOWDROIDtoover500apps yandabout1000malwareappsfromShareprojectourexperimentalresults:Spacelimitationsprecludeusfromincludingsomedetailsnecessarytofullyreproduceourapproach.Wethuspublishan TechnicalReport,[13]whichformalizesFLOWDROID’stransferfunctionsandgivesadditionaldetailsontheimplementation.Thepapercontinuesasfollows.Section2givesamotivatingexampleandex insthenecessarybackgroundonAndroidsecurity.Section3ex inshowFLOWDROIDmodelstheAndroidlifecyclewhileSection4givesimportantdetailsabouttheactualtaintysis.InSection5,thepaperdiscussesimplementationdetailsandlimitations,whileSection6evaluatesFLOWDROID.SectionWestartbygivingamotivatingexampleandthenexintheattackermodelthisworkassumes.TheexampleinListing1( Androidrepresentsascreenintheuserinterface.Theappreadsapasswordfromatextfield(line5)whenevertheframeworkrestartstheapp.Whentheuserclicksonabuttonoftheactivity,theInthisexample,sendMessage()isassociatedwithabuttonintheapp’sUI,whichistriggeredwhentheuserclicksthebutton.InlayoutXMLfile,asisassumedhere.Thus,yzingthesourcecodeonlyoccursifonRestart()iscalled(initializingtheuservariable)beforesendMessage()executes.Toavoidfalsenegatives,ataintysismustmodeltheapplifecyclecorrectly,recognizingthataToavoidfalsepositives,anysisofthisexamplemustbeprivatevalue.Object-sensitivity,whilenotrequiredforthisexample,foundsomecasesrequiringdeepobjectsensitivitytobeabletodeepcallandassignmentchainsoftheAndroidframework.Operationssuchasstringconcatenation(line19)requireamodelTreatingsuchoperationsasnormalmethodcallsandyzingpublicclassLeakageAppextendsActivityprivateUseruser=nlprotectedvoidonRestart

causeofmemorydepletion,andlaterrestartitwhentheuserreturns45678910

EditText username (EditText)findViewById(Ri.username);EditText passwordText (EitStringuname=usernameText.toString();Stringpwd=passwordText.toString();if(!uname.isEmpty()&&!pwd.isEmpty())this.user=newUser(uname,pwd

Instead,allpossibletransitionsintheAndroidlifecyclemustbemodeledprecisely.Tocopewiththisproblem,FLOWDROIDcon-followingweexinhowthismethodisconstructed.AsynchronouslyexecutingcomponentsAnapplicationcancon-//CallbackmethodixpublicvoidsendMessage(Viewview

thoughtheactivitiesrunsequentially,onecannotpre-determinetheirorder.Oneactivitycould,forinstance,bethemainoneinitially26

if(user==null)returnPasswordpwd=user.getpwdStringpwdString=pwd.getPassword();StringobfPwd="";//musttrackprimitivesfor(charc:pwdString.toCharArray())obfPwd+=c+"_";//StringconcatString message "User: +usrgetName()+"|Pwd:"+obfPwd;SmsManagersms=SmsManager.getefault(); null,message,null,null);

bletotheuserandthenlauncheitheroneoftheothersdependingonservices,etc.)insideanapplicationcanruninanarbitrarysequentialFLOWDROIDbasesitsysisonIFDS[32],anysisframe-workwhichisnotpathsensitiveandinsteadjoinsysisresultseveryorderofindividualcomponentlifecyclesandcallbacksispossible;itdoesnotneedtotraverseallpossiblepaths.CallbacksTheAndroidoperatingsystemallowsapplicationstoregistercallbacksforvarioustypesofinformation,e.g.,locationitignorestheoperations’semantics)and,aswefound,isoftenforbiddinglyexpensiveinpractice.AttackermodelFLOWDROIDcanbeusedtodetectdataflowsmaliciousintent.Formaliciouscases,weassumethefollowingattackermodel.Theattackermaysupplyanappwitharbitrarytoleakprivatedatathroughadangerouslybroadsetofpermissionsgrantedbytheuser[4].FLOWDROIDmakessoundassumptionsattackeristotamperwiththoseaswell.FLOWDROIDdoeschannels.Further,weassumethattheattackerdoesnotuseimplicitflows[20]todisguisedataleaks.Giventhecurrentkindofavailablemalware,thisisaveryreasonableassumption.PreciseModellingofInthefollowingweexinFLOWDROID’sprecisemodelingofcomponentsandcallbacks.donothaveamainmethod.Appsinsteadcomprisemanyentryofcomponentsanappdevelopercandefine:activitiesaresingleprovidersdefineadatabase-likestorage,andbroadcastreceiversregisteringitintheAndroidManifest.xmlfileandoverwriting

applicationstoresthelocationdatathattheframeworkpassestothecallbackasaparameter,andlatersendsthisdatatotheInternetwhencallbackscanonlyhappenwhiletheparentcomponent(e.g.activity)(activities,services,etc.)withthecallbackstheyregister.AnactivityyzedbetweentheonResume()andonPause()eventsofthisactivityTherearetwodifferentwaystoregistercallbackhandlersonthetheXMLfilesofanactivity.Alternatively,theycanalsoberegisteredFLOWDROIDsupportsbothways.Additionally,formalwarethereistheriskthatanattackerregistersunedcallbacksbycouldevenbecalledbynativecode.FLOWDROIDrecognizessuchoverwrittenmethods,handlingthemsimilartonormalcallbackhandlerssuchasbuttonclicks.lifecyclemethods(onCreate(),onStop(),etc.)implementedinthecallstoAndroidsystemmethodsthatuseoneofthewell-known554voidmain()7a=newb=a.g;6voidfoo(z){ x=z.g;w=x.f=w}}312 pppppLeakageAppla=newprecisemapbetweencomponentsandcallbacks.Thisdoesnotmainmethodhasbeenconstructed,FLOWDROIDcomputesafinalcallgraphusingthismethodastheapp’sentrypoint.ForcallbacksdefinedinthelayoutXMLfiles,therespectivefileitregisters.Thisinformationisthenusedtocreatethemap.ExampleNotethat,togainalprecision,FLOWDROIDgeneratesanewdummymainmethodforeachappyzed.Eachmainmethodwillonlyinvolvethepartofthelifecyclethat,methodsareonlyinvokedinthecontextsofthecomponentstowhichtheyactuallybelong.Abutton-clickhandler,forinstance,isonlyyzedinthecontextofitsrespectiveactivity.InFigure1weshowthecontrol-flowgraphofthedummymainmethodforourpreviouswiththesendMessagecallback.Inthisfigure,prepresentsanopaquepredicateofwhichweknowthatFLOWDROIDwon’tbeabletoevaluateitstatically.Inresult,theysiswillautomatically sensitivitytoresolvealiasingeffectively.Figure2( areal-worldcase)showshowFLOWDROIDcombinesaforward-taintysisandanon-demandbackward-aliasysistodeducethatb.fistaintedatthesink.Instep,thetaintedvariablewisaheapobjectgetstainted,thebackwardysissearchesupwards

FLOWDROIDmodelsthetaint-ysisproblemwithintheIFDS[32]frameworkforinter-proceduraldistributivesubsetprob-uses.Mostfunctionsarerelativelystandard.Thereisoneimportantsituation,however,inwhichFLOWDROID’sysisdiffersfromofwhichwewillexininSection4.2.Duetospacerestrictionswekeepthedescriptionofflowfunctionsonaninformallevel.Toal-lowotherstoreproduceourap