Abstract
When installing or executing an app on a smartphone, we grant it access to part of our (possibly confidential) data stored on the device. Traditional information-flow analyses aim to detect whether such information is leaked by the app to the external (untrusted) environment. The static analyser we present in this paper goes one step further. Its aim is to trace not only whether information is possibly leaked (as this is almost always the case), but also how relevant such a leakage might become, as an under- and over-approximation of the actual degree of value degradation. The analysis captures both explicit and implicit dependences in an integrated approach. The analyser is built within the Abstract Interpretation framework on top of our previous work on datacentric semantics for verification of privacy policy compliance by mobile applications. Results of the experimental analysis on significant samples of the DroidBench library are also discussed.
© 2016 Springer International Publishing AG
About this paper
Cite this paper
Barbon, G., Cortesi, A., Ferrara, P., Steffinlongo, E. (2016). DAPA: Degradation-Aware Privacy Analysis of Android Apps. In: Barthe, G., Markatos, E., Samarati, P. (eds) Security and Trust Management. STM 2016. Lecture Notes in Computer Science, vol 9871. Springer, Cham. https://doi.org/10.1007/978-3-319-46598-2_3
DOI: https://doi.org/10.1007/978-3-319-46598-2_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-46597-5
Online ISBN: 978-3-319-46598-2
eBook Packages: Computer Science (R0)