In the past, researchers have developed a number of popular taint-analysis approaches, particularly in the context of Android applications. Numerous studies have shown that automated code analyses are adopted by developers only if they yield a good “signal to noise ratio”, i.e., high precision. Many previous studies have reported analysis precision quantitatively, but this gives little insight into what can and should be done to increase precision further.
To guide future research on increasing precision, we present a comprehensive study that evaluates static Android taint-analysis results on a qualitative level. To unravel the exact nature of taint flows, we have designed COVA, an analysis tool to compute partial path constraints that inform about the circumstances under which taint flows may actually occur in practice.
We have conducted a qualitative study on the taint flows in 1,022 real-world Android applications. Our results reveal several key findings: Many taint flows occur only under specific conditions, e.g., environment settings, user interaction, I/O. Taint analyses should consider the application context to discern such situations. COVA shows that few taint flows are guarded by multiple different kinds of conditions simultaneously, so tools that seek to confirm true positives dynamically can concentrate on one kind at a time, e.g., only simulating user interactions. Lastly, many false positives arise due to a too liberal source/sink configuration. Taint analyses must be more carefully configured, and their configuration could benefit from better tool assistance.
|Slides (A Qualitative Analysis of Android Taint-Analysis Results) (COVA-ASE19-Talk-public.pdf)||1.57MiB|
Conference DayTue 12 NovDisplayed time zone: Tijuana, Baja California change
13:40 - 15:20
|A Qualitative Analysis of Android Taint-Analysis Results|
Linghui LuoPaderborn University, Eric BoddenHeinz Nixdorf Institut, Paderborn University and Fraunhofer IEM, Johannes SpäthFraunhofer IEMPre-print File Attached
|Goal-Driven Exploration for Android Applications|
|RANDR: Record and Replay for Android Applications via Targeted Runtime Instrumentation|
|Specifying Callback Control Flow of Mobile Apps Using Finite Automata|
Journal First PresentationsLink to publication
|MalScan: Fast Market-Wide Mobile Malware Scanning by Social-Network Centrality Analysis|
Yueming WuHuazhong University of Science and Technology, Xiaodi LiUniversity of Texas at Dallas, Deqing ZouHuazhong University of Science and Technology, Wei YangUniversity of Texas at Dallas, Xin ZhangHuazhong University of Science and Technology, Hai JinHuazhong University of Science and TechnologyPre-print