ASE 2019
Sun 10 - Fri 15 November 2019, San Diego, California, United States
Tue 12 Nov 2019 13:40 - 14:00 at Hillcrest - Mobile 2 Chair(s): Myra Cohen

In the past, researchers have developed a number of popular taint-analysis approaches, particularly in the context of Android applications. Numerous studies have shown that automated code analyses are adopted by developers only if they yield a good “signal to noise ratio”, i.e., high precision. Many previous studies have reported analysis precision quantitatively, but this gives little insight into what can and should be done to increase precision further.

To guide future research on increasing precision, we present a comprehensive study that evaluates static Android taint-analysis results on a qualitative level. To unravel the exact nature of taint flows, we have designed COVA, an analysis tool to compute partial path constraints that inform about the circumstances under which taint flows may actually occur in practice.

We have conducted a qualitative study on the taint flows in 1,022 real-world Android applications. Our results reveal several key findings: Many taint flows occur only under specific conditions, e.g., environment settings, user interaction, I/O. Taint analyses should consider the application context to discern such situations. COVA shows that few taint flows are guarded by multiple different kinds of conditions simultaneously, so tools that seek to confirm true positives dynamically can concentrate on one kind at a time, e.g., only simulating user interactions. Lastly, many false positives arise due to a too liberal source/sink configuration. Taint analyses must be more carefully configured, and their configuration could benefit from better tool assistance.
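To make the notion of a partial path constraint concrete, the following is an added toy example written for this page; it is not COVA's code and is not taken from the paper. It enumerates the paths of a small constructed program, propagates taint from a source call to a sink call, records the branch outcomes taken on the way, and then drops any condition under whose both outcomes the same flow is reported, so only the conditions that actually guard the flow remain. The API names, condition names, condition kinds and the sample program are all constructed; the two sink configurations illustrate the third finding, that a liberal source/sink configuration reports flows a stricter one does not.

```python
"""Added illustration (not COVA, not the paper's code): a toy path-sensitive
taint analysis that records which branch conditions guard each source-to-sink
flow, then drops conditions that do not matter.  All API names, condition
names and the sample program below are constructed."""
from dataclasses import dataclass
from typing import Optional

# Condition categories named in the paper's findings.
ENVIRONMENT, USER_INTERACTION, IO = "environment", "user interaction", "I/O"


@dataclass
class Call:
    api: str
    target: Optional[str] = None  # variable that receives the result
    arg: Optional[str] = None     # variable passed to the call


@dataclass
class If:
    cond: str
    kind: str
    then: list
    orelse: list


@dataclass(frozen=True)
class Flow:
    source: str
    sink: str
    constraints: tuple  # ((condition, outcome, kind), ...) along the path


def analyze(block, sources, sinks, taint=None, path=()):
    """Enumerate every path through `block`, propagating taint from source
    calls through assignments and reporting a Flow whenever a tainted
    variable reaches a sink, with the branch outcomes taken on that path."""
    taint = dict(taint or {})  # variable -> source API that tainted it
    flows = []
    for i, stmt in enumerate(block):
        if isinstance(stmt, If):
            rest = block[i + 1:]
            for branch, taken in ((stmt.then, True), (stmt.orelse, False)):
                constraint = (stmt.cond, taken, stmt.kind)
                flows += analyze(branch + rest, sources, sinks, taint,
                                 path + (constraint,))
            return flows  # both continuations already covered `rest`
        if stmt.api in sources and stmt.target:
            taint[stmt.target] = stmt.api
        elif stmt.api in sinks and stmt.arg in taint:
            flows.append(Flow(taint[stmt.arg], stmt.api, path))
        elif stmt.target:  # ordinary call: result tainted iff its argument is
            if stmt.arg in taint:
                taint[stmt.target] = taint[stmt.arg]
            else:
                taint.pop(stmt.target, None)
    return flows


def simplify(flows):
    """Drop a condition when the same flow is reported under both of its
    outcomes: that condition does not guard the flow at all."""
    flows = set(flows)
    merged = True
    while merged:
        merged = False
        for f in list(flows):
            for i, (cond, taken, kind) in enumerate(f.constraints):
                before, after = f.constraints[:i], f.constraints[i + 1:]
                twin = Flow(f.source, f.sink,
                            before + ((cond, not taken, kind),) + after)
                if twin in flows:
                    flows -= {f, twin}
                    flows.add(Flow(f.source, f.sink, before + after))
                    merged = True
                    break
            if merged:
                break
    return sorted(flows, key=lambda f: (f.source, f.sink, f.constraints))


def guard_kinds(flow):
    """Kinds of condition (environment, user interaction, I/O) guarding a flow."""
    return {kind for _, _, kind in flow.constraints}


# Constructed sample: one source, three candidate sinks, nested conditions.
SOURCES = {"TelephonyManager.getDeviceId"}
STRICT_SINKS = {"HttpURLConnection.write"}
LIBERAL_SINKS = STRICT_SINKS | {"Log.d", "SharedPreferences.putString"}
SAMPLE = [
    Call("TelephonyManager.getDeviceId", target="id"),
    If("BuildConfig.DEBUG", ENVIRONMENT,
       then=[Call("Log.d", arg="id")], orelse=[]),
    If("prefs.analyticsEnabled", ENVIRONMENT,
       then=[If("sendButton.clicked", USER_INTERACTION,
                then=[Call("HttpURLConnection.write", arg="id")], orelse=[])],
       orelse=[]),
    Call("sha256", target="digest", arg="id"),          # taint propagates
    Call("SharedPreferences.putString", arg="digest"),  # unconditional sink
]

if __name__ == "__main__":
    for sinks, label in ((LIBERAL_SINKS, "liberal"), (STRICT_SINKS, "strict")):
        print(f"== {label} sink configuration ==")
        for f in simplify(analyze(SAMPLE, SOURCES, sinks)):
            guard = " && ".join(c if t else "!" + c for c, t, _ in f.constraints) or "true"
            print(f"{f.source} -> {f.sink}  if {guard}  kinds={sorted(guard_kinds(f))}")
```

With the liberal configuration the toy reports three flows: the network write is guarded by two different kinds of condition (an environment setting and a user interaction), the log call by one, and the preference write by none, while the `BuildConfig.DEBUG` outcome is correctly dropped from the flows it does not guard. The strict configuration reports only the network write, which is the effect of narrowing the sink list that the third finding describes.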

Slides: A Qualitative Analysis of Android Taint-Analysis Results (COVA-ASE19-Talk-public.pdf, 1.57 MiB)

Tue 12 Nov
Times are displayed in time zone: Tijuana, Baja California

13:40 - 15:20: Mobile 2 (Papers / Research Papers / Journal First Presentations) at Hillcrest
Chair(s): Myra Cohen (Iowa State University)
13:40 - 14:00
A Qualitative Analysis of Android Taint-Analysis Results
Research Papers
Linghui Luo (Paderborn University), Eric Bodden (Heinz Nixdorf Institut, Paderborn University and Fraunhofer IEM), Johannes Späth (Fraunhofer IEM)
Pre-print File Attached
14:00 - 14:20
Goal-Driven Exploration for Android Applications
Research Papers
Duling Lai (University of British Columbia), Julia Rubin (University of British Columbia)
14:20 - 14:40
RANDR: Record and Replay for Android Applications via Targeted Runtime Instrumentation
Research Papers
Onur Sahin (Boston University), Assel Aliyeva (Boston University), Hariharan Mathavan (Boston University), Ayse Coskun (Boston University), Manuel Egele (Boston University, USA)
14:40 - 15:00
Specifying Callback Control Flow of Mobile Apps Using Finite Automata
Journal First Presentations
Danilo Dominguez Perez (Iowa State University), Wei Le (Iowa State University)
15:00 - 15:20
MalScan: Fast Market-Wide Mobile Malware Scanning by Social-Network Centrality Analysis
Research Papers
Yueming Wu (Huazhong University of Science and Technology), Xiaodi Li (University of Texas at Dallas), Deqing Zou (Huazhong University of Science and Technology), Wei Yang (University of Texas at Dallas), Xin Zhang (Huazhong University of Science and Technology), Hai Jin (Huazhong University of Science and Technology)