
Intents Analysis of Android Apps for Confidentiality Leakage Detection

Advanced Computing and Systems for Security

Part of the book series: Advances in Intelligent Systems and Computing ((AISC,volume 1178))

Abstract

Intents are Android’s intra- and inter-application communication mechanism. They specify an action to perform, together with extra data, and are either sent to a specific receiver component or broadcast to many components. Components, in the same app or in a distinct one, receive the intent if they are available to perform the desired action. Hence, a sound static analyzer must be aware of information flows through intents. That can be achieved by considering intents as both source (when reading) and sink (when writing) of confidential data. But this is overly conservative if the intent stays inside the same app or if the set of apps installed on the device is known in advance. In such cases, a sound approximation of the flow of intents leads to a more precise analysis. This work describes SDLI, a novel static analyzer that, for each app, creates an XML summary file reporting a description of the tainted information in outwards intents and of the intents the app is available to serve. SDLI discovers confidential information leaks when two apps communicate, by matching their XML summaries and looking for tainted outwards intents of the first app that can be inwards intents of the second app. The tool is implemented inside Julia, an industrial static analyzer. On the DroidBench test cases, it shows a precision higher than 75%. On some popular apps from the Google Play marketplace, it spots inter-app leaks of confidential data, hence showing its practical effectiveness.
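The summary matching the abstract describes, as an added example (this is not SDLI's own code, and the XML schema used here is an assumption, since the page does not show SDLI's format): two constructed summaries are matched with simplified Android intent-resolution rules, so that a tainted outgoing intent of the first app that a filter of the second app can serve is reported as a potential inter-app leak.

```python
import xml.etree.ElementTree as ET

# Constructed summaries in a hypothetical schema (not SDLI's real format):
# outgoing intents with taint info for the sender, intent filters for the receiver.
SENDER_XML = """<app package="com.example.sender">
  <outgoing action="android.intent.action.SEND" tainted="true" source="IMEI">
    <category>android.intent.category.DEFAULT</category>
    <data mimeType="text/plain"/>
  </outgoing>
  <outgoing action="android.intent.action.VIEW" tainted="false">
    <data scheme="https"/>
  </outgoing>
  <outgoing action="android.intent.action.SEND" tainted="true" source="LOCATION">
    <data mimeType="image/png"/>
  </outgoing>
</app>"""
RECEIVER_XML = """<app package="com.example.receiver">
  <filter component="com.example.receiver.ShareActivity">
    <action>android.intent.action.SEND</action>
    <category>android.intent.category.DEFAULT</category>
    <data mimeType="text/plain"/>
  </filter>
</app>"""

def filter_accepts(intent, flt):
    """Simplified Android implicit-intent resolution: the action must be
    declared by the filter, every category of the intent must be declared,
    and the filter's data constraints (scheme, MIME type) must match."""
    if intent.get("action") not in [a.text for a in flt.findall("action")]:
        return False
    intent_cats = {c.text for c in intent.findall("category")}
    if not intent_cats <= {c.text for c in flt.findall("category")}:
        return False
    idata, fdata = intent.find("data"), flt.find("data")
    if idata is None or fdata is None:  # both absent matches, only one does not
        return idata is None and fdata is None
    return all(fdata.get(a) is None or fdata.get(a) == idata.get(a)
               for a in ("scheme", "mimeType"))

def find_leaks(sender_xml, receiver_xml):
    """Report (confidential source, action, receiving component) for every
    tainted outgoing intent of the sender that a receiver filter can serve."""
    sender, receiver = ET.fromstring(sender_xml), ET.fromstring(receiver_xml)
    leaks = []
    for intent in sender.findall("outgoing"):
        if intent.get("tainted") != "true":
            continue  # untainted intents carry no confidential data
        for flt in receiver.findall("filter"):
            if filter_accepts(intent, flt):
                leaks.append((intent.get("source"), intent.get("action"), flt.get("component")))
    return leaks
```

The untainted VIEW intent is skipped, and the tainted image/png SEND intent is not reported because the receiver's filter only accepts text/plain; only the IMEI-tainted text/plain SEND intent is matched.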


Notes

  1. This paper is a revised and extended version of [27].

  2. https://github.com/secure-software-engineering/DroidBench.

  3. Examples are from https://developer.android.com/guide/components/intents-filters.html, where the reader can find further details.

  4. https://sourceforge.net/projects/dex2jar.

  5. https://commons.apache.org/proper/commons-bcel.

  6. The source code of all these apps can be found at https://github.com/secure-software-engineering/DroidBench/tree/master/eclipse-project/InterComponentCommunication, commit 2521ba5a222d13fabdd75f94c9f2e646e346f868.

  7. https://github.com/DrKLO/Telegram.git.

  8. We removed three apps because both apktool and dex2jar crashed on them and we could not analyze them.

  9. https://github.com/skylot/jadx.

  10. https://play.google.com/store/apps/details?id=com.apartapps.android.intentanalyser.

  11. https://telegram.org.

  12. https://play.google.com/store/apps/details?id=com.google.android.gm.

  13. https://www.whatsapp.com.

  14. https://developer.android.com/guide/components/intents-filters.html.

References

  1. Andersen, L.O.: Program analysis and specialization for the C programming language. Ph.D. thesis, DIKU, University of Copenhagen (1994)

  2. Arzt, S., Rasthofer, S., Fritz, C., Bodden, E., Bartel, A., Klein, J., Le Traon, Y., Octeau, D., McDaniel, P.: FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps. In: Proceedings of Programming Language Design and Implementation (PLDI), Edinburgh, UK, June 2014, p. 29 (2014)

  3. Bartel, A., Klein, J., Le Traon, Y., Monperrus, M.: Dexpler: converting Android Dalvik bytecode to Jimple for static analysis with Soot. In: Proceedings of State of the Art in Java Program Analysis (SOAP) (2012)

  4. Bhandari, S., Jaballah, W.B., et al.: Android inter-app communication threats and detection techniques. Comput. Secur. 70, 392–421 (2017)

  5. Bryant, R.: Symbolic Boolean manipulation with ordered binary-decision diagrams. ACM Comput. Surv. 24(3), 293–318 (1992)

  6. Cortesi, A., Ferrara, P., Pistoia, M., Tripp, O.: Datacentric semantics for verification of privacy policy compliance by mobile applications. In: Verification, Model Checking, and Abstract Interpretation, 16th International Conference, VMCAI 2015, Mumbai, India, 12–14 January 2015, pp. 61–79 (2015)

  7. Cortesi, A., Olliaro, M.: M-string segmentation: a refined abstract domain for string analysis in C programs. In: 2018 International Symposium on Theoretical Aspects of Software Engineering, TASE 2018, Guangzhou, China, 29–31 August 2018, pp. 1–8 (2018)

  8. Cortesi, A., Ferrara, P., Halder, R., Zanioli, M.: Combining symbolic and numerical domains for information leakage analysis. In: Transactions on Computational Science 31. LNCS, vol. 10730, pp. 98–135 (2018)

  9. Costantini, G., Ferrara, P., Cortesi, A.: A suite of abstract domains for static analysis of string values. Softw. Pract. Exp. 45(2), 245–287 (2015)

  10. Cousot, P., Cousot, R.: Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: Proceedings of Principles of Programming Languages (POPL), pp. 238–252 (1977)

  11. Enck, W., Gilbert, P., Han, S., Tendulkar, V., Chun, B.-G., Cox, L.P., Jung, J., McDaniel, P.D., Sheth, A.N.: TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. ACM Trans. Comput. Syst. 32(2), 5:1–5:29 (2014)

  12. Ernst, M.D., Lovato, A., Macedonio, D., Spiridon, C., Spoto, F.: Boolean formulas for the static identification of injection attacks in Java. In: Proceedings of Logic for Programming, Artificial Intelligence, and Reasoning (LPAR-20), Suva, Fiji. LNCS, vol. 9450, pp. 130–145 (2015)

  13. Ferrara, P., Cortesi, A., Spoto, F.: From CIL to Java bytecode: semantics-based translation for static analysis leveraging. Sci. Comput. Program. 191 (2020)

  14. Ferrara, P., Mandal, A.K., Cortesi, A., Spoto, F.: Cross-programming language taint analysis for the IoT ecosystem. In: ECEASST, vol. 77 (2019)

  15. Halder, R., Cortesi, A.: Abstract interpretation of database query languages. Comput. Lang. Syst. Struct. 38(2), 123–157 (2012)

  16. Jana, A., Halder, R., Kalahasti, A., Ganni, S., Cortesi, A.: Extending abstract interpretation to dependency analysis of database applications. IEEE Trans. Softw. Eng. (2020)

  17. Li, L., Bartel, A., Bissyandé, T.F., Klein, J., Le Traon, Y., Arzt, S., Rasthofer, S., Bodden, E., Octeau, D., McDaniel, P.D.: IccTA: detecting inter-component privacy leaks in Android apps. In: Proceedings of the International Conference on Software Engineering (ICSE), Florence, Italy, pp. 280–291 (2015)

  18. Livshits, B., Sridharan, M., Smaragdakis, Y., Lhoták, O., Amaral, J.N., Chang, B.E., Guyer, S.Z., Khedker, U.P., Møller, A., Vardoulakis, D.: In defense of soundiness: a manifesto. Commun. ACM 58(2), 44–46 (2015)

  19. Mandal, A.K., Cortesi, A., Ferrara, P., Panarotto, F., Spoto, F.: Vulnerability analysis of Android Auto infotainment apps. In: Proceedings of the 15th ACM International Conference on Computing Frontiers, CF 2018, Ischia, Italy, 08–10 May 2018, pp. 183–190 (2018)

  20. Mandal, A.K., Panarotto, F., Cortesi, A., Ferrara, P., Spoto, F.: Static analysis of Android Auto infotainment and On-Board Diagnostics II apps. Softw. Pract. Exp. 49(7), 1131–1161 (2019)

  21. Octeau, D., Jha, S., McDaniel, P.D.: Retargeting Android applications to Java bytecode. In: Proceedings of Foundations of Software Engineering (FSE), Cary, NC, USA (2012)

  22. Octeau, D., Luchaup, D., Jha, S., McDaniel, P.D.: Composite constant propagation and its application to Android program analysis. IEEE Trans. Softw. Eng. 42(11), 999–1014 (2016)

  23. Octeau, D., McDaniel, P.D., Jha, S., Bartel, A., Bodden, E., Klein, J., Le Traon, Y.: Effective inter-component communication mapping in Android: an essential step towards holistic security analysis. In: Proceedings of USENIX Security, Washington, DC, USA, pp. 543–558 (2013)

  24. Payet, É., Spoto, F.: Static analysis of Android programs. Inf. Softw. Technol. 54(11), 1192–1201 (2012)

  25. Rasthofer, S., Arzt, S., Bodden, E.: A machine-learning approach for classifying and categorizing Android sources and sinks. In: Proceedings of Network and Distributed System Security (NDSS), San Diego, California, USA (2014)

  26. Sadeghi, A., Bagheri, H., Garcia, J., Malek, S.: A taxonomy and qualitative comparison of program analysis techniques for security assessment of Android software. IEEE Trans. Softw. Eng. 43(6), 492–530 (2017)

  27. Salvia, R., Ferrara, P., Spoto, F., Cortesi, A.: SDLI: static detection of leaks across intents. In: 17th IEEE International Conference on Trust, Security and Privacy, TrustCom 2018, New York, NY, USA, 1–3 August 2018, pp. 1002–1007 (2018)

  28. Spoto, F.: The Julia static analyzer for Java. In: Proceedings of Static Analysis Symposium (SAS). Lecture Notes in Computer Science, vol. 9837, pp. 39–57, Edinburgh, UK (2016)

  29. Vallée-Rai, R., Gagnon, E., Hendren, L.J., Lam, P., Pominville, P., Sundaresan, V.: Optimizing Java bytecode using the Soot framework: is it feasible? In: Proceedings of Compiler Construction (CC), Berlin, Germany. Lecture Notes in Computer Science, vol. 1781, pp. 18–34 (2000)

  30. Wei, F., Roy, S., Ou, X., Robby: Amandroid: a precise and general inter-component data flow analysis framework for security vetting of Android apps. In: Proceedings of Computer and Communication Security (CCS), Scottsdale, AZ, USA, pp. 1329–1341 (2014)

Corresponding author: Agostino Cortesi.


Copyright information

© 2021 Springer Nature Singapore Pte Ltd.

About this chapter


Cite this chapter

Salvia, R., Cortesi, A., Ferrara, P., Spoto, F. (2021). Intents Analysis of Android Apps for Confidentiality Leakage Detection. In: Chaki, R., Cortesi, A., Saeed, K., Chaki, N. (eds) Advanced Computing and Systems for Security. Advances in Intelligent Systems and Computing, vol 1178. Springer, Singapore. https://doi.org/10.1007/978-981-15-5747-7_4
