Abstract
A static analysis is presented, based on the theory of abstract interpretation, for verifying privacy policy compliance by mobile applications. This includes instances where, for example, the application releases the user’s location or device ID without authorization. It properly extends previous work on datacentric semantics for verification of privacy policy compliance by mobile applications by (i) tracking implicit information flow, and (ii) performing a quantitative analysis of information leakage. This yields a novel combination of qualitative and quantitative analyses of information flows in mobile applications.
© 2015 IFIP International Federation for Information Processing
About this paper
Cite this paper
Barbon, G., Cortesi, A., Ferrara, P., Pistoia, M., Tripp, O. (2015). Privacy Analysis of Android Apps: Implicit Flows and Quantitative Analysis. In: Saeed, K., Homenda, W. (eds) Computer Information Systems and Industrial Management. CISIM 2015. Lecture Notes in Computer Science, vol 9339. Springer, Cham. https://doi.org/10.1007/978-3-319-24369-6_1
DOI: https://doi.org/10.1007/978-3-319-24369-6_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-24368-9
Online ISBN: 978-3-319-24369-6
eBook Packages: Computer Science (R0)