FlowDroid

Arzt, Steven; Rasthofer, Siegfried; Fritz, Christian; Bodden, Eric; Bartel, Alexandre; Klein, Jacques; Traon, Yves Le; Octeau, Damien; McDaniel, Patrick

doi:10.1145/2666356.2594299

Cited by 831 publications

(115 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Static analysis-based approaches determine whether apps are malicious or benign, and consider the possibility of leakage of private data by analyzing the package files of apps without running them [21][22][23][24][25][26][27][28][29][30][31][32][33][34][35][36].…”

Section: Static Analysismentioning

confidence: 99%

See 1 more Smart Citation

Protecting contacts against privacy leaks in smartphones

Cha

Pak

2018

PLoS ONE

View full text Add to dashboard Cite

Due to recent developments in technologies associated with the Internet of Things (IoT), a large number of people now regularly use smart devices, such as smartwatches and smartphones. However, these devices are prone to data leaks because of security vulnerabilities. In particular, Android devices use permission-based security, which allows users to directly approve permissions requested by an app when installing it. As a result, many malicious apps can obtain and leak private user data by requesting more permissions than are needed. However, it is difficult to identify malicious apps based solely on the requested permissions. A system is hence needed to accurately identify malicious apps and protect private data from them. In this paper, we propose a system for hiding data related to a user’s contacts or providing virtual data according to preconfigured policies when an Android app requests access to them. By hiding data related to the contacts, the proposed system can protect them from malicious apps. By using virtual data, it can even detect malicious apps that leak private data. The system requires less storage and provides faster access to user contacts than prevalent solutions to similar problems.

show abstract

Section: Static Analysismentioning

confidence: 99%

“…Yet another static approach based on a control flow graph (CFG) detects user privacy leaks through inter-component communication (ICC) [33][34][35]. A machine learning-based approach was recently proposed [36] that uses Extra-Trees, a machine learning algorithm to detect malicious apps regardless of code obfuscation.…”

Section: Static Analysismentioning

confidence: 99%

Protecting contacts against privacy leaks in smartphones

Cha

Pak

2018

PLoS ONE

View full text Add to dashboard Cite

show abstract

“…The majority of the calls use a specific string key to extract extra data from Intents whereas data type itself is encoded in the name of the methods. This research also attempted to use Flowdroid [10] for static analysis on more precise Intent structure, but it reported that the simple CFG-based analysis mentioned previously is enough for Intent fuzz testing in terms of scalability and precision [5]. A set of Intents was generated afterward with the statically analyzed Intent structure information, target components were executed with these fuzzed Intents, and both code coverage and crashes due to exceptions were monitored.…”

Section: Related Workmentioning

confidence: 99%

“…A mark * in the table tells this difference. Both IntentFuzzer [5] and ICCFuzzer [7] have used FlowDroid [10] for backend of their own static analyzer, for example, to collect keys and types of extra data of Intent statically. ICCFuzzer [7] went one step more to collect event handler information in Activity and Service components potentially to trigger deeper execution of target Android components, which a mark † points out.…”

Section: Comparison With Existing Intent Fuzzing Tools For Detecting mentioning

confidence: 99%

A Practical Intent Fuzzing Tool for Robustness of Inter-Component Communication in Android Apps

Choi¹,

Ko²,

Chang³

2018

KSII TIIS

View full text Add to dashboard Cite

This research aims at a new practical Intent fuzzing tool for detecting Intent vulnerabilities of Android apps causing the robustness problem. We proposed two new ideas. First, we designed an Intent specification language to describe the structure of Intent, which makes our Intent fuzz testing tool flexible. Second, we proposed an automatic tally method classifying unique failures. With the two ideas, we implemented an Intent fuzz testing tool called Hwacha, and evaluated it with 50 commercial Android apps. Our tool offers an arbitrary combination of automatic and manual Intent generators with executors such as ADB and JUnit due to the use of the Intent specification language. The automatic tally method excluded almost 80% of duplicate failures in our experiment, reducing efforts of testers very much in review of failures. The tool uncovered more than 400 unique failures including what is unknown so far. We also measured execution time for Intent fuzz testing, which has been rarely reported before. Our tool is practical because the whole procedure of fuzz testing is fully automatic and the tool is applicable to the large number of Android apps with no human intervention.

show abstract

“…Since static analysis is very efficient at tracking data flow within an application, most of the static analysis tools for Android applications are focused on performing some kind of data flow analysis for example privacy leaks [7]- [9].…”

Section: Related Workmentioning

confidence: 99%

Verification of Android Applications

Merwe

2015

2015 IEEE/ACM 37th IEEE International Conference on Software Engineering

View full text Add to dashboard Cite

This study investigates an alternative approach to analyze Android applications using model checking. We develop an extension to Java PathFinder (JPF) called JPF-Android to verify Android applications outside of the Android platform. JPF is a powerful Java model checker and analysis engine that is very effective at detecting corner-case and hard-to-find errors using its fine-grained analysis capabilities. JPF-Android provides a simplified model of the Android application framework on which an Android application can run and it can generate input events or parse an input script containing sequences of input events to drive the execution of the application. JPF-Android traverses all execution paths of the application by simulating these input events and can detect common property violations such as deadlocks and runtime exceptions in Android applications. It also introduces user defined execution specifications called Checklists to verify the flow of application execution.

show abstract

FlowDroid

Cited by 831 publications

References 24 publications

Protecting contacts against privacy leaks in smartphones

Protecting contacts against privacy leaks in smartphones

A Practical Intent Fuzzing Tool for Robustness of Inter-Component Communication in Android Apps

Verification of Android Applications

Contact Info

Product

Resources

About