IIFA: Modular Inter-app Intent Information Flow Analysis of Android Applications

by   Abhishek Tiwari, et al.

Android apps cooperate through message passing via intents. However, when apps do not have identical sets of privileges inter-app communication (IAC) can accidentally or maliciously be misused, e.g., to leak sensitive information contrary to users expectations. Recent research considered static program analysis to detect dangerous data leaks due to inter-component communication (ICC) or IAC, but suffers from shortcomings with respect to precision, soundness, and scalability. To solve these issues we propose a novel approach for static ICC/IAC analysis. We perform a fixed-point iteration of ICC/IAC summary information to precisely resolve intent communication with more than two apps involved. We integrate these results with information flows generated by a baseline (i.e. not considering intents) information flow analysis, and resolve if sensitive data is flowing (transitively) through components/apps in order to be ultimately leaked. Our main contribution is the first fully automatic sound and precise ICC/IAC information flow analysis that is scalable for realistic apps due to modularity, avoiding combinatorial explosion: Our approach determines communicating apps using short summaries rather than inlining intent calls, which often requires simultaneously analyzing all tuples of apps. We evaluated our tool IIFA in terms of scalability, precision, and recall. Using benchmarks we establish that precision and recall of our algorithm are considerably better than prominent state-of-the-art analyses for IAC. But foremost, applied to the 90 most popular applications from the Google Playstore, IIFA demonstrated its scalability to a large corpus of real-world apps. IIFA reports 62 problematic ICC-/IAC-related information flows via two or more apps/components.


page 1

page 2

page 3

page 4


μDep: Mutation-based Dependency Generation for Precise Taint Analysis on Android Native Code

The existence of native code in Android apps plays an essential role in ...

When Program Analysis Meets Bytecode Search: Targeted and Efficient Inter-procedural Analysis of Modern Android Apps in BackDroid

Widely-used Android static program analysis tools, e.g., Amandroid and F...

liOS: Lifting iOS apps for fun and profit

Although iOS is the second most popular mobile operating system and is o...

AnFlo: Detecting Anomalous Sensitive Information Flows in Android Apps

Smartphone apps usually have access to sensitive user data such as conta...

An Automated Approach for Privacy Leakage Identification in IoT Apps

This paper presents a fully automated static analysis approach and a too...

SIAT: A Systematic Inter-Component Communication Analysis Technology for Detecting Threats on Android

In this paper, we present the design and implementation of a Systematic ...

Towards Practical Evaluation of Android ICC Resolution Techniques

Inter-component communication (ICC) is a key mechanism in mobile apps, w...

Please sign up or login with your details

Forgot password? Click here to reset