Hey, You, Get Off of My Image: Detecting Data Residue in Android Images

  • Xiao ZhangEmail author
  • Yousra Aafer
  • Kailiang Ying
  • Wenliang Du
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9878)


Android’s data cleanup mechanism has been called into question with the recently discovered data residue vulnerability. However, the existing study only focuses on one particular Android version and demands heavy human involvement. In this project, we aim to fill the gap by providing a comprehensive understanding of the data residue situation across the entire Android ecosystem. To this end, we propose ANRED(ANRED is a former French public institution for the recovery and disposal of waste.), an ANdroid REsidue Detector that performs static analysis on Android framework bytecode and automatically quantifies the risk for each identified data residue instance within collected system services. The design of ANRED has overcome several challenges imposed by the special characteristic of Android framework and data residue vulnerability. We have implemented ANRED in WALA and further evaluated it against 606 Android images. The analysis results have demonstrated the effectiveness, efficiency and reliability of ANRED. In particular, we have confirmed the effect of vendor customization and version upgrade on data residue vulnerability. We have also identified five new data residue instances that have been overlooked in the previous study, leading to data leakage and privilege escalation attacks.


Entry Point System Service Call Graph Code Coverage Break Link 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



We greatly appreciate the insightful comments and constructive feedback from the anonymous reviewers. This project was supported in part by the NSF grant 1318814. Any opinions, findings and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation.


  1. 1.
    Android Revolution.
  2. 2.
    ANRED: Android Residue Detection Framework.
  3. 3.
    Apktool: A tool for reverse engineering Android apk files.
  4. 4.
    Cyanogenmod Downloads.
  5. 5.
    Cyclomatic complexity.
  6. 6.
  7. 7.
    dextra - A tool for DEX and OAT dumping, decompilation, and fuzzing.
  8. 8.
  9. 9.
    Factory Images for Nexus Devices.
  10. 10.
    Huawei ROMs.
  11. 11.
    Java: Computing Cyclomatic Complexity.
  12. 12.
    Java Varargs.
  13. 13.
    Lollipop deodexing.
  14. 14.
    Official Oxygen OS ROMs and OTA updates.
  15. 15.
    smali and baksmali.
  16. 16.
  17. 17.
    Arzt, S., Rasthofer, S., Fritz, C., Bodden, E., Bartel, A., Klein, J., Le Traon, Y., Octeau, D., McDaniel, P.: Flowdroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. In: Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2014, New York, NY, USA (2014)Google Scholar
  18. 18.
    Bacon, D.F.: Fast and effective optimization of statically typed object-oriented. Technical report, Berkeley, CA, USA (1998)Google Scholar
  19. 19.
    Bacon, D.F., Sweeney, P.F.: Fast static analysis of c++ virtual function calls. In: Proceedings of the 11th ACM SIGPLAN Conference on Object-oriented Programming, Systems, Languages, and Applications, OOPSLA 1996, pp. 324–341. ACM, New York, NY, USA (1996)Google Scholar
  20. 20.
    Bugiel, S., Davi, L., Dmitrienko, A., Fischer, T., Sadeghi, A.-R.: Xmandroid: A new android evolution to mitigate privilege escalation attacks. Technical report, Technische Universität Darmstadt, Technical Report TR-2011-04 (2011)Google Scholar
  21. 21.
    Bugiel, S., Davi, L., Dmitrienko, A., Fischer, T., Sadeghi, A.-R., Shastry, B.: Towards taming privilege-escalation attacks on android. NDSS (2012)Google Scholar
  22. 22.
    Cao, Y., Fratantonio, Y., Bianchi, A., Egele, M., Kruegel, C., Vigna, G., Chen, Y.: EdgeMiner: automatically detecting implicit control flow transitions through the android framework. In: Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS) (2015)Google Scholar
  23. 23.
    Chin, E., Felt, A.P., Greenwood, K., Wagner, D.: Analyzing inter-application communication in android. In: Proceedings of the 9th International Conference on Mobile Systems, Applications, and Services, MobiSys 2011. ACM, New York, NY, USA (2011)Google Scholar
  24. 24.
    Dietz, M., Shekhar, S., Pisetsky, Y., Shu, A., Wallach, D.S.: Quire: lightweight provenance for smart phone operating systems. In: 20th USENIX Security Symposium, San Francisco, CA, August 2011Google Scholar
  25. 25.
    Egele, M., Brumley, D., Fratantonio, Y., Kruegel, C.: An empirical study of cryptographic misuse in android applications. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications security. ACM (2013)Google Scholar
  26. 26.
    Enck, W., Gilbert, P., Chun, B.-G., Cox, L.P., Jung, J., McDaniel, P., Sheth, A.N.: Taintdroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In: Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation, OSDI 2010, pp. 1–6. USENIX Association, Berkeley, CA, USA (2010)Google Scholar
  27. 27.
    Fahl, S., Harbach, M., Oltrogge, M., Muders, T., Smith, M.: Hey, you, get off of my clipboard. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 144–161. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  28. 28.
    Felt, A.P., Wang, H.J., Moshchuk, A., Hanna, S., Chin, E.: Permission re-delegation: Attacks and defenses. In: Proceedings of the 20th USENIX Security Symposium, pp. 22–37 (2011)Google Scholar
  29. 29.
    Fragkaki, E., Bauer, L., Jia, L., Swasey, D.: Modeling and enhancing androids permission system. In: 17th European Symposium on Research in Computer Security (2012)Google Scholar
  30. 30.
    Gordon, M.I., Kim, D., Perkins, J.H., Gilham, L., Nguyen, N., Rinard, M.C.: Information-flow analysis of android applications in droidsafe. In: NDSS (2015)Google Scholar
  31. 31.
    Grace, M., Zhou, Y., Wang, Z., Jiang, X.: Systematic detection of capability leaks in stock Android smartphones. In: Proceedings of the 19th Network and Distributed System Security Symposium (NDSS), February 2012Google Scholar
  32. 32.
    Grove, D., DeFouw, G., Dean, J., Chambers, C.: Call graph construction in object-oriented languages. In: Proceedings of the 12th ACM SIGPLAN Conference on Object-oriented Programming, Systems, Languages, and Applications, OOPSLA 1997, pp. 108–124. ACM, New York, NY, USA, (1997)Google Scholar
  33. 33.
    Lu, L., Li, Z., Wu, Z., Lee, W., Jiang, G.: Chex: statically vetting android apps for component hijacking vulnerabilities. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS 2012, pp. 229–240. ACM, New York, NY, USA (2012)Google Scholar
  34. 34.
    Luo, T., Hao, H., Du, W., Wang, Y., Yin, H.: Attacks on webview in the android system. In: ACSAC (2011)Google Scholar
  35. 35.
    Octeau, D., McDaniel, P., Jha, S., Bartel, A., Bodden, E., Klein, J., Le Traon, Y.: Effective inter-component communication mapping in android with epicc: an essential step towards holistic security analysis. In: Proceedings of the 22nd USENIX Conference on Security, SEC 2013, pp. 543–558. USENIX Association, Berkeley, CA, USA (2013)Google Scholar
  36. 36.
    Shivers, O.G.: Control-flow Analysis of Higher-order Languages of Taming Lambda. Ph.D. thesis, Pittsburgh, PA, USA (1991). UMI Order No. GAX91-26964Google Scholar
  37. 37.
    Xing, L., Pan, X., Wang, R., Yuan, K., Wang, X.: Upgrading your android, elevating my malware: privilege escalation through mobile os updating. In: Proceedings of the 2014 IEEE Symposium on Security and Privacy, SP 2014, pp. 393–408. IEEE Computer Society, Washington, DC, USA (2014)Google Scholar
  38. 38.
    Yan, L.K., Yin, H.: Droidscope: seamlessly reconstructing the os and dalvik semantic views for dynamic android malware analysis. In: Proceedings of the 21st USENIX Conference on Security Symposium, Security 2012, p. 29. USENIX Association, Berkeley, CA, USA (2012)Google Scholar
  39. 39.
    Zhang, X., Du, W.: Attacks on android clipboard. In: Dietrich, S. (ed.) DIMVA 2014. LNCS, vol. 8550, pp. 72–91. Springer, Heidelberg (2014)Google Scholar
  40. 40.
    Zhang, X., Ying, K., Aafer, Y., Qiu, Z., Du, W.: Life after app. uninstallation: are the data still alive? data residue attacks on android. In: Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS) (2016)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Xiao Zhang
    • 1
    Email author
  • Yousra Aafer
    • 1
  • Kailiang Ying
    • 1
  • Wenliang Du
    • 1
  1. 1.Department of Electrical Engineering and Computer ScienceSyracuse UniversitySyracuseUSA

Personalised recommendations