DAPA: Degradation-Aware Privacy Analysis of Android Apps

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 9871)

Abstract

When installing or executing an app on a smartphone, we grant it access to part of our (possibly confidential) data stored in the device. Traditional information-flow analyses aim to detect whether such information is leaked by the app to the external (untrusted) environment. The static analyser we present in this paper goes one step further. Its aim is to trace not only if information is possibly leaked (as this is almost always the case), but also how relevant such a leakage might become, as an under- and over-approximation of the actual degree of values degradation. The analysis captures both explicit dependences and implicit dependences, in an integrated approach. The analyser is built within the Abstract Interpretation framework on top of our previous work on datacentric semantics for verification of privacy policy compliance by mobile applications. Results of the experimental analysis on significant samples of the DroidBench library are also discussed.

Correspondence to Agostino Cortesi.

Copyright information

© 2016 Springer International Publishing AG

About this paper

Cite this paper

Barbon, G., Cortesi, A., Ferrara, P., Steffinlongo, E. (2016). DAPA: Degradation-Aware Privacy Analysis of Android Apps. In: Barthe, G., Markatos, E., Samarati, P. (eds) Security and Trust Management. STM 2016. Lecture Notes in Computer Science, vol 9871. Springer, Cham. https://doi.org/10.1007/978-3-319-46598-2_3

  • DOI: https://doi.org/10.1007/978-3-319-46598-2_3

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-46597-5

  • Online ISBN: 978-3-319-46598-2

  • eBook Packages: Computer Science (R0)
