Plug and Analyze: Usable Dynamic Taint Tracker for Android Apps

Abstract

Taint analyses, especially static taint analyses, are utilized to uncover hidden and suspicious behaviors in Android apps. However, current static taint analyzers use imprecise Android models, producing unreliable results and increasing the result verification cost. On the other hand, current dynamic taint trackers accurately detect execution paths. However, they depend on specific Android versions and modified devices, reducing their usability. Also, the users may not be able to analyze prepared datasets comprehensively. The results of the current analyses would be biased and less trustworthy. This paper presents a new dynamic taint analyzer called T-Recs that tracks information flows by recording the app execution at the app's bytecode level on an Android device and reconstructing the execution on a server independently of specific Android versions and devices. The users can instantly start analyzing apps with T-Recs after plugging an unmodified device into their computer. We implemented and evaluated T-Recs with 158 apps of DroidBench 3.0 in comparison with current taint analyzers: FlowDroid (w/ and w/o IC3), Amandroid, DroidSafe, and TaintDroid (w/ and w/o IntelliDroid), and only T-Recs achieved 100% accuracy. The result of privacy leak detection in 96 popular Google Play apps shows that T-Recs detected 43 true positives, the highest among compared tools. Also, T-Recs analyzed 39,480 apps from Google Play and Anzhi, showing that T-Recs can be applied to apps that vary in supported SDK versions. Further, the result of ID leak detection in 158 popular apps from Google Play in 2021 shows that T-Recs can detect leaks in recently-developed apps. T-Recs is one of the promising tools for future app analysis.