Title: Variational Study of the Impact of Call Graphs on Precision of Android Taint Analysis
Authors: Prakash Neupane, Manas Thakur
Venue: Proceedings of the 16th Innovations in Software Engineering Conference
Publication date: 2023-02-23
DOI: 10.1145/3578527.3578545 (https://doi.org/10.1145/3578527.3578545)
Citation count: 0
Abstract
With the growing advent and usage of Android applications, security of sensitive user information remains to be of paramount concern. A popular way to identify security leaks in Android applications is by performing taint analysis that tries to enlist possible paths in the program through which sources of critical information may get connected to potential sinks that may propagate leaks. Notably, the precision of such “taint information” is heavily dependent on the elements that are responsible for constructing an interprocedural path in a program – primarily, the call graph. This paper is a step towards a larger study to identify the common patterns through which information gets tainted in Android applications, aiming to suggest points in the program analysis space that could lead to their detection in a precise yet efficient manner. To begin with, we invoke FlowDroid (a popular taint-analysis tool) to analyze Android apps from a variety of domains, and measure the impact of varying the underlying call graph on the computed taint information. We observe that taint information depends significantly on the used call graph, and that certain spurious leaks can be mapped to particular causes of removable imprecision. We further classify the identified leaks into various kinds, and hope to extend this study to identify exact parts of the program that popularly leak out particular kinds of information. Our final goal is to help security analysts select the right interprocedural analysis toolset for identifying bugs in Android apps, as well as to frame app-design guidelines for helping developers first-hand avoid common sources of information leaks from their future artifacts.