SCAnDroid: Automated Side-Channel Analysis of Android APIs

Although the Android system has been continuously hardened against side-channel attacks, there are still plenty of APIs available that can be exploited. However, most side-channel analyses in the literature consider specifically chosen APIs (or resources) in the Android framework, after a manual analysis of APIs for possible information leaks has been performed. Such a manual analysis is a tedious, time consuming, and error-prone task, meaning that information leaks tend to be overlooked. To overcome this tedious task, we introduce SCANDROID, a framework that automatically profiles the Java-based Android API for possible information leaks. Events of interest, such as website launches, Google Maps queries, or application starts, are triggered automatically, and while these events are being triggered, the Java-based Android API is analyzed for possible information leaks that allow inferring these events later on. To assess the Android API for information leaks, SCANDROID relies on dynamic time warping. By applying SCANDROID on Android 8 (Android Oreo), we identified several Android APIs that allow inferring website launches, Google Maps queries, and application starts. The triggered events are by no means exhaustive but have been chosen to demonstrate the broad applicability of SCANDROID. Among the automatically identified information leaks are, for example, the java.io.File API, the android.os.storage.StorageManager API, and several methods within the android.net. Traffics tats API. Thereby, we identify the first side-channel leaks in the Android API on Android 8 (Android Oreo).