Detecting information leaks in Android applications using a hybrid approach with program slicing, instrumentation and tagging

Luis Menezes, Roland Wismüller
Published in: 2017 International Carnahan Conference on Security Technology (ICCST)
Publication date: 2017-10-01
DOI: 10.1109/CCST.2017.8167856 (https://doi.org/10.1109/CCST.2017.8167856)
Citations: 2

Abstract

With the increasing amount of private information stored on mobile devices, the need for more secure ways to detect, control and avoid malicious behaviour has grown. The coarse-grained permission system implemented in the Android platform does not cover problems such as preventing an application from sending previously acquired information over SMS or the Internet to another device or server. This problem arises because the Android permission system works only at the level of access control and does not govern how the application handles the information once it has been acquired. To improve detection and awareness of such unwanted information flows, we propose a hybrid information-flow analysis, called FlowSlicer, that combines the benefits of static and dynamic analysis: it slices a system dependency graph and instruments the statements found to be relevant. To evaluate the approach properly, tests of both overhead and leak detection rate were performed on the applications in the AndroidSpecific category of the DroidBench repository, since FlowSlicer is intended mainly for applications designed for the Android platform. The results show that FlowSlicer is effective in detecting leaks, detects all leaks present in the evaluated applications, and adds only an imperceptible overhead to the instrumented application. The results also show how static and dynamic analysis work together and compensate for each other's weaknesses: static analysis helps dynamic analysis by reducing the set of statements to be analysed, and dynamic analysis helps to refute false positives reported by static analysis.
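As an added illustration of the hybrid scheme the abstract describes (this is not the paper's or FlowSlicer's code): a constructed mini program is sliced backward from an SMS sink over its dependency graph, only the sliced statements are instrumented with taint tags, and the instrumented run then confirms or refutes the static report. The statement format, the `build_*` helpers and the IMEI source / SMS sink pairing are all assumptions made for this example.

```python
def build_program(flag_value):
    # Constructed sample: the IMEI can reach sendSms() only when `flag` is true.
    return [
        {"id": 0, "op": "source", "def": "imei", "tag": "IMEI"},            # getDeviceId()
        {"id": 1, "op": "const", "def": "flag", "val": flag_value},
        {"id": 2, "op": "const", "def": "msg", "val": "hello"},
        {"id": 3, "op": "branch", "use": ["flag"]},                         # if flag:
        {"id": 4, "op": "copy", "def": "msg", "use": ["imei"], "ctrl": 3},  #     msg = imei
        {"id": 5, "op": "sink", "use": ["msg"]},                            # sendSms(msg)
        {"id": 6, "op": "const", "def": "log", "val": "x"},                 # unrelated to sink
    ]

def build_deps(program):
    # Data edge to every earlier def of a used variable (no kills: over-approximate) plus a control edge to the guarding branch.
    deps = {s["id"]: set() for s in program}
    for i, s in enumerate(program):
        for var in s.get("use", []):
            deps[s["id"]].update(p["id"] for p in program[:i] if p.get("def") == var)
        if "ctrl" in s:
            deps[s["id"]].add(s["ctrl"])
    return deps

def backward_slice(deps, sink_id):
    # Static step: all statements the sink transitively depends on; a source in the slice is the static leak report.
    todo, sliced = [sink_id], set()
    while todo:
        n = todo.pop()
        if n not in sliced:
            sliced.add(n)
            todo.extend(deps[n])
    return sliced

def run_instrumented(program, sliced):
    # Dynamic step: only sliced statements propagate tags; returns tags that actually reach the sink (empty = false positive).
    vals, tags, taken, observed = {}, {}, {}, set()
    for s in program:
        if "ctrl" in s and not taken.get(s["ctrl"]):
            continue                                   # guarded statement never ran
        on = s["id"] in sliced
        if s["op"] == "source":
            vals[s["def"]], tags[s["def"]] = "<constructed-imei>", ({s["tag"]} if on else set())
        elif s["op"] == "const":
            vals[s["def"]], tags[s["def"]] = s["val"], set()
        elif s["op"] == "copy":
            vals[s["def"]], tags[s["def"]] = vals[s["use"][0]], (set(tags[s["use"][0]]) if on else set())
        elif s["op"] == "branch":
            taken[s["id"]] = bool(vals[s["use"][0]])
        elif s["op"] == "sink" and on:
            observed |= tags.get(s["use"][0], set())
    return observed
```

With `flag` false the slice still contains the source (the static report), but no tag reaches the sink at runtime, so the dynamic step refutes it; with `flag` true the same instrumentation observes the IMEI tag at the sink, and statement 6 is never instrumented because slicing excluded it.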