I know what leaked in your pocket: uncovering privacy leaks on Android Apps with Static Taint Analysis Li Li, AlexandreBartel, Steven Arzt,Siegfried Rasthofer, Damien Octeau,Patrick McDaniel Jacques Klein, YvesLeTraon and Eric Bodden Departmentof Computer Scienceand SnT EC SPRIDE Engineering Universityof Luxembourg TechnischeUniversit¨at Darmstadt PennsylvaniaStateUniversity fi[email protected] fi[email protected] {octeau,mcdaniel}@cse.psu.edu 4 1 ABSTRACT side the application or device, called sinks. A path may 0 be within a single component or cross multiple components Android applications may leak privacy data carelessly or 2 and/or applications. maliciously. Inthisworkweperforminter-componentdata- State-of-the-artapproachesusingstaticanalysistodetect r flow analysis to detect privacy leaks between components p privacy leaks on Android apps mainly focus on detecting of Android applications. Unlike all current approaches, our A intra-componentsensitivedataleaks. CHEX[18],forexam- tool,calledIccTA,propagatesthecontextbetweenthecom- ple, uses static analysis to detect component hijacking vul- ponents,whichimprovestheprecisionoftheanalysis. IccTA 9 nerabilitiesbytrackingtaintsbetweensensitivesourcesand outperformsallotheravailabletoolsbyreachingaprecision 2 sinks. DroidChecker [9] uses inter-procedural Control-Flow of 95.0% and a recall of 82.6% on DroidBench. Our ap- proach detects 147 inter-component based privacy leaks in Graph (CFG) searching and static taint checking to detect ] exploitable data paths in an Android application. Flow- E 14applicationsin aset of3000real-world applicationswith Droid [4] also performs taint analysis within single com- S a precision of 88.4%. With the help of ApkCombiner, our ponents of Android applications but with a better preci- . approach is able todetect inter-app based privacy leaks. s sion. In this paper, we not only focus on intra-component c leaks, but we also consider Inter-Component Communica- [ 1. INTRODUCTION tion (ICC) based privacy leaks, including Inter-Application 1 WiththegrowingpopularityofAndroid,thousandsofap- Communication (IAC) leaks. v plications(alsocalledapps)emergeeverydayontheofficial Other approaches use dynamic tracking to find privacy 1 Android market (Google Play) as well as on some alterna- leaks. Forinstance,TaintDroid[12]leveragesAndroid’svir- 3 tive markets. As of May 2013, 48 billion apps have been tualizedexecutionenvironmenttomonitorAndroidappsat 4 installed from the Google Play store, and as of September runtimein which it tracks howapplication leaks privatein- 7 3, 2013, 1 billion Android devices have been activated [1]. formation. CopperDroid [20] dynamically observes interac- . Researchers have shown that Android apps frequently send tions between the Android components and the underlying 4 theuser’sprivatedataoutsidethedevicewithouttheuser’s Linux system to reconstruct higher-levelbehavior. 0 4 prior consent [29]. Those applications are said to leak pri- A dynamic approach must send input data to the app 1 vate data. Android applications are made of different com- at runtime to trigger code execution. The input data may : ponents; most of the privacy leaks are simple and operate be incomplete and thus not execute all parts of the code. v within asingle component. Morerecently,cross-component Furthermore, some code may only be executed if precise Xi and also cross-app privacy leaks have been reported [26]. conditionsaremetatruntimesuchasadata. Inthispaper, Analyzing components separately is not enough to detect we focus on static analysis to avoid these drawbacks. The ar such leaks. Therefore, it is necessary to perform an inter- counterpart of static analysis is that it may yield an over- component analysis of applications. Android app analysts approximation since it analyzes all code even the one that could leverage such a tool to identify malicious apps that could neverbe executed. leak private data. For the tool to be useful, it has to be StatictaintanalysisforAndroidisdifficult. Despite highly preciseand minimizethefalse positiveratewhen re- the fact that Android applications are mainly programmed porting applications leaking privatedata. in Java, off-the-shelf static taint analysis tools for Java do Privacyleaks. Inthispaper,weuseastatictaintanaly- not work on Android applications. The tools need to be sis techniquetofindprivacyleaks, i.e., pathsfrom sensitive adaptedmainlyforthreereasons. Thefirstreasonisthat,as data, called sources, to statements sending the data out- already mentioned, Android applications are made of com- ponents. Communicationsbetween componentsinvolvetwo mainartifacts: Intent Filter andIntent. AnIntent Filter is attachedtoacomponentand“filters”Intents thatcanreach thecomponent. AnIntent isusedtostartanewcomponent by first dynamically creating an Intent instance, and then bycallingaspecificmethod(e.g. startActivity,startService) withtheintent previouslycreatedasparameter. Theintent isusedeitherexplicitlybyspecifyingthenewcomponentto call,orimplicitlybyforinstanceonlyspecifyingtheaction1 Table 1: The top 8 used ICC methods† toperform. Thelaunchofacomponentisperformedbythe ICC Method Counts(#.) Used Apps(#.) Android system which“resolves”the matching between In- startActivity 55802 (61.44%) 2765 (92.2%) startActivityForResult 11095 (12.21%) 1980 (66.0%) tent and Intent Filter at runtime. This dynamic resolution query 6606 (7.27%) 1601 (53.4%) done by the Android system induces a discontinuity in the startService 3942 (4.34%) 1077 (35.9%) control-flowofAndroidapplications. Thisspecificitymakes sendBroadcast 3472 (3.82%) 790 (26.3%) static taint analysis challenging by requiring pre-processing insert 2100 (2.31%) 615 (20.5%) of thecode toresolve links between components. bindService 1515 (1.67%) 644 (21.5%) The second reason is related to the user-centric nature delete 1238 (1.36%) 350 (11.7%) of Android applications, in which a user can interact a lot OtherICC Methods 5058 (5.57%) - through the touch screen. The management of user inputs Total 90828 (100%) - is mainly done by handling specific callback methods such † Methods with higher counts are selected when overload as the onClick method which is called when the user clicks methodsexist on a button. Static analysis requires a precise model that stimulates users’ behavior. fectiveness and accuracy of taint analysis tools specifically The third and last reason is related to the lifecycle man- for Android apps. The 26 apps cover the top 8 used ICC agement of the components. There is no main method as methodsillustrated in Table 1. in a traditional java program. Instead, the Android system Contributions. Tosummarize, wepresentthefollowing switchesbetweenstatesofacomponent’slifecyclebycalling original contributionsin thispaper: callback methods such as onStart, onResume or onCreate. However,theselifecyclemethodsarenotdirectlyconnected • A novel methodology to resolve the ICC problem by inthecode. ModelingtheAndroidsystemallowstoconnect directlyconnectingthediscontinuitiesofAndroidapps callback methods totherest of thecode. at thecodelevel. Our Proposal. The above challenges will unavoidably • IccTA,a tool for inter-componentdata-flow analysis. cause some discontinuities in the control-flow graph. To overcome theseissues, we present an Inter-componentcom- • AnimprovedversionofDroidBenchwith26newapps municationTaintAnalysistoolnamedIccTA2.IccTAallows to evaluatetools detectingICC based privacyleaks. a sound and precise detection of ICC and IAC links. This approachisgenericandcanbeusedforanydata-flowanaly- • An empirical study to evaluate IccTA over an aug- sis. InthispaperwefocusonusingIccTAtodetectprivacy mentedversionoftheDroidBenchtestsuite(available leaks. online3) and 3000 real-world Androidapplications. IccTA is based on three software artifacts: Epicc-IccTA, FlowDroid-IccTA and ApkCombiner. 2. BACKGROUND Epicc-IccTAextendsEpicc[19]whichcomputesICClinks between Androidcomponents. Epicc-IccTAleverages Epicc 2.1 Android ICC Methods toincrementallystorethecomputedICClinkstoadatabase AnAndroidapplicationismadeofbasicunits,calledcom- for conveniently analyzing a large set of apps. FlowDroid- ponents, described in a special file, called Manifest, stored IccTAextendsFlowDroid [4]. FlowDroid onlyfindsprivacy in the application. There are four types of components: a) leaks within single componentsof Android applications but Activitiesthat representtheuserinterface and arethevisi- not between components. ble part of Android applications; b) Services which execute FlowDroid-IccTA uses ICC links computed by Epicc to tasks in background; c) Broadcast Receivers that receive improve FlowDroid. Based on these computed links, Flow- messages from other components or the system, such as in- Droid-IccTAmodifiesAndroidapplications’codetodirectly coming calls or text messages; and d) Content Providers connect components to enable data-flow analysis between whichactasthestandardinterfacetosharestructureddata components. By doing this, we build a complete control- between applications. flow graph of the whole Android application. This allows Some specific Android system methods are used to trig- propagating the context between Android components and ger inter-component communication. We call them Inter- yielding a highly precise data-flow analysis. To the best Component Communication (ICC) methods. Those meth- of our knowledge, this is the first approach that precisely ods take as parameter a special kind of object, called In- connects componentsfor data-flow analysis. tent, which specifies the target component(s). We perform Finally, ApkCombiner helps analyzing multiple Android a short study to compute the usage rate of ICC methods. applicationsbycombiningmultipleappsintoonewhenthere We analyzed 3000 Android applications randomly selected existdataflowsbetweentheseapps. Thisresultsinhavinga from Google Play and other third party markets. Table 1 complete control-flow graph of the combined apps. This al- shows the top 8 most used ICC methods. The third col- lowstopropagatethecontextnotonlybetweencomponents umn represents the number of apps using at least once the of a single app but also between components of different corresponding ICC method. The most used ICC method is startActivity, used to launch a new Activity component, which accounts for59.2%ofthetotaldetectedICCmethods. All ICC methods take at least one Intent in their parameters to specify the target component(s). There are two InotherwordsitfindslinksfromICCmeth- Application 3 odstotheirtargetcomponents. Epiccreducesthediscovery ofICCinAndroidtoaninstanceoftheInterproceduralDis- Activity3 Activity5 tributiveEnvironment(IDE)problem[23]. Itusesdataflow IF: Action IF: Action analysistocomputeIntent valuesateveryICCmethodcall b c statements. Experiments show that Epicc identifies 93% of all ICC links and finds ICC vulnerabilities with far fewer Explicit ICC Implicit ICC false positives than thenext best tool. to Activity2 for actionb 3. MOTIVATINGEXAMPLE Figure 1: Explicit and Implicit ICC between Components of AndroidApplications. This section motivates our approach and illustrates the problemwesolvethroughaconcreteexample. Thisexample isdetailedinListing1,whichpresentscodeof Application 1introducedinFigure1. TheapphasthreeActivitycompo- ways tospecify ICC method’starget components. Thefirst nents represented by Activity1, Activity2 and Activity3 one is by explicitly specifying them by setting the name of classes. It also features ButtonOnClickListener a listener the target components through an Intent. The second one class used to handle button click events. Activity1 regis- is by implicitly specifying them by setting the action, cate- ters a button listener for the to2 button (lines 6-11) and gory anddata fieldsofanIntent. Inordertoreceiveimplicit Activity2 registers one for the to3 button(line 15). Intents, target components need to specify an Intent Filter in their application’s manifest file. Note that Intents can 1 //TelephonyManager telMnger; (default) transfer databetween components. 2 //SmsManager sms; (default) Again, we performed a short study on the 3000 apps to 3 class Activity1 extends Activity { compute the ratio between explicit and implicit Intents for 4 void onCreate(Bundle state) { 5 Button to2 = (Button) findViewById(to2a); the startActivity ICC method. Among the 55,802 star- 6 to2.setOnClickListener(new OnClickListener(){ tActivitymethodcalls,27978useexplicitintentsand27824 7 String id = telMnger.getDeviceId(); use implicit Intents. 8 Intent i = new Figure 1 represents three Android apps made of Activity Intent(Activity1.this,Activity2.class); 9 i.putExtra("sensitive", id); components. There is an explicit ICC from Activity1 to 10 Activity1.this.startActivity(i); Activity2 in Application 1. There are two implicit ICCs 11 });}} from Activity2 to Activity3 in Application 1 and from 12 class Activity2 extends Activity { 13 void onCreate(Bundle state) { Activity2 to Activity4 between Application 1 and Ap- 14 Button to3 = (Button) findViewById(to3a); plication 2. Note that the target components of implicit 15 to3.setOnClickListener(new ICC, Activity3 and Activity4, have an Intent Filter with ButtonOnClickListener(this)); 16 Intent i = getIntent(); the same action and category value as the Intent used in 17 String s = i.getStringExtra("sensitive"); Activity2. Each timethereis an ICC,theremay bea flow 18 sms.sendTextMessage(number,null,s,null,null); ofdatabetweencomponentsandpotentiallyaprivacyleak. 19 } 20 void onActivityResult(int,int,Intent){ 21 //log all the Extras of Intent 2.2 FlowDroid 22 }} 23 class Activity3 extends Activity { FlowDroid [4] is a context-, flow-, field-, object-sensitive 24 void onCreate(Bundle state) { andlifecycle-awarestatictaintanalysistoolforAndroidap- 25 Intent i = getIntent(); plications. FlowDroid is based on Soot [16] and Heros [8]. 26 String s = i.getStringExtra("sensitive"); 27 sms.sendTextMessage(number,null,s,null,null); Thecontext-,flow-,field-,object-sensitivesofFlowDroidare 28 }} guaranteed by the precise call-graph of Soot and the IFD- 29 class ButtonOnClickListener extends S/IDE [21, 23] based data-flow analysis of Heros. A special OnClickListener{ 30 //Activity act; (construct) mainmethod,whichconsidersallcombinationsoflifecycles, 31 void onClick(View view) { callbacks and entrypointsof Androidcomponentsis gener- 32 String id = telMnger.getDeviceId(); atedtomodeldataflowswithintheapplication. Thesources 33 Intent i = new Intent(); 34 i.setAction("test.ACTION"); //Action b and sinks used by FlowDroid are provided by SuSi [3], also 35 i.putExtra("sensitive", id); anopensourcedtoolusedtofullyautomaticallyclassifyand 36 act.startActivityForResult(i, 1); categorize Android sources and sinks. FlowDroid achieves 37 }} 93% recall and 86% precision when detecting data leaks on Listing 1: A Motivating Example Code DroidBench. FlowDroid has been mainly used on single component. However, with slight modifications, FlowDroid Whenbuttonto2 andto3 areclicked,theonClickmethod could also be used when multiple components are involved, is executedand theuser interface will change to Activity2 i.e.,forICCanalyses. Indeed,it’spossibletouseFlowDroid and to Activity3, respectively. In both cases, an Intent to compute paths for all individual components and then containingthedeviceID(lines7and32),consideredassen- combines all those paths together, whatever there is a real sitivedata,is sentbetween twocomponentsbyfirstattach- Stmt Sequence Epicc-IccTA FlowDroid-IccTA Source Sink ... Heros s0 s1 s2 s3 s4 s11 s12 Soot / Dexpler Tainted Path ApkCombiner Figure2: RepresentationofStatements,Source,Sink,State- ment Sequenceand Tainted Path. Figure 3: The architectureof IccTA ing the data to the intent with the putExtra method (lines ICC Method. An ICC method is used to trigger commu- 9, and 35) and then by invoking either startActivity or nication between two components. For example, method startActivityForResult (lines10and36). NotethatList- startActivity (line 10) is an ICC method which triggers ing1exemplifiesboththeuseofexplicitandimplicitintents. component communication from Activity1 to Activity2. At line 8, the intent is created by explicitly specifying the Tainted Stmt. A tainted statement contains at least one target class (Activity2). At line 34, only the intent action taintedpieceofdata. Forexample,i.putExtra("sensitive is specified with no explicit reference to thetarget. ",id)(line9)isastatementcontainingthetainteddataid. In this example, sendTextMessage is directly executed TaintedStmtSequence. Ataintedstmtsequenceisaflow- when Activity2 or Activity3 is loaded since onCreate is sensitive sequence of tainted stmt. For instance statements the first method in the lifecycle of an Activity. It sends at line 9 and 10 form a tainted statement sequence. the data retrieved from the Intent as a SMS to the speci- Tainted Path. A tainted path is a tainted stmt sequence fied phonenumber. where 1) More than one stmt exist in the tainted path; 2) In this code, two privacy leaks occur: one when button The first stmt contains a source method; 3) The last stmt to2 is clicked, the other when button to3 is clicked. When contains a sink method. Tainted Stmt, Tainted Stmt Se- to2 is clicked, the device ID is transferred from Activity1 quenceand Tainted Path are illustrated in Figure 2. to Activity2 (line10) and then Activity2 sendsit outside There are three types of tainted stmt paths in Android: theapplication (line18). Intra-Component Communication, Inter-Component Com- When to3 is clicked, the device ID is transferred (line munication (ICC) and Inter-Application Communication 36) from Activity2 to Activity35. Actually, the device (IAC) based tainted paths. ID(thesource)isretrievedinclassButtonOnClickListener Intra-Component Tainted Path. An intra-component instantiated by Activity2. Finally, Activity3 sends the taintedpathisataintedpathonlyhappeningwithinacom- device IDoutside theapplication (line 27). ponent. In our motivating example, there is no intra-com- Thesensitivedataleaksdescribedabovecrossestwocom- ponent tainted path. But if the startActivity call was ponents: they cannot directly be detected since there is no replaced with a call to sendTextMessage which sends the real code connection between startActivity and onCre- device id out of the application, there would be an intra- ate (lines 10 and 13) or between startActivityForResult component tainted path (line 7-10). and onCreate (lines 36 and 24). Section 5 describes our ICC based Tainted Path. An ICC based tainted path is approach to connect components to analyze paths between a tainted path among two or more components, i.e., there components and evenbetween applications. is at least one ICC method in the path. In our motivating example, there is an ICC based tainted path from source 4. DEFINITIONS method getDeviceId in Activity1 to sink method send- In order to better describe our approach, some android TextMessageinActivity2 throughthestartActivityICC method (line 10). and taint analysis related conceptsneed to be defined. IAC based Tainted Path. An IACbased tainted path is a Control-Flow Graph (CFG) Wedetectdataleaksbyana- tainted path between two or among more applications, i.e., lyzing control-flow graphs of Android applications. An ap- it has at least one ICCmethod between two componentsof plicationCFGconsistsofacollectionofmethodCFGslinked different applications. There is no IAC based tainted path together according to how theycall one another. Source Method. Asourcemethodreturnsdataconsidered inourmotivatingexample. ButiftheActivity4 inFigure1 asprivatefrom theuser’spointof viewintotheapplication sends the device id transferred from Activity2 out of the code. Forexample,methodgetDeviceId(line76)isasource application, then there is an IAC based tainted path from Application 1 toApplication 2. method returningthedevice ID. PrivacyLeaks. Ifataintedpathisdetected,itmeansthat Sink Method. A sink methodsendsdataout of theappli- aprivacyleakhasbeenfound. Inotherwords,someprivate cation. For example, method sendTextMessage (line 27) is data obtained from a source method can flow through the a sink method sending data to another phone using SMS. tainted path to a sink method. WeusesourcesandsinkscomputedforAndroidbytheSuSi tool [3]. 5. ICCTA 5As illustrated in Figure 1, Activity3 has the appropriate Intent Filter to catch the implicit Intent In this Section we describe IccTA, our tool to detect pri- 6All the line numbers described in this section is referring vacyleaksinAndroidapplications. Itusesstatictaintanal- to Listing 1 ysistodetectprivacyleaks. Themainchallengeforthisisto (1.2) Apk (1.1) Jimple FlowDroid Tainted Soot Analysis Paths Apk1 (2.1) Apk- Apk∗ (2.2) Jimple Combiner Soot (2.5) Jimple (2.6) Apk2 FloIwccDTrAoid- ++LICifCecycle FAlonwaDlyrsoiisd TPaaintthesd (2.3) Epicc ICC (2.4) Links + Callback Links Epicc-IccTA DB (2.3) Epicc Figure 4: Overviewof IccTA (down) and FlowDroid (up). solvethediscontinuitiesproblemintroducedbytheAndroid // modifications of Activity1 // modifications in Activity2 system. (A) IApcctSiCv.itrye1di.rtehcits0.(sit)a;rtActivity(i); pubtlhiics.Aicnttievnitt_yf2or(_Iinptcent= ii;) { We present the architecture of IccTA in Figure 3 where } public Intent getIntent() { newormodifiedcomponentaresurroundedbyadashedline. // creation of a helper class (C) return this.intent_for_ipc; class IpcSC { } IccTA is the combination of Epicc-IccTA and FlowDroid- static void redirect0(Intent i) { public void dummyMain() { IccTA. Epicc-IccTA relies on Epicc to incrementally com- (B) aA2c.tidvuimtmyy2Maian2()=;new Activity2(i); //// alriefeccyacllleedanhderecallbacks pute ICC links from Android apps. Both FlowDroid and } } } EpiccarebasedonSoot[16]andHeros[8]. Sootisaframe- work to analyze Java based applications. It uses the Dex- Figure 5: Code Modifications to Handle ICC Communica- pler[7]plugintoconvertAndroidDalvikbytecodetoSoot’s tion between Activity1 and Activity2. The startActivity internalrepresentationcalledJimpleandreliesonSpark[17] ICC method is replaced (A) by a call to code that instan- tobuildaccuratecallgraphs. Herosisascalableimplemen- tiates and calls the “main” method of Activity2 (B). The tationofIFDS[22]andIDE[23],twoframeworkstoperform target component class is updated to handle Intent objects data flow analysis. Analyzing multiple applications is done directly,by modeling theAndroid system behavior (C). using ApkCombiner. It combines multiple apps to a single one to ease theanalysis of IccTA. Figure 4 is a comparison between IccTA and FlowDroid. howFlowDroid-IccTAtacklesICCmethodsinSection5.1.1. FlowDroid (4 up) first converts the Android bytecode to Then,wedetailhowFlowDroid-IccTAresolveslifecycleand Jimple in step (1.1). Then, in step (1.2), it analyzes the callback methods in Section 5.1.2. Finally, using our moti- Jimple code to detect tainted paths in single Android com- vating example of Listing 1, we illustrate the code instru- ponents. mentation process in Section 5.1.3. IccTA (4 down) can analyze one or multiple Android ap- plications. If more than one application is analyzed, it uses 5.1.1 ICCMethods ApkCombinertomergetheAndroidapplicationsinasingle As shown in Figure 4, the ICC problem is solved at step application in step (2.1). The Android application’s byte- 2.5. ThisiswheretheJimplecodeisupdatedbyFlowDroid- code is then converted to Jimple in step (2.2). In parallel, IccTA to connect components. This code modification is Epicc-IccTA analyzes all the input applications (Apk1 and required for all ICC methods (listed in Table 1). We de- Apk2 intheFigure)togenerateICCLinksinstep(2.3)and tailthesemodificationsforthetwomostusedICCmethods: storestheresultstoadatabaseinstep(2.4). IccTAusesICC startActivity and startActivityForResult. We handle linksgenerated byEpicc-IccTAtoconnect Androidcompo- ICCmethodsforServicesandBroadcast Receiversinasim- nentsintheJimplecodeinstep(2.5). Steps(2.2) and(2.6) ilar way. correspondtoFlowDroid’ssteps(1.1)and(1.2): theJimple StartActivity. Figure 5 shows the code transforma- codeisupdatedtotakeintoaccountlifecyclesandcallbacks tion done by FlowDroid-IccTA for the ICC link between ofcomponentsandthetaintanalysisislaunchedtogenerate Activity1 and Activity2 of our motivating example. a list of tainted paths. FlowDroid-IccTA first creates a helper class named IpcSC (BinFigure5)whichactsasabridgeconnectingthesource 5.1 FlowDroid-IccTA:ReducingtheICCpro- anddestinationcomponents. Then,thestartActivityICC blem to anIntra-Component problem method is removed and replaced by a statement calling the Sincethereisnodirect codeconnectionbetween twoAn- generated helpermethod (redirect0) (A). droidcomponents,FlowDroid cannotdetectICCbasedpri- In(C),FlowDroid-IccTAgeneratesaconstructormethod vacy leaks with precision. In this section, we describe how takinganIntentasparameter,adummyMainmethodtocall FlowDroid-IccTA reduces the ICC problem to an intra- allrelatedmethodsofthecomponent(i.e.,lifecycleandcall- component problem on which FlowDroid can perform an back methods) and overrides the getIntent method. An highlyprecisedata-flowanalysis. Ourapproachinstruments Intent is transferred by the Android system from the caller theJimple code of Androidapplications toconnect compo- componenttothecalleecomponent. Wemodelthebehavior nentsdirectly in thecode. of the Android system by explicitly transferring the Intent As mentioned in the introduction, there are three types to the destination component using a customized construc- of discontinuities in Android: (1) ICC methods, (2) life- tor method, Activity2(Intent i), which takes an Intent cycle methods and (3) callback methods. We first describe as itsparameter andstores theIntenttoanewly generated fieldintent_for_ipc. Theoriginal getIntentmethodasks (A) aIcptcS.Cs.tarretdAicrteicvti0t(yaFcotr,Reis)u;lt(i); clsatsasticIpcvSoCid{redirect0(Activity a2, theAndroidsystemfortheincomingIntentobject. Thenew Intent i) { getIntent methodmodels theAndroidsystem behaviorby votihdis.seitnRteesnutl_tfo(rI_natren=t ii;) { (B) aA3c.tidvuimtmyy3Maian3()=;new Activity3(i); returning the Intent object given as parameter to the new a2.dummyMain(); Intent retI = a3.getIntentFAR(); (C) } a2.onActivityResult(retI); constructor method. public Intent getIntentFAR() { } The helper method redirect0 constructs an object of return this.intent_for_ar; } } type Activity2 (the target component) and initializes the newobjectwiththeIntentgivenasparametertothehelper Figure 7: An Example about running FlowDroid-IccTA to method. Then,itcallsthedummyMainmethodof Activity2. startActivityForResult ICC method. (A) represents the To resolve the target component, i.e., to automatically modifiedcodeof ButtonOnClickListenerand(C)themod- infer what is the type that has to be used in the method ified code of Activity3. (B) is the glue code connecting redirect0(inourexample,toinferActivity2),Flowdroid- ButtonOnClickListenerandActivity3. Somemethodpa- IccTA usestheICC linkscomputedbyEpicc-IccTA.Epicc- rameters are not represented tosimplify thecode. IccTA resolve the target component not only for explicit intents, but also for implicit intents. Therefore, there is no differenceforFlowdroid-IccTAtohandleexplicitorimplicit in the code of applications since the Android system han- intent based ICCs. dleslifecyclesandcallbacks. Forcallbackmethods,weneed StartActivityForResult. There are some special ICC to take care of not only the methods triggered by the User methods in Android, such as startActivityForResult. A Interface (UI) events (e.g., onClick) but also of callbacks component C1 can use this method to start a component triggeredbyJavaortheAndroidsystem(e.g.,theonCreate C2. Once C2 finishes running, C1 runs again with some method). InAndroid,everycomponenthasitsownlifecycle result data returned from C2. The control-flow mechanism methods. To solve this problem, IccTA generates a dummy- of startActivityForResult is shown in Figure 6. There Mainmethodforeachcomponentin whichwemodelallthe are two discontinuities: one from (1) to (2), similar to the methodsmentionedabovesothatourCFGbasedapproach discontinuity of the startActivity method, and the other is aware of them. Note that FlowDroid also generates a from (3) to (4). dummyMain method, but it is generated for the whole app The startActivityForResult ICC method has a more instead of for each component like we do. complex semantic compared to common ICC methods that only trigger one-way communication between components 5.1.3 TheCFGofinstrumentedmotivatingexample (e.g., startActivity). Figure 7 shows how the code is in- Figure 8 represents the CFG of the instrumented moti- strumentedtohandlethestartActivityForResultmethod vatingexample presented in Listing 1. In theCFG, getDe- inourmotivatingexample. Tostayconsistentwithcommon viceId is a source method in the anonymous OnClickLis- ICC methods, we do not instrument the finish method of tener class (line 6) called by Activity1. Method send- Activity3 to call onActivityResult method. Instead, we TextMessage is a sink in Activity2. There is an intra- generate a field intent_for_ar to store the Intent which component tainted statement path from thesource method will betransferred back toActivity2. TheIntent that will to sink method (representedby edges 1 to12). be transfered back is set by the setResult method. We Figure 8 also shows that IccTA builds a precise cross- override the setResult method to store the value of Intent component control-flow graph. Since we use an technique to intent_for_ar. The helper method IpcSC.redirect0 instrumenting the code to build the CFG, the context of a does two modifications to link these two components di- staticanalysisiskeptbetweencomponents. ThisenablesIc- rectly. First, it calls the dummyMain method of destination cTAtoanalyzedata-flowsbetweencomponentsandthereby component. Then,itcallstheonActivityResultmethodof enables IccTA to have a better precision than existing ap- thesource component. proaches. Activity2 Activity3 5.2 ApkCombiner: ReducinganIACproblem to anICC problem Activity2 EntryPoint Activity3 EntryPoint In Android, Inter-Application Communication (IAC) is 2 similar to Inter-ComponentCommunication (ICC). Indeed, startActivityForResult setResult IAC also relies on component communication, except that 1 thesourcecomponentandthedestinationcomponentbelong Android to different applications. Ifwe can connect applications, an System IAC Problem becomes a standard ICC Problem. 4 3 Analyzing Multiple Applications. As shown in Fig- onActivityresult finish ure4,FlowDroidcanonlyanalyseoneapplicationatatime. Therefore,wedevelopatool,ApkCombiner,tocombinemul- tipleappsintoone. ApkCombinercombinesall thepartsof Figure 6: The control-flow mechanism of startActivity- Android apps including bytecodes, assets, manifest and all ForResult theresources. Then,weuseIccTAtoanalyzethecombined app to compute IAC based privacy leaks. As FlowDroid- 5.1.2 LifecycleandCallbackMethods IccTAhandlesthecombinedapplicationasasingleapplica- One challenge when analyzing Android applications is to tions,itonlydetectsICCbasedprivacyleaks. Todistinguish tackle the callback methods and the lifecycle methods of ICCleaks from IACleaks, IccTAchecksif allstatementsof components. There is no direct call among those methods thetainted path belong to thesame application or not. Stringid=telMnger.getDeviceId(); (4) this.intentforipc=i; (9) returnthis.intentforipc; (1) Activity2a2=newActivity2(i); Intenti=getIntent(); i.putExtra(”sensitive”,id); (5) (10) (8) (2) (3) return-site; return-site; ipcSC.redirect0(i); (6) onCreate(null); (11) (7) a2.dummyMain(); Strings=i.getStringExtra(”sensitive”); return-site; return-site; (12) return-site; sendTextMessage(s); normaledge call-to-startedge call-to-returnedge exit-to-returnedge Figure 8: The control-flow graph of theinstrumentedmotivatingexample Reducing the Number of Combined Apps to An- 6.1 RQ1: IccTA vs FlowDroid and Commer- alyze. In practice, when increasing the number of appli- cial Tool cations to analyze, and if all those applications are com- WeevaluateandcompareIccTAwithFlowDroidandIBM bined with ApkCombiner,theprocessing time and memory AppScanSource9.0onDroidBenchtotestforICCandIAC requirement of FlowDroid-IccTA also grows. To solve this leaks. Unfortunately, we were unable to compare IccTA to problem, we need to decrease the number of Android apps other static analysis tools as their authors did not make tocombine. OursolutionistobuildanIACgraph,wherea them available. node is an application and an edge a link, to represent the DroidBench. DroidBench[2]isasetofhandcraftedAn- dependencies between applications. The idea behind being droidapplicationsforwhichallleaksareknowninadvance. that if there is no link between two applications there is no Thefactofknowingallleaksintheapplicationsiscalledthe need to combinethem. ground truth andisusedtoevaluatehowwellstaticanddy- The IAC graph is made up of small independent IAC namicsecuritytoolsfinddataleaks. DroidBenchversion1.2 (sIAC)graphs(connectedcomponents). GivenasIACgraph, contains 64 different test cases with different privacy leaks. ApkCombiner combines all the nodes (apps) in it into one However, all the leaks in DroidBench are intra-component app,thenIccTAextractsleaksfromtheresultingapp. How- privacyleaks. Thus,wedeveloped26appsand23testcases ever, in some case, if a sIAC graph still contains a lot of toextendDroidBenchwithICCandIACleaks. Atestcase nodes. Thiswillalsolimitourapproachtobescalable. Our is applied on one application to test for ICC and on two solutionistolimitthelength(howmanyappsareinvolved) applicationstotest forIAC.Intotal,18appscontaininter- of an IAC leak7. For example, If a sIAC graph contains 10 component privacy leaks and 6 apps contain inter-app pri- nodes (where Ai is connected to Ai+1, i ∈ {1,9}) and the vacy leaks. The new set of test cases coverseach of thetop length limitation is set to five. Then, the sIAC graph is 8 ICC methods in Table 1. Moreover, among the 26 new split into five sIACs (e.g., one sIAC is from A2 to A6) that apps, two of them do not contain any privacy leaks. If a IccTA can analyze. The trade-off limitation length enables tool detects privacy leaks on these two apps, the detected our approach to become scalable. leaksarefalsealarms. Finally,foreachtestcaseapplication AnothergoodpointofbuildinganIACgraphisthatnew weaddanunreachablecomponentcontainingasink. These applications can be added to the graph in an iterative and unreachable components are used to flag tools that do not incremental manner. When new appsare involved,we only properly construct links between components. runthemagainstEpicc-IccTAandaddthemtotheexisting The23testcasesarelistedinthefirstcolumnofTable2. IACgraph. Wedonotneedtorunthepreviouslycomputed IccTA.WerunIccTAonallthe23testcases. Theresults apps again when adding thenewapps to theIACgraph. areshowninTable2. IccTAsuccessfullypasses18testcases, In short, by building an IAC graph, the original set of with 17 test cases containing 19 privacy leaks and one test Android applications is split into multiple small sets that case (startActivity5) with no leak. IccTA can analyze. Amongthedetectedprivacyleaks, threeofthemareIAC based privacy leaks and the remaining ones are ICC based 6. EVALUATION privacy leaks. In the startActivity5 test case, the source Ourevaluationaddressesthefollowingresearchquestions: componentusesanimplicitintentwithdatatypetext/plain to start anotheractivity. However, noother activity in this RQ1 HowdoesIccTAcomparetocommercialtaint-analysis testcasedeclaresthatitcanreceiveanintentwithdatatype toolsforAndroidandFlowDroid intermsofprecision text/plain. That means there is no connection among the and recall? components in startActivity5 test case. As IccTA takes RQ2 Can IccTA find leaks in real-world applications and into consideration the data type of an intent it does not how fast is it? report any privacyleak for this test case. ThestartActivity4testcasedoesnotcontainanyleaks. RQ3 How do IccTA compare to other academic ICC leak However, IccTA does report a false warning. The reason is detection approaches? that the source component uses an implicit intent with an 7In practice we have not seen a leak going through more URI to start another activity. Since IccTA relies on Epicc than 2 apps. which does over-approximate URIs links, it reports a false Table 2: DroidBench test results ⋆ = correct warning, ⋆= false warning, = missed leak leak. multiplecircles in onerow: multiple leaks expected The current version does not take into account Content all-empty row: no leaks expected,nonereported Providers. ThisiswhyIccTAmissesleaksfortheinsert1, † C/A: # of Components/ # of Applications delete1, update1, and query1 test cases. All the four test Test Case (C/A)† FlowDroid AppScan IccTA cases are related to Content Provider. Inter-ComponentCommunication FlowDroid. FlowDroid has been evaluated on the first startActivity1(3/1) ⋆ ⋆ ⋆ ⋆ ⋆ version of DroidBench in [4]. In table 2, we present the re- startActivity2(4/1) ⋆ (4⋆) ⋆ (4⋆) ⋆ sults of FlowDroid on the new 23 test cases. As already startActivity3(6/1) ⋆ (32⋆) ⋆ (32⋆) ⋆ explained, FlowDroid has been initially proposed to detect startActivity4(3/1) ⋆ ⋆ ⋆ ⋆ ⋆ leak in single Android component. However, we can use startActivity5(3/1) ⋆ ⋆ ⋆ ⋆ FlowDroid in a way that it computes paths for all individ- startForResult1 (3/1) ⋆ ⋆ ⋆ ualcomponentsandthencombinesall thosepathstogether startForResult2 (3/1) ⋆ ⋆ (whateverthereisareallinkornot). Asaresult,weexpect startForResult3 (3/1) ⋆ ⋆ ⋆ startForResult4 (3/1) ⋆ ⋆ ⋆ ⋆ ⋆ ⋆ that FlowDroid detects most of the leaks but yields several startService1 (3/1) ⋆ ⋆ ⋆ ⋆ ⋆ false positives. Results of Table 2 confirm this expectation: startService2 (3/1) ⋆ ⋆ ⋆ ⋆ ⋆ FlowDroid has a high recall (69.6%) and a low precision bindService1(3/1) ⋆ ⋆ ⋆ ⋆ ⋆ (23.9%). FlowDroid misses three more leaks than IccTA in bindService2(3/1) ⋆ bindService{2,3,4}. After investigation, we discover that bindService3(3/1) ⋆ FlowDroiddoesnotconsidersomecallbackmethodsforser- bindService4(3/1) ⋆ ⋆ ⋆ ⋆ ⋆ ⋆ vice components. sendBroadcast1 (3/1) ⋆ ⋆ ⋆ ⋆ ⋆ AppScan. AppScan Source 9.0 requires a lot of man- insert1 (3/1) delete1 (3/1) ual initialization work since it has no default sources/sinks update1(3/1) configuration fileand is unableto analyze Androidapplica- query1(3/1) tions without specifying the entry points of every compo- Inter-AppCommunication nents. We define the getDeviceId and log methods, that startActivity1(4/2) ⋆ ⋆ ⋆ ⋆ ⋆ we always use in DroidBench for ICC and IAC leaks, as startService1 (4/2) ⋆ ⋆ ⋆ ⋆ ⋆ source and sink, respectively. We also add all components’ sendBroadcast1 (4/2) ⋆ ⋆ ⋆ ⋆ ⋆ entrypointmethods(suchasonCreateforactivities)ascall- Sum,Precision, Recall and F1 backmethodssoAppScanknowswheretostarttheanalysis. ⋆ , higher is better 16 13 19 ⋆, lower is better 51 49 1 AppScanisnativelyunabletodetectinter-componentdata- , lower is better 7 10 4 flowsandonlydetectsintra-componentflows. AppScanhas Precision ⋆/( ⋆ + ⋆) 23.9% 21.0% 95.0% the same drawbacks as FlowDroid and should have a high Recall ⋆/( ⋆ + ) 69.6% 56.5% 82.6% recall and low precision on DroidBench. We use an addi- F1 2 ⋆/(2 ⋆ + ⋆+ ) 0.36 0.31 0.88 tional script to combine the flows between components. As expected AppScan’srecall is high (56.5%) and its precision low(21.0%). ComparedtoFlowDroid,AppScandoesworse. foundoutthat17(11.6%)arefalsepositives. Inotherwords, Indeed, AppScan does not correctly handle startActivi- IccTAachievesaprecisionof88.4% onreal-wordapps. The tyForResult and thus misses leaks going through methods false positives comes from Epicc that generates false posi- receiving results from the called activities in startForRe- tives for linksbetween components. sult{2,3,4}. We summarize the frequently used source methods and Conclusion. IccTA outperforms both the commercial sink types(Javaclasses)inTable3fromthe425appshaving taint-analysis tool AppScan 9.0 and FlowDroid in terms of at least one leak. Note that we only count such source and precision and recall. sink methods that appear in the detected leaks. The most used source method is openConnection and it is used 601 6.2 RQ2: IccTA and Real-WorldApps times in 169 apps. The most used sink types is Log and it WeruntheexperimentsonaCorei7CPUrunningaJava is used 2755 times in 261 apps. The reason why we study VM with 8 Gb of heap. To evaluate our approach, we use sink typesinstead ofsink methodsisthattherearealot of IccTA to analyze 3000 Android apps downloaded from the sink methods in a same sink type. Take the Log sink type Google Play market as well as some third-party markets as an example, there are eight sink methods which log the (e.g., wandoujia). IccTA process 3000 apps in about 100 privatedata todisk. hours. IccTA does not detect any leak for 2575 (85.83%) Letusdescribeindetailsthreeleaks,oneforeachtypeof applications. IccTAreports425applicationscontainingpri- leak. vacy leaks. Among the 425 apps, 411 apps only contain Intra-componentleak: bz.prana.myphonelocator. I- intra-componentleaksand14appscontainatleastoneICC ccTAdetectsanintra-componentprivacyleakstartingfrom leak. Fromthose14apps,13containbothintra-component the getLongitude source method in method onLocation- leaksandICCleaks. IccTAdetects6989IAClinks. Among Changedofclass.SMSReceiver$MyLocationListener8. The thoseIccTAdetectsoneIACleak. Thisresultindicatesthat location is sent out of the app through SMS by the send- components do communicate and share data, but it is rare TextMessagesink methodinmethodsmsReplyofclass.SM- that an inter-application leak occurs. SReceiver. Theappisdesignedtosendthelocationoutside For intra-app leaks, IccTA detects 5986 leaks in the 425 apps. Amongthedetectedleaks,147(2.5%)areICCprivacy 8The package name is omitted when the class name starts leaks. We manually check the 147 reported ICC leaks and with thepackagename Table 3: The top 5 used source methodsand sink types Activity2 finish Method/Type Counts(#.) Detail SourceMethods openConnection 601 http connection ButtonOnClickListener Activity4 getLongitude 514 longitude getLastKnownLocation 448 Location getDeviceId 403 IMEI or ESN startActivityForResult Activity3 getCountry 265 country code SinkTypes Log 2755 error orwarn Figure9: Theproblemofusingpathmatchingapproachfor URL 821 execute startActivityForResult SharedPreferences 717 putInt,putString Message 339 sendTextMessage File 9 write(string) nent, the context of the analysis is lost when SCanDroid andSEFAcombinethetaintpaths,sincetheanalysisisper- formedbeforethecombinationofthepaths. IccTAdoesnot thedevicethroughSMS.However, todistinguish theinten- presentthisproblembecauseitconnectsthecomponentsat tion of detected privacy leaks is out of scope of this paper. thecodelevelandthenperformstheanalysis. Thus,itkeeps We takeit as ourfurtherwork. the data-flow between two components. Losing the context ICC leak: com.dikkar.ifind. An ICC based privacy decreases the precision of the tool. Indeed, an Intent can leak is detected by IccTA on this application. In method carrydata,i.e.,itmaycontainalotofextraskey/valuepairs onLocationChanged of class .iFindPlaces, the getLongi- but only part of them are sensitive. A precise tool needsto tude source method is called and returns the location of distinguishthemtoavoidfalsepositive. Forapathmatching the Android phone. Then, the location is transferred to approach,itisnoteasytodistinguishthembecausetheydo another component named .PlaceDetail, where method b not keep the state of Intent when matching two available of class j is called. In method b, a sink method Log.d paths. logs the location into disk with ServiceHandler tag name. Second, some specific ICC methods such as startActiv- To verify the detected leaks, we developed an Android ap- ityForResult are difficult to handle with a matching al- plication named LogParser. By giving the permission an- gorithm. It will become even worse when the special ICC droid.permission.READ_LOGS 9, LogParser reports all the methodsexistinaclasswhichisinvokedbymultiplecompo- locations logged by Find Places. nents. Suppose a component Activity4 also uses the class IACleak: com.bi.mutabaah.id to jp.benishouga.cl- ButtonOnClickListenershowninListing1tocommunicate ipstore. An IAC leak is reported by IccTA between app withothercomponents. WepresentthisscenarioinFigure9. com.bi.mutabaah.id and app jp.benishouga.clipstore. ApathmatchingapproachfirstfindsapathfromstartAc- The source method findViewById is called in component tivityForResult to Activity3. After the finish method com.bi.mutabaah.id.activity.Statistic, wherethedata of Activity3 is called, the onActivityResult method of ofaTextViewisobtained. Thenthedataisstoredintoanin- the source component is invoked by the Android system. tentwithtwoextrasnamedandroid.intent.extra.SUBJECT The problem is that it is difficult to know which compo- and android.intent.extra.TEXT. Afterthat,startActiv- nent (Activity2 or Activity4) is the source because they ityisusedtosendthedatatoappjp.benishouga.clipsto- both usethesame class ButtonOnClickListener where the re,whichextractsthedatafromtheintentwiththesameex- Intent is created. In fact, It is very difficult to statically tranamesandwritesallthedataintoafilenamedclip.txt resolve this problem since it is caused by the mechanism of underpath /data/data/jp.benishouga.clipstore/files. dynamic binding of Android (or Java). In our approach, Conclusion. IccTA finds leaks in real-world apps in a IccTA resolves this problem by explicitly calling theappro- reasonable amount of time. Nevertheless, IccTA only de- priate onActivityResult method (see Figures 6 and 7) of tects a single IAC leak. This is an indication that inter- the source component (Activity2 or Activity4) thanks to application leaks are rare. thehelper class IpcSC. Conclusion. Even if we were not able to evaluate state- 6.3 RQ3: ComparewithOtheracademicTools of-the-arttoolsdetectingICCleaks(SCanDroidandSEFA), We identify two academic tools able to deal with ICC IccTA seems to be more precise mainly because it keeps leaks: SCanDroid [13] and SEFA [26]. However, ScanDroid the context between components unlike path matching ap- fails to report any leaks and SEFA is not available. As a proaches. result, we were not able toevaluate them on DroidBench. To answer the research question, we focus and discuss 7. LIMITATIONS somekeyaspectsofthevariousapproaches. SCanDroidand In thissection, we discussthe limitations of IccTA. SEFA both use a path matching approach, which computes FlowDroid. IccTA is based on FlowDroid to perform pathsforallindividualcomponentsandthencombinessome statictaintanalysisandtherebysharesthesamelimitations pathstogether,thedecisionofcombiningtwopathsornotis of FlowDroid. IccTA resolves reflective calls only if their given by a matching algorithm. A path matching approach argumentsarestringconstants. Itisalsooblivioustomulti- presents at least two main drawbacks. threading. We experienced that FlowDroid cannot prop- First, even if the taint analysis is done for each compo- erly analyze some apps (too much memory consumption or 9Startingfrom Android4.1 itisnomoregrantedtoregular hangs). We start by analyzing a set of 5000 and keep only apps, but it can still be granted to either vendor apps or 3000 apps that work with FlowDroid. RunningIccTA on a apps runningon rooted phones. big server could significantly decrease the numberof falling analysis. Moreover, we are very confident that the next re- SEFA useamatchingapproach toanalyzeinter-component lease of FlowDroid will resolve thisproblem. leaks. SCanDroid defines all the methods importing data Epicc. IccTA relies on Epicc to compute links between toanappasinflow methodsandallthemethodsexporting components. Since Epicc does not handle URIs, it fails to datafromanappasoutflow methods. Then,itmatchesthe find ICC links for ContentProvider and yields false pos- inflow andtheoutflow methodstoconnecttwocomponents. itives for the other three types of components when they SEFA defines ICC methods as bridge-sinks to distinguish communicateusingURIs. Inpracticethenumberoflinksis with the sensitive-sinks. It uses the bridge-sinks to match huge due to the false positives. We check the links (intents with othercomponentsandtherebyconnectingtwo compo- and intent filters) and only keep theones not using URIs. nents. Aswe mentioned before, the matchingapproach has IccTA.AtthemomentIccTAdoesnothandlesomerarely some drawbacks compared to our instrumenting approach. usedICCmethodssuchassendActivitiesorsendOrdered- Therefore, even if we were not able to evaluate SCanDroid BroadcastAsUser. Data send between component with an andSEFAonDroidBench,itcomesthatIccTAismorepre- intent, is represented as key/value pairs. When a tainted cise by design. data is put in the intent, IccTA taints all key/value pairs. AsDroid [15] and AppIntent [28] are another two tools This could result in false positives if a tainted data is put usingstaticanalysistodetectprivacyleaksinAndroidapps. in an intentand, in thereceivingcomponent, anon-tainted Both of them try to analyze the intention of privacy leaks. data is retrieved from theintentand flows to a sink. Analyzingtheleakingintentionisoutofscopeofthispaper. Native Code. Some Android application are packaged However, we think it is necessary to distinguish whether a withnativecode. IccTAonlyanalyzesthedexfilecontaining privacy leak is intended or not. We takethis as our further theDalvik bytecode. work. DynamicAnalyses. Dynamictaintanalysestechniques, 8. RELATED WORK on the other hand, track sensitive data at runtime. Taint- Droid [12] is one of the most sophisticated dynamic taint As far as we know, IccTA is the first approach to seam- tracking systems. It tracks flows of private data of third- lesslyconnectAndroidcomponentsthroughcodeinstrumen- party apps. CopperDroid [20] is another dynamic testing tation in order to perform ICC based static taint analy- tool which observes interactions between the Android com- sis. By using a code instrumentation technique, the state ponents and the Linux system to reconstruct high-level be- of the context and data (e.g. an Intent) is transferred be- havior and uses some special stimulation techniques to ex- tween components. To the best of our knowledge, there is ercisetheapptofindmaliciousactivities. Severalothersys- nootherexistingstatic approachtodetect Androidprivacy tems,includingAppFence[14],Aurasium[27],AppGuard[5] leaks tackling the ICC problem and keeping state between and BetterPermission [6] try to mitigate the privacy leak components. problem bydynamically monitoring thetested apps. Static Analyses. There are several approaches using However,thosedynamicapproachescanbefooledbyspe- static analysis to detect privacy leaks. PiOS [11] uses pro- cial designed methods to circumvent security tracking [24]. gram slicing andreachability analysistodetectthepossible Thus, dynamic tracking approaches may miss some data privacy leaks. TAJ [25] uses the same taint analysis tech- leaksandyieldanunder-approximation. Ontheotherhand, nique to identify privacy leaks in web applications. How- staticanalysisapproachesmayyieldanover-approximation ever, these approaches introduce a lot of false positives. becausealltheapplication’scodeisanalyzedevencodethat CHEX [18] is a tool to detect component hijacking vulner- willneverbeexecutedatruntime. Bothapproachesarecom- abilities in Android applications bytracking taintsbetween plementary when analyzing Android applications for data sensitive sources and externally accessible interfaces. How- leaks. ever,itislimitedtoatmost1-object-sensitivitywhichleads to imprecision in practice. LeakMiner and AndroidLeaks 9. CONCLUSION state the ability to handle the Android Lifecycle including This paper addresses the major challenge of performing callbackmethods,butthetwotoolsarenotcontext-sensitive data-flow analysis across multiple components or multiple which precludes the precise analysis of many practical sce- applications. We have presented IccTA10, an ICC based narios. FlowDroid[4]introducesahighlyprecisetaintanal- taint analysis tool able to perform such analysis. In partic- ysis approach with low false positive rate, but it does not ular, we demonstrate that IccTAcan detect ICC based pri- identify ICC based privacy leaks. IccTA performs an ICC vacy leaks by providing a highly precise control-flow graph based static taintanalysis byinstrumentingthecode ofthe throughinstrumentationofthecodeofapplications. Unlike original app while keepingtheprecision high. previousapproaches,IccTAenablesadata-flowanalysisbe- ComDroid [10] and Epicc [19] are two tools that tackle tween two components and adequately models the lifecycle ICC problem, but they mainly focus on ICC vulnerabilities and callback methods to detect ICC based privacy leaks. and do not taint data. When runningIccTA on DroidBench, it reaches a precision SCanDroid [13] is a tool for analyzing ICC based privacy of95.0%. WhenrunningIccTAonthreethousandsapplica- leaks. It prunes all call edges to Android OS methods and tions randomly selected from the Google Play store as well conservativelyassumes thebaseobject, theparametersand other third-party markets, it detects 130 inter-component the return value to inherit taints from arguments. This ap- based privacy leaks in 12 applications. Other existing pri- proach ismuchlessprecisethanourtoolsincewemodelall vacy detecting tools (e.g., AndroidLeaks) could benefit by theAndroidOS methods(exceptnativemethods) with our implementingourapproach to perform ICCand IACbased dummy main method in the control-flow graph. Another privacy leaks detection. tool SEFA [26] also resolves the ICC problem. It performs a system-wide data-flow analysis to detect possible vulner- 10Our experimental results and IccTA itself are available at abilities (e.g., passive content leaks). Both SCanDroid and https://sites.google.com/site/icctawebpage.