Taint Analysis of Fragments in Android Applications

doi:10.3969/j.issn.1006-2475.2017.07.008

Abstract

Abstract: Nowadays, mobile devices have become an important part of peoples life, which also brings many novel security problems. Normally mobile devices store lots of users’ private data such as contacts’ information, which could be utilized by malwares leading to data leaks. Existing taint analysis tools of Android applications cannot deal with Fragment API, this paper designs a method based on simulation of Fragment lifecycles and static taint analysis to inspect the potential data leaks in Fragments of Android applications. The experiment results verify the effectiveness of the method.

Key words: Android, taint analysis, Fragment, lifecycle

CLC Number:

TP311.5

HU Wang-sheng. Taint Analysis of Fragments in Android Applications[J]. Computer and Modernization, doi: 10.3969/j.issn.1006-2475.2017.07.008.

References

［1］Fritz C. FlowDroid: A precise and scalable data flow analysis for Android［D］. Technische Universitt Darmstadt, 2013.
［2］Reps T, Horwitz S, Sagiv M. Precise interprocedural data flow analysis via graph reachability［J］. Lecture Notes in Computer Science, 1995,167(96):49-61.
［3］Soot. A Framework for Analyzing and Transforming Java and Android Applications［EB/OL］. https://sable.github.io/soot/, 2016-09-01.
［4］Einarsson A, Nielsen J D. A Survivor’s Guide to Java Program Analysis with Soot［EB/OL］. http://www.brics.dk/SootGuide/sootsurvivorsguide.pdf, 2008-07-17.
［5］Google Inc. Android API Guides: App Components［EB/OL］. https://developer.android.com/guide/components/index.html, 2016-09-01.
［6］Yang Zhemin, Yang Min. LeakMiner: Detect information leakage on Android with static taint analysis［C］// Proceedings of the 3rd World Congress on Software Engineering. 2012:101-104.
［7］Gibler C, Crussell J, Erickson J, et al. Androidleaks: Automatically detecting potential privacy leaks in Android applications on a large scale［C］// Proceedings of the 5th International Conference on Trust and Trustworthy Computing. 2012:291-307.
［8］Fuchs A P, Chaudhuri A, Foster J S. ScanDroid: Automated Security Certification of Android Applications, Technical Report CS-TR-4991［R］. Department of Computer Science, University of Maryland, College Park, 2009.
［9］Lu Long, Li Zhichun, Wu Zhenyu, et al. CHEX: Statically vetting Android Apps for component hijacking vulnerabilities［C］// Proceedings of the 19th ACM Conference on Computer and Communications Security. 2012:229-240.
［10］ Zhao Zhibo, Osono F C C. TrustDroid: Preventing the use of smartphones for information leaking in corporate networks through the used of static analysis taint tracking［C］// Proceedings of the 7th International Conference on Malicious and Unwanted Software, 2012:135-143.
［11］Arzt S, Rasthofer S, Fritz C, et al. FlowDroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android Apps［C］// Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation. 2014:259-269.
［12］WikiPedia. APK［EB/OL］. http://zh.wikipedia.org/wiki/APK, 2016-09-01.
［13］DroidBench. A micro-benchmark suite to assess the stability of taint-analysis tools for Android［DB/OL］. https://github.com/secure-software-engineering/DroidBench, 2016-09-01.
［14］King D, Hicks B, Hicks M, et al. Implicit flows: Can’t live with ‘em, can’t live without ‘em［C］// Proceedings of the 4th International Conference on Information Systems Security. 2008:56-70.

[1]	LIU Ya-wei, WANG Jun-min, LIU Wei. Longitudinal Fragments Stitching Method Based on Correlation Matrix [J]. Computer and Modernization, 2019, 0(10): 43-.
[2]	ZHANG Jun-wei1, WANG Hao-jie1, WANG Zi-chen2, LI Yan-juan1. Astronomy and Celestial Phenomena Real-time Viewing#br# and Forecasting System Based on Android [J]. Computer and Modernization, 2019, 0(06): 104-.
[3]	SUN Bing-lin, ZHUANG Yi. An Android Malicious Code Detection Mechanism Based on Native Layer [J]. Computer and Modernization, 2019, 0(05): 1-.
[4]	LIYin,LUOHai-biao,LIUDong-cheng,OUYANGYun-xiong,CHENJian-bin,YUANFeng. Inthepresentsociety,foodsecurityincidentsemergeoneafteranother.Foodsecurityissuehasbecomeanimportantsocialissue.Foodtraceabilityhasproventobeaneffectivemethodforfoodsafety.Thispaperdesignsafoodelectronictraceabilityplatformbasedondistributionframework.Theplatformcanprovideproductionandmanagementserviceforfoodenterprise,forwardandbackwardtraceabilityofthewholecycleoffoodproductionandcirculationforsupervisiondepartments,andvariousmethodsoffoodtraceabilityforthepublic.Bybuildingaunifiedcommoditycirculationdatapoolthatcollectsallthedataamongproduction,circulationandsupervisingdepartments,notonlytheproductionandcirculationinformationofthefoodproductcanbetraced,butalsoitsinspectionandquarantineinformation.ThedatabaseanddatainterfaceoftheplatformisdevelopedbasedonthefoodelectronictraceabilitystandardsformulatedbytheNationalFoodandDrugAdministration.Itsinterfacestandardizationandcompatibilitywithotherfoodtraceabilityplatformscanthusbeguaranteed.TheplatformcurrentlyisrunningatGuangdongprovince.Keysupervisingproductsofinfantformulafoods(includingmilkpowder,riceflour,farina,etc),editableoilandliquoraretraceablebythisplatform.ThepubliccanusetheGuangdongfoodtraceabilityportal,mobileAPP,Wechatortheself-serviceterminalsinthesupermarketstotracefoodproductsbyscanningorinputtingitstraceabilitycodeoritsproductcode,andqueryinformationaboutfoodenterpriselicense,inspectionandquarantine,marketandcirculation,etc.Forproductwithtraceabilitycode,itsauthenticitycanbeverified.Itwillhelptoprovidehealthsafetytothepublicandpromoteconsumerconfidence. [J]. Computer and Modernization, 2018, 0(06): 116-.
[5]	WANG Tian-hua1, LENG Lu2, YUAN Ming-wen3. Palmprint Recognition System on Mobile Devices Based on Dual-point Assistance [J]. Computer and Modernization, 2018, 0(03): 112-.
[6]	XIAO Cheng-wang, LU Jun, YU Li-geng. Design and Verification of New Defense Model for Android Mobile Phone Access Vulnerability [J]. Computer and Modernization, 2017, 0(9): 56-60,119.
[7]	DONG Guo-Liang1,2, ZANG Lie1, LI Hang1, GAN Lu1. A Path Automatic Generation Method for Dynamic Taint Analysis [J]. Computer and Modernization, 2017, 0(7): 32-37+41.
[8]	LIU Zhi-wei1, DONG Zheng-hong2, YANG Fan2, LI Meng-wei1. A Customized PDF Reader Based on Android Platform [J]. Computer and Modernization, 2017, 0(6): 72-75+90.
[9]	ZHONG Xi-wu, XU Chun-yu, HUANG Yi-tao, HUANG Zhen. Museum Visiting and Guiding System Based on ZigBee [J]. Computer and Modernization, 2017, 0(6): 76-79+102.
[10]	WANG Zhi-hua, KONG Jian-shou, GAO Yuan. Development of Mobile Visible Monitoring and Control System for Intelligent Substation [J]. Computer and Modernization, 2017, 0(5): 56-596,66.
[11]	ZHANG Gao-zhen, LIU Yuan-bo, ZHANG Xian-kun. Food Science Popularization Knowledge Software Based on Android [J]. Computer and Modernization, 2017, 0(2): 113-116.
[12]	ZHANG Chun, YUAN Tian-ning. Design of Multi-source and Heterogeneous Data Fusion Framework for Integrated Lifecycle Management of EMU [J]. Computer and Modernization, 2017, 0(10): 36-41.
[13]	LIANG Wei-wei1， YIN Zhao-hui1， MU Rui-fen2， JIN Shuo1， WANG Bing1. Wireless Falling Weight Deflectometer Measurement Software Based on Android [J]. Computer and Modernization, 2016, 0(6): 49-52,58.
[14]	LI Jin-hua1, ZHEN Hui2, HUANG Hai1, YAO Jian3. Android Client for Dynamic ECG Monitoring System Based on BLE [J]. Computer and Modernization, 2016, 0(4): 114-122.
[15]	ZHANG Zhen, ZHANG Long. Research and Implementation of Native Layer Reinnforcement #br# Technology Based on Android Platform [J]. Computer and Modernization, 2016, 0(10): 88-91.