Static Data Flow Analysis for Android Applications

Mobile phones have become important daily companions for millions of people which help to organize both their private and their professional lives. Having access to data such as the calendar or the address book anywhere, anytime, has become commonplace. Sensor data such as the phone’s GPS location and accelerometer help users navigate through the physical world. Users can furthermore extend the functionality of their phone using small programs called apps from various developers and vendors in an open ecosystem. Undoubtedly, having all this data merged on a device that is always-on and always-connected and that can easily be extended with new software greatly improves user convenience. On the other hand, it also poses new questions with regard to privacy and security. Apps may misuse the data stored on the phone or obtained from the sensors to infringe upon the user’s privacy. In fact, companies already now use location data and app usage statistics to build user profiles for the purpose of targeted advertisement. The user is oftentimes unaware of these data leaks originating from his phone and has little means for analyzing the actual behavior of a given app with regard to privacy. Static data flow analysis has been proposed as a means for automatically enumerating the data flows inside a program. Still, either do not support Android’s platform-specific semantics or fall short on precision, recall, or scalability. In this thesis, we therefore propose techniques for efficiently and precisely performing static data flow analysis on real-world binary-only Android apps with large code sizes. We present the FLOWDROID tool and show that it can detect data leaks in popular apps such as Facebook, Paypal, and LinkedIn. The FLOWDROID reports improve the user’s digital sovereignty by allowing his to asses the behavior of the app before installing it on his device and thereby entrusting it with his personal data. We allow the user to verify which of his data leaves the device and how. On the DROIDBENCH micro-benchmark suite, we show that FLOWDROID achieves a precision of more than 87% and a recall of over 84%, thereby outperforming state-of-the-art tools from academia and industry. Additionally, FLOWDROID has already been used as a building-block for many other works in the field.