| Android-based smartphones store a large amount of users' private data. Leakage of this data can cause users to suffer economic losses and personal injury. However, third-party application markets are currently filled with a large number of Android malware samples and applications with vulnerabilities, while existing detection technologies mainly target Android software vulnerability scanning and lack effective methods for detecting leakage of users' private data. Therefore, based on the characteristics of privacy data leakage, we propose corresponding privacy leakage detection methods for Android applications, and we design and implement a system to detect privacy data leakage in Android applications. The main contributions are as follows: (1) We summarize the characteristics of privacy data leakage in Android applications and divide the leakage paths into two categories: privacy data leakage of sensitive data flow and privacy data leakage of vulnerability code. The former includes single-component and inter-component privacy data leakage. The latter includes the debuggable/allowBackup vulnerability, exposed components, and API misuse vulnerabilities. (2) For privacy data leakage of sensitive data flow, we adopt a method that combines static analysis and taint analysis with dynamic testing. First, we construct the application's control flow graph and function call graph. Second, we perform data flow analysis over the control flow graph and function call graph, marking and tracking tainted data, to obtain the potential privacy data leakage paths and to collect the application's component configurations, Intents, and other relevant information. Finally, we use the collected information to construct effective test data, test the target application dynamically, and verify the results of the static analysis. (3) For privacy data leakage of vulnerability code, we combine feature matching with dynamic testing to detect vulnerabilities. By inspecting the application's configuration file, we match the debuggable/allowBackup vulnerability and exposed components. We then repackage the application and insert tags for the exposed components. Next, combined with monitoring of system APIs, we test the accessibility of the exposed components and record information when the components are triggered. Finally, we compile a list of misused APIs and locate API misuse vulnerabilities based on data flow analysis. (4) We design and implement a tool named LeakDroid for privacy data leakage detection. We used the tool to analyze 300 Android applications covering games, social networking, news, and other categories, and found a total of 389 instances of privacy leakage of vulnerability code as well as 49 instances of privacy leakage of sensitive data flow. Moreover, using the detection results for the sample application LeakTest.apk, we compared our results with those of four online detection platforms and with FlowDroid's security report. These results show that our approach to detecting privacy data leakage in Android applications is effective and practical. |