APPLADroid: Automaton based inter-app privacy leak analysis for android

Abstract

An app named “Aqua Mail” is a Google play store app with millions of downloads. It allows the user to manage Google account mails. For caching purposes, it stores the mails in a content provider protected with a custom permission rather than Android defined permission to access mails (MANAGE_ACCOUNTS). Another app named “Enhanced SMS and call” can access mails directly by obtaining the permission of reading the custom content provider of Aqua Mail. Google is not aware of the fact that any other app is accessing the mails. In order to detect such flows, a precise inter-app analysis is needed to identify leakage from source in one app to sink in another app. In this paper, we present an extension of a static analysis technique named SniffDroid to detect the inter-app privacy leaks in Android. Our technique models Android apps and Android permissions as the automaton and utilizes the intersection property of automaton to detect privacy leakage. To assess the performance of the proposed approach, we analyzed Droidbench samples, self-made apps and Google playstore apps. We created novel samples of leakage through a chain of apps and analyzed them using open-source existing state-of-art approaches. We found that none of them could detect the leakage paths. The proposed approach detects the inter-app privacy leakage with 100% accuracy. © Springer Nature Singapore Pte Ltd. 2019.