FlowDroid

  • DroidBench: an open test-suite for evaluating the effectiveness and accuracy of taint-analysis tools for Android apps
  • Source, sink model
  • “Apps consist of different components with a distinct lifecycle”.
    • callbacks
    • metadata
  • To increase precision: context-, flow-, field- and object-sensitive
  • To increase recall: create a complete model of the Android app lifecycle
  • “Flow-sensitivity”: the analysis takes the order of statements into account
  • Abstract:
    • Source, sink, and entry-point detection: parse manifest file, parse .dex files, parse layout XMLs.
    • Generate main method, build call graph, perform taint analysis
  • Limitations:
    • Reflection analysis
    • Unsoundness
    • Multi-threading
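
To make the flow-sensitivity and source/sink bullets concrete, here is an added example (not FlowDroid code and not from the paper): a toy taint analysis over a constructed straight-line program, run once flow-sensitively and once flow-insensitively. The tuple IR, the function names and the sample program are assumptions made for illustration.

```python
# Added illustration. The toy IR and all names here are hypothetical;
# this is not FlowDroid's API or algorithm, only the idea of flow-sensitivity.
SOURCE, CONST = "source()", "const"

# Constructed sample program: (op, target, operand).
# Comments show the Android-style statement each tuple stands for.
PROGRAM = [
    ("assign", "msg", CONST),    # 0: msg = "hello"
    ("sink",   "msg", None),     # 1: sendTextMessage(msg)   clean here
    ("assign", "id",  SOURCE),   # 2: id = getDeviceId()     source
    ("assign", "msg", "id"),     # 3: msg = id
    ("sink",   "msg", None),     # 4: sendTextMessage(msg)   real leak
    ("assign", "msg", CONST),    # 5: msg = "bye"            overwrites taint
    ("sink",   "msg", None),     # 6: sendTextMessage(msg)   clean again
]

def flow_sensitive(program):
    """Walk statements in order; the taint set reflects the current point."""
    tainted, leaks = set(), []
    for idx, (op, target, operand) in enumerate(program):
        if op == "assign":
            if operand == SOURCE or operand in tainted:
                tainted.add(target)
            else:
                tainted.discard(target)  # strong update kills old taint
        elif op == "sink" and target in tainted:
            leaks.append(idx)
    return leaks

def flow_insensitive(program):
    """Ignore order: one global taint set, grown to a fixpoint, never killed."""
    tainted, changed = set(), True
    while changed:
        changed = False
        for op, target, operand in program:
            if (op == "assign" and target not in tainted
                    and (operand == SOURCE or operand in tainted)):
                tainted.add(target)
                changed = True
    return [idx for idx, (op, target, _) in enumerate(program)
            if op == "sink" and target in tainted]

if __name__ == "__main__":
    print("flow-sensitive leaks at:  ", flow_sensitive(PROGRAM))
    print("flow-insensitive leaks at:", flow_insensitive(PROGRAM))
```

The flow-insensitive run flags the sinks at statements 1 and 6 as well, which are false positives; respecting statement order removes them, which is the precision gain the notes refer to.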