Lifting Inter-App Data-Flow Analysis to Large App Sets

– Supplementary Web site –

Chair of Software Engineering

Chalmers University

IT University of Copenhagen

Overview

This Web site provides supplementary material for the paper "Lifting Inter-App Data-Flow Analysis to Large App Sets", submitted to FSE 2016. The paper describes a variability-aware approach for analysing privacy leaks between Android apps. On this page we provide access to SIFTA, the tool developed in this project, and documentation of the experiments.

Tools

In our experiments, we compare our tool, SIFTA, against other state-of-the-art tools. SIFTA was developed by Niklas Schalck Johansson and Mikael Mark Hardø during their master's thesis. We compare it against Didfail and IccTA; both can be used to detect privacy leaks as described in the paper. The tools can be obtained from the following Web sites:
  • SIFTA: https://github.com/Dyrborg/SIFTA
  • Didfail: https://www.cs.cmu.edu/~wklieber/didfail/
  • IccTA: https://sites.google.com/site/icctawebpage/

Experiments -- Accuracy

To evaluate the accuracy of SIFTA, we conducted experiments with benchmark sets for privacy-flow analysis of Android apps. For these experiments we used the "precision" branch of SIFTA.

  • IACBench: A benchmark set developed by us, with a focus on inter-app communication.
  • ICC-Bench: A benchmark set developed by the authors of Amandroid, another tool for app flow analysis.
  • DroidBench: A well-known benchmark set for flow analysis in Android apps. We used the branch "iccta", in which most of the relevant apps were provided by the authors of IccTA.

Experiments -- Scalability

In a second set of experiments we evaluated the scalability of SIFTA on real-world apps. For these experiments we used the "scalability" branch of SIFTA. We used three different sets of Android apps:

  • IccRE: A set of 445 apps that are known to leak private data through inter-component communication.
  • MalGenome: A set of 1260 malware apps collected by the Android Malware Genome Project.
  • PlayStore set: A set of 164324 apps that we downloaded from the Google Play Store. We used relations in the metadata of downloaded apps to add new apps to the download queue, starting with the Facebook app. This provides us with a huge set of apps well distributed over the app store.

How to use SIFTA

To help with using SIFTA, we prepared a small script that downloads and sets up SIFTA. A second script can be used to download DroidBench and run SIFTA on the benchmark. Both scripts can be downloaded from this link.

First ensure that all required packages (python, graphviz, ...) are installed on your system; see github.com/.../SIFTA/.../setup for the setup on a clean Ubuntu 14.04. Then extract the Sifta_test_env.tar.gz archive and run ./setup.sh from it. After setup, you can run ./test_DroidBench.sh to download DroidBench and evaluate SIFTA on it.

Downloads

The only set of experiment apps that is not publicly available is the PlayStore set. Unfortunately we cannot permanently host this set on our web server, as it is very large (1030 GB); even an archive containing only the results is already 6.5 GB. Please contact us directly to obtain these archives. We provide a list of the apk names in this set. Furthermore, we provide a list of how often each app occurs in the data flows reported by SIFTA and a list of apps that occur in the middle of flows. These lists identify high-risk apps that are of special interest for securing app stores. We also provide histograms of the path lengths in the graphs computed in experiments E3 and E4.
  • Setup and test scripts
  • List of apks in the PlayStore app set
  • List of how often apps occur in reported flows
  • List of apps that occur in the middle of reported flows
  • Histogram of the path lengths in the graphs computed in the experiments E3 and E4
  • SIFTA
  • Didfail
  • IccTA
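As an added illustration (not part of the paper's artefacts or of SIFTA's code), the following Python computes the three derived views described above from a constructed set of inter-app flows: how often each app occurs in reported flows, which apps sit in the middle of a flow (forwarding data they neither read nor exfiltrate themselves), and a histogram of path lengths. The flow representation (an ordered list of app names from source to sink) and the hop-based length measure are assumptions.

```python
from collections import Counter

# Constructed sample: each flow is the ordered list of apps that a piece of
# private data passes through, from the app that reads it to the app that
# sends it out. The representation is an assumption, not SIFTA's format.
SAMPLE_FLOWS = [
    ["contacts.reader", "share.hub", "net.uploader"],
    ["location.tracker", "share.hub", "net.uploader"],
    ["contacts.reader", "net.uploader"],
    ["sms.logger", "relay.a", "relay.b", "net.uploader"],
]


def app_occurrences(flows):
    """Number of reported flows in which each app occurs (counted once per flow)."""
    counts = Counter()
    for flow in flows:
        for app in set(flow):
            counts[app] += 1
    return counts


def middle_apps(flows):
    """Apps that occur strictly between the source and the sink of a flow.

    These intermediaries are the ones the text calls out as high risk: they
    neither read the private data nor leak it, yet they forward it.
    """
    mids = Counter()
    for flow in flows:
        for app in set(flow[1:-1]):
            mids[app] += 1
    return mids


def path_length_histogram(flows):
    """Histogram of flow lengths, measured in hops (edges) between apps."""
    return Counter(len(flow) - 1 for flow in flows)


def rank_high_risk(flows):
    """Rank apps by how often they act as intermediary, then by total occurrences."""
    total, mids = app_occurrences(flows), middle_apps(flows)
    rows = [(app, mids[app], total[app]) for app in total]
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))


if __name__ == "__main__":
    for app, as_middle, in_flows in rank_high_risk(SAMPLE_FLOWS):
        print(f"{app:18} middle={as_middle} flows={in_flows}")
    print("path lengths (hops):", dict(path_length_histogram(SAMPLE_FLOWS)))
```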

Contact

The paper "Lifting Inter-App Data-Flow Analysis to Large App Sets" was written by Alexander von Rhein, Thorsten Berger, Niklas Schalck Johansson, Mikael Mark Hardø, and Sven Apel. For questions regarding the paper, please contact the authors.

  • Alexander von Rhein (University of Passau)
  • Thorsten Berger (University of Gothenburg / Chalmers University of Technology)
  • Niklas Schalck Johansson (ITU Copenhagen)
  • Mikael Mark Hardø (ITU Copenhagen)
  • Sven Apel (University of Passau)