Blogs (1) >>
ASE 2019
Sun 10 - Fri 15 November 2019 San Diego, California, United States
Tue 12 Nov 2019 13:40 - 14:00 at Hillcrest - Mobile 2 Chair(s): Myra Cohen

In the past, researchers have developed a number of popular taint-analysis approaches, particularly in the context of Android applications. Numerous studies have shown that automated code analyses are adopted by developers only if they yield a good “signal to noise ratio”, i.e., high precision. Many previous studies have reported analysis precision quantitatively, but this gives little insight into what can and should be done to increase precision further.

To guide future research on increasing precision, we present a comprehensive study that evaluates static Android taint-analysis results on a qualitative level. To unravel the exact nature of taint flows, we have designed COVA, an analysis tool to compute partial path constraints that inform about the circumstances under which taint flows may actually occur in practice.

We have conducted a qualitative study on the taint flows in 1,022 real-world Android applications. Our results reveal several key findings: Many taint flows occur only under specific conditions, e.g., environment settings, user interaction, I/O. Taint analyses should consider the application context to discern such situations. COVA shows that few taint flows are guarded by multiple different kinds of conditions simultaneously, so tools that seek to confirm true positives dynamically can concentrate on one kind at a time, e.g., only simulating user interactions. Lastly, many false positives arise due to a too liberal source/sink configuration. Taint analyses must be more carefully configured, and their configuration could benefit from better tool assistance.

Slides (A Qualitative Analysis of Android Taint-Analysis Results) (COVA-ASE19-Talk-public.pdf)1.57MiB

Tue 12 Nov

Displayed time zone: Tijuana, Baja California change

13:40 - 15:20
Mobile 2Research Papers / Journal First Presentations at Hillcrest
Chair(s): Myra Cohen Iowa State University
13:40
20m
Talk
A Qualitative Analysis of Android Taint-Analysis Results
Research Papers
Linghui Luo Paderborn University, Eric Bodden Heinz Nixdorf Institut, Paderborn University and Fraunhofer IEM, Johannes Späth Fraunhofer IEM
Pre-print File Attached
14:00
20m
Talk
Goal-Driven Exploration for Android Applications
Research Papers
Duling Lai University of British Columbia, Julia Rubin University of British Columbia
Pre-print
14:20
20m
Talk
RANDR: Record and Replay for Android Applications via Targeted Runtime Instrumentation
Research Papers
Onur Sahin Boston University, Assel Aliyeva Boston University, Hariharan Mathavan Boston University, Ayse Coskun Boston University, Manuel Egele Boston University, USA
14:40
20m
Talk
Specifying Callback Control Flow of Mobile Apps Using Finite Automata
Journal First Presentations
Danilo Dominguez Perez Iowa State University, Wei Le Iowa State University
Link to publication
15:00
20m
Talk
MalScan: Fast Market-Wide Mobile Malware Scanning by Social-Network Centrality Analysis
Research Papers
Yueming Wu Huazhong University of Science and Technology, Xiaodi Li University of Texas at Dallas, Deqing Zou Huazhong University of Science and Technology, Wei Yang University of Texas at Dallas, Xin Zhang Huazhong University of Science and Technology, Hai Jin Huazhong University of Science and Technology
Pre-print