Path-Sensitive Analysis of Message-Controlled Communication for Android Apps

To support quality development of Android apps, a variety of techniques have been produced for analyzing the exchange of messages, i.e., Intents, among Android components. Intents and their payloads can cause a variety of operations to be performed, and can be filled with malicious data, demonstrating that Intents can serve as attack vectors of an insecure app. Intents may further guard or control execution of different program paths, which may contain vulnerable, faulty, or energy-inefficient code. While different techniques have focused on determining possible Intents in an app, none have focused on analyzing Intents per program path, i.e., path-sensitive Intent analysis. Analyzing a program per path allows the determination of the attributes of Intents needed to control execution of a program from its message-based inter-component interface. Unfortunately, analyzing apps in a path-sensitive manner faces scalability issues. To address these challenges, we introduce a novel, scalable framework called PHENOMENON (PatH-sEnsitive aNalysis Of MEssage-coNtrOlled communication for aNdroid apps). We evaluate the accuracy of PHENOMENON’s path-sensitive analysis on five apps with 4KSLOC–460KSLOC, over a total of 4,100 program paths, achieving an accuracy of over 96% for each app. To evaluate PHENOMENON’s efficiency, we assess it on 100 randomly selected apps, demonstrating an average runtime of 30 seconds, with no app taking more than 180 seconds to analyze.
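The idea in the abstract, as an added toy illustration in Python (not PHENOMENON's code, algorithm or output format): a constructed Intent handler is modeled as a decision tree, every path through it is enumerated, and the Intent conditions guarding each operation are collected. The handler, the action and extra names, and the `limit` cap on enumerated paths are assumptions made for this example.

```python
# Toy model (constructed sample, not taken from any real app): a component's
# Intent handler as a decision tree. A branch node is a tuple
# (predicate, then_subtree, else_subtree); a leaf is the operation reached.
HANDLER = (
    "action == 'com.example.SEND'",
    ("hasExtra('url')",
        ("getStringExtra('url') != null", "loadUrl(url)", "showError()"),
        "sendDefault()"),
    ("action == 'com.example.DELETE'",
        ("hasExtra('path')", "deleteFile(path)", "noop()"),
        "ignore()"),
)


def enumerate_paths(node, conds=(), limit=None, out=None):
    """Depth-first walk returning [(operation, [conditions])], one per path.

    `limit` (hypothetical parameter) stops the walk once that many paths
    have been collected, which bounds the cost on heavily branching code.
    """
    if out is None:
        out = []
    if limit is not None and len(out) >= limit:
        return out
    if isinstance(node, str):              # leaf: one complete path
        out.append((node, list(conds)))
        return out
    pred, then_branch, else_branch = node
    enumerate_paths(then_branch, conds + (pred,), limit, out)
    enumerate_paths(else_branch, conds + (f"!({pred})",), limit, out)
    return out


def intents_reaching(operation, tree=HANDLER):
    """Per path, the conditions an incoming Intent must satisfy to reach `operation`."""
    return [conds for op, conds in enumerate_paths(tree) if op == operation]


if __name__ == "__main__":
    for op, conds in enumerate_paths(HANDLER):
        print(f"{op:18} <- {' && '.join(conds)}")
    # Which Intents can drive execution to the sensitive file deletion?
    print(intents_reaching("deleteFile(path)"))
```

A path-insensitive view would only report that the component reads the action and the `url` and `path` extras; the per-path view shows which combination of them guards each operation.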

The PHENOMENON tool and subject apps, for the accuracy experiments and benchmarks for internal testing purposes, are available here.

phenomenon_workspace.tar.gz contains a pre-built version of PHENOMENON with all its dependencies, and its source code. Simply extract the phenomenon_workspace/ directory and cd to the phenomenon/ directory within it. Make sure that edud.sh is executable. You can run it by executing:

$ ./edud.sh <path to apk>

This will generate a set of output files in the phenomenon/logs/ directory. If the APK supplied is named com.ghostsq.commander_308.apk, and parallelism is disabled, the following logs are generated:
edu.uci.seal.path.analyses.extradata.ExtraDataUseDriver-com.ghostsq.commander_308.apk-pool-1-thread-1.log
edu.uci.seal.path.analyses.extradata.ExtraDataUseDriver-com.ghostsq.commander_308.apk-main.log

Running edud.sh -h shows help options for parallelism and path upper-bounding.

To view an example of the Intent information and path expressions generated, please see the document available here. The app from which the example is generated, multi_action_test_app, is available in the subject_apps/benchmark_subjects/ directory in the Dropbox link above.

If you would like to build PHENOMENON, you can either load the project into IntelliJ IDEA, or simply run the following command from the phenomenon/ directory:

$ ant -f phenomenon.xml

For a more detailed breakdown of errors regarding our accuracy experiments, see the spreadsheet here. For each app package, we show the programming-language class containing the error, the line number around which the error occurs (if applicable), and some comments regarding the error.

If you prefer not to regenerate the experimental logs (e.g., the *pool-1-thread-1.log and *main.log files), you can find the accuracy experiment logs in the exp_logs/ folder in the Dropbox link above.

If you need more help, please find my contact info here, and let me know how I may help.


