FlowDroid – Taint Analysis

FlowDroidFlowDroid is a context-, flow-, field-, object-sensitive and lifecycle-aware static taint analysis tool for Android applications. Unlike many other static-analysis approaches for Android we aim for an analysis with very high recall and precision. To achieve this goal we had to accomplish two main challenges: To increase precision we needed to build an analysis that is context-, flow-, field- and object-sensitive; to increase recall we had to create a complete model of Android’s app lifecycle.

Our analysis is based on Soot and Heros. FlowDroid uses a very precise callgraph which helps us to ensure flow- and context-sensitivity. Its IFDS-based flow functions guarantee field- and object-sensitivity. Because an accurate and efficient alias search is crucial for context-sensitivity in conjuction with field-sensitivity, we want to highlight this part of our analysis, which is inspired by Andromeda. The following code example shows how our approach tracks aliases:
aliasFlow
We want to analyze if there is a connection from source to the sink. We start with the first line of the main method and analyze each statement successively. Note that in (3) a taint is assigned to a field (x.f) which starts a backward analysis. Now the statements are examined in the reverse order and we learn that z.g.f, a.g.f and b.f are aliases of x.f. The sink method takes b.f as input parameter, so there is a source-to-sink connection.

Furthermore, FlowDroid needs a complete modeling of Android’s lifecycles and callbacks. Because sources and sinks for Android are provided by SuSi, we only have to look for entry points. Along with necessary meta information they are extracted from Android’s manifest file, dex files and layout xml files. The latter allow us to consider user interaction callbacks defined in XML (for example button clicks) and discover additional sources in terms of password fields. Because user interaction cannot be predicted statically, FlowDroid generates a special main method which considers all possible combinations to make sure no taint is lost.

FlowDroid achieves 93% recall and 86% precision on DroidBench, our own Android benchmark suite. Despite its high precision FlowDroid is still capable of analyzing real-world applications and also performs well on SecuriBench Micro, a testsuite originally designed for web applications.

Are there any publications on FlowDroid?

FlowDroid: Precise Context, Flow, Field, Object-sensitive and Lifecycle-aware Taint Analysis for Android Apps (Steven Arzt, Siegfried Rasthofer, Christian Fritz, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves le Traon, Damien Octeau and Patrick McDaniel). To appear at PLDI’14.

Highly Precise Taint Analysis for Android Applications (Christian Fritz, Steven Arzt, Siegfried Rasthofer, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves le Traon, Damien Octeau and Patrick McDaniel), EC SPRIDE Technical Report TUD-CS-2013-0113, May 2013.

FlowDroid: A Precise and Scalable Data Flow Analysis for Android (Christian Fritz), Master thesis, TU Darmstadt, July 2013.

Where can I find the source-code of FlowDroid?The source code consists of two projects on Github, along with its dependencies:

aec-badge-pldi

See the Wiki page on Github for information on how to build and run FlowDroid. There, you can also find links to nightly builds of all required JAR files which is the most convenient way to try out FlowDroid. If you have any questions, please contact Steven Arzt or Siegfried Rasthofer.

 

Which source/sinks lists can I use to configure FlowDroid?

The most comprehensive lists are the ones computed by our SuSi tool. They are available for download here.