IIFA: Modular Inter-app Intent Information Flow Analysis of Android Applications
Android apps cooperate through message passing via intents. However, when apps have disparate sets of privileges, inter-app communication (IAC) can accidentally or maliciously be misused, e.g., to leak sensitive information contrary to users' expectations. Recent research has applied static program analysis to detect dangerous data leaks due to inter-component communication (ICC), but existing approaches suffer from shortcomings for IAC with respect to precision, soundness, and scalability. To address these issues we propose a novel pre-analysis for static ICC/IAC analysis. Using a database of summary information about intent communication, we perform a fixed-point iteration over ICC/IAC summaries to precisely resolve intent communication involving two or more apps. We integrate the results of our pre-analysis with the information flows generated by a baseline (i.e., intent-unaware) information flow analysis, and determine whether sensitive data flows (transitively) through components/apps to be ultimately leaked. Our main contribution is the first fully automatic, sound, and precise ICC/IAC information flow analysis that scales to realistic apps thanks to modularity, avoiding combinatorial explosion: our approach determines communicating apps using short summaries rather than inlining intent calls between components and apps, which would require simultaneously analyzing all apps installed on a device. We evaluated our tool IIFA in terms of scalability, precision, and recall. On benchmarks we establish that our pre-analysis does not negatively impact precision and recall relative to prominent state-of-the-art ICC/IAC analyses. Most importantly, applied to the 90 most popular applications from the Google Play Store, IIFA demonstrated its scalability to a large corpus of real-world apps, reporting 62 problematic ICC-/IAC-related information flows via two or more apps/components.
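To make the summary-plus-fixed-point idea concrete, here is a small model of it written for this page; it is illustrative code, not IIFA's implementation. Each component carries a short summary of the kind an intent-unaware baseline taint analysis could produce (which sources flow into which outgoing intents, whether received intent data is forwarded, and which sinks received intent data reaches). Intent targets are then resolved by iterating those summaries to a fixed point instead of inlining callees across apps, so a cycle between two apps (Weather and Relay below) still terminates. All app, component, action, source and sink names are made up for the example.

```python
"""Toy model of summary-based ICC/IAC intent flow resolution.

Illustrative example for this page, not IIFA's code. Every name below
(apps, components, actions, sources, sinks) is constructed for the demo.
"""
from dataclasses import dataclass, field


@dataclass
class Summary:
    """Per-component summary as an intent-unaware taint analysis could emit it."""
    app: str
    name: str
    filters: frozenset = frozenset()            # actions accepted by the intent filter
    sends: dict = field(default_factory=dict)   # target -> sources flowing into that intent
    forwards: frozenset = frozenset()           # targets fed with data from the incoming intent
    recv_sinks: frozenset = frozenset()         # sinks reached by incoming-intent data

    @property
    def id(self):
        return f"{self.app}/{self.name}"


def receivers(target, comps):
    """Resolve an explicit ("App/Comp") or implicit (action string) intent target."""
    return [c for c in comps if c.id == target or target in c.filters]


def resolve(comps):
    """Fixed-point iteration over summaries.

    incoming[c] maps each source to the set of components where that data
    originated and from which it reaches c through one or more intents.
    The lattice (sets of origins per source) is finite, so iteration terminates.
    """
    incoming = {c.id: {} for c in comps}
    changed, rounds = True, 0
    while changed:
        changed, rounds = False, rounds + 1
        for s in comps:
            outgoing = {}
            # fresh sources this component itself puts into an intent
            for target, sources in s.sends.items():
                for src in sources:
                    outgoing.setdefault(target, {}).setdefault(src, set()).add(s.id)
            # data received via intent and forwarded on (transitive flows)
            for target in s.forwards:
                for src, origins in incoming[s.id].items():
                    outgoing.setdefault(target, {}).setdefault(src, set()).update(origins)
            for target, payload in outgoing.items():
                for r in receivers(target, comps):
                    for src, origins in payload.items():
                        cur = incoming[r.id].setdefault(src, set())
                        if not origins <= cur:
                            cur |= origins
                            changed = True
    return incoming, rounds


def leaks(comps):
    """Join resolved intent data with each component's received-data sinks."""
    incoming, _ = resolve(comps)
    found = set()
    for c in comps:
        for sink in c.recv_sinks:
            for src, origins in incoming[c.id].items():
                for origin in origins:
                    found.add((src, origin, c.id, sink))
    return found


# Constructed sample: four apps, one implicit action shared by three of them,
# a Relay -> Weather -> Relay cycle, and a receiver (Notes) that never leaks.
APPS = [
    Summary("Weather", "Main", sends={"ACTION_SHARE": {"LOCATION"}}),
    Summary("Relay", "Hub", filters=frozenset({"ACTION_SHARE"}),
            forwards=frozenset({"Uploader/Upload", "ACTION_RESULT"})),
    Summary("Weather", "Result", filters=frozenset({"ACTION_RESULT"}),
            forwards=frozenset({"ACTION_SHARE"})),
    Summary("Notes", "Share", filters=frozenset({"ACTION_SHARE"})),
    Summary("Uploader", "Picker", sends={"Uploader/Upload": {"CONTACTS"}}),
    Summary("Uploader", "Upload", recv_sinks=frozenset({"INTERNET"})),
]

if __name__ == "__main__":
    for src, origin, dst, sink in sorted(leaks(APPS)):
        print(f"{src} from {origin} reaches sink {sink} in {dst}")
```

The LOCATION flow crosses three apps (Weather, Relay, Uploader) and is found without ever analysing the three apps' code together; only their summaries are joined. The CONTACTS flow is an intra-app ICC case resolved by the same machinery via an explicit target, and Notes/Share receives LOCATION but is not reported because its summary has no sink reachable from received data.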
Poster at ECOOP 2019 (ECOOP_Poster2019.pdf)