
DidFail: a Free Android Tool to Detect Information Leakage

by Sergio De Simone on Jul 08, 2014

The CERT Secure Coding team has recently released a freely available tool capable of analysing the leakage of sensitive information from an Android app. CERT researchers claim their tool "is the most precise taint-flow static analysis tool for Android apps."

CERT's work addresses the problem of information leaking from a sensitive source to a restricted sink. Such leakage may happen when, e.g., a user installs an app that leaks the user's contact list (the source) to some unauthorized party (the sink). This is a typical information flow analysis problem. A security issue also exists when the data flows in the opposite direction, e.g., when untrusted data is sent to a place that's supposed to store only highly trusted data sent by an authorized source.

To address this kind of concern, CERT researchers designed and implemented DidFail (Droid Intent Data flow Analysis for Information Leakage), a freely downloadable tool that combines and augments two existing Android tools for dataflow analysis: FlowDroid, which identifies intra-component taint flows; and Epicc, which identifies properties of intents, such as their action strings.

The advantage of DidFail over FlowDroid, states CERT researcher Will Klieber, is that while the latter only focuses "on information that flows in a single component of an app", DidFail "analyses potentially tainted flows between apps and, within a single app, between multiple components." According to Klieber, a way of explaining what DidFail does is that it "takes the original APK and adds a unique identification to each place in the code where the APK sends an intent." This unique identifier is then used to "match the output of Epicc with the output of FlowDroid."
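
The matching step described above can be sketched as follows. This is an added illustration, not DidFail's code: the flow tuples, intent IDs, component names and filter table are constructed, simplified stand-ins that do not reflect the real FlowDroid or Epicc output formats, and receivers are matched on the action string only.

```python
from collections import defaultdict

# Constructed sample data (hypothetical names). Flow = (component, source, sink).
# Sink "intent:<id>" is a tagged send site; source "intent:recv" is received data.
INTRA_FLOWS = [
    ("com.example.contacts/.Picker", "src:ContactsProvider", "intent:id1"),
    ("com.example.relay/.Forwarder", "intent:recv", "intent:id2"),
    ("com.example.upload/.Uploader", "intent:recv", "sink:HttpPost"),
    ("com.example.notes/.Editor", "src:Location", "sink:LogFile"),
]
# Intent properties recovered per tagged send site (action string only here).
INTENT_ACTIONS = {"id1": "com.example.SHARE", "id2": "com.example.UPLOAD"}
# Actions accepted by each component's intent filter.
INTENT_FILTERS = {
    "com.example.relay/.Forwarder": {"com.example.SHARE"},
    "com.example.upload/.Uploader": {"com.example.UPLOAD"},
}

def receivers(intent_id):
    """Components whose intent filter accepts the action sent at this site."""
    action = INTENT_ACTIONS.get(intent_id)
    return sorted(c for c, acts in INTENT_FILTERS.items() if action in acts)

def find_taint_flows(flows=INTRA_FLOWS):
    """Stitch per-component flows into source -> sink paths across components."""
    by_comp = defaultdict(list)
    for comp, src, sink in flows:
        by_comp[comp].append((src, sink))
    found = []

    def follow(origin, sink, path, seen):
        if sink.startswith("sink:"):
            found.append((origin, sink, tuple(path)))
            return
        intent_id = sink.split(":", 1)[1]   # the unique ID joins both data sets
        for rcv in receivers(intent_id):
            if (rcv, intent_id) in seen:    # guard against intent cycles
                continue
            for src, nxt in by_comp[rcv]:
                if src == "intent:recv":
                    follow(origin, nxt, path + [rcv], seen | {(rcv, intent_id)})

    for comp, src, sink in flows:
        if src.startswith("src:"):
            follow(src, sink, [comp], frozenset())
    return found

if __name__ == "__main__":
    for origin, sink, path in find_taint_flows():
        print(f"{origin} -> {sink} via {' -> '.join(path)}")
```

Looking at any one component in isolation, the contact data never reaches a network sink; the path only appears once the tagged send sites are joined with the receiving components.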

Work on DidFail is not finished yet, says Klieber. The tool can generate "false positives that are caused by a coarse-grained approach to detecting information flows between apps." More importantly, DidFail focuses exclusively on Android intents as the method of data communication across applications and does not consider other Android IAP mechanisms, such as directly querying Content Providers, reading from and writing to an SD card, and using communication channels (e.g., sockets or the Binder) implemented by the underlying Android Linux operating system.
