DidFail: a Free Android Tool to Detect Information Leakage
CERT Secure Coding team have recently released a freely available tool capable of analysing the leakage of sensitive information from an Android app. CERT researchers claim their tool "is the most precise taint-flow static analysis tool for Android apps."
CERT work addresses the problem of leakage of information from a sensitive source to a restricted sink. Leakage of sensitive information may happen when, e.g., a user installs an app that leaks the user's contact list (the source) to some unauthorized party (the sink). This is a typical problem of information flow analysis. A security issue also exists in case the data flow occurs in the opposite direction, e.g., when untrusted data is sent to a place that’s supposed to store only high-trusted data that’s been sent by an authorized source.
To address such kind of concerns, CERT researchers designed and implemented DidFail (Droid Intent Data flow Analysis for Information Leakage), a freely downloadable tool that combines and augments two existing Android tools for dataflow analysis: FlowDroid, which identifies intra-component taint flows; and Epicc, which identifies properties of intents such as its action string.
The advantage of DidFail over FlowDroid, states CERT researcher Will Kiebler, is that while the latter only focuses "on information that flows in a single component of an app", DidFail "analyses potentially tainted flows between apps and, within a single app, between multiple components." According to Kiebler, a way of explaining what DidFail does is that it "takes the original APK and adds a unique identification to each place in the code where the APK sends an intent." This unique identifier is then used to "match the output of Epicc with the output of FlowDroid."
Work on DidFail is not finished yet, says Kiebler. The tool can generate "false positives that are caused by a coarse-grained approach to detecting information flows between apps." More importantly, DidFail focuses exclusively on Android intents as the method of data communication across applications and does not consider other Android IAP mechanisms, such as directly querying Content Providers, reading from and writing to an SD card, and using communication channels (e.g., sockets or the Binder) implemented by the underlying Android Linux operating system.
Brandon Holt, Preston Briggs, Luis Ceze, Mark Oskin May 21, 2015
Kai Kreuzer, Olaf Weinmann May 21, 2015