DidFail: a Free Android Tool to Detect Information Leakage

by Sergio De Simone on Jul 08, 2014

The CERT Secure Coding team has recently released a freely available tool capable of analysing the leakage of sensitive information from an Android app. CERT researchers claim their tool "is the most precise taint-flow static analysis tool for Android apps."

CERT's work addresses the problem of information leaking from a sensitive source to a restricted sink. Leakage of sensitive information may happen when, e.g., a user installs an app that leaks the user's contact list (the source) to some unauthorized party (the sink). This is a typical problem of information flow analysis. A security issue also exists when the data flows in the opposite direction, e.g., when untrusted data is sent to a place that is supposed to store only highly trusted data sent by an authorized source.

To address these concerns, CERT researchers designed and implemented DidFail (Droid Intent Data flow Analysis for Information Leakage), a freely downloadable tool that combines and augments two existing Android tools for dataflow analysis: FlowDroid, which identifies intra-component taint flows; and Epicc, which identifies properties of intents, such as their action strings.

The advantage of DidFail over FlowDroid, states CERT researcher Will Kiebler, is that while the latter only focuses "on information that flows in a single component of an app", DidFail "analyses potentially tainted flows between apps and, within a single app, between multiple components." According to Kiebler, a way of explaining what DidFail does is that it "takes the original APK and adds a unique identification to each place in the code where the APK sends an intent." This unique identifier is then used to "match the output of Epicc with the output of FlowDroid."
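The matching step described above can be sketched as a join on the intent ID followed by a graph search. This is an added example, not DidFail's code or file formats: the component names, action strings, record layout and the action-only filter matching are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data: a simplified model, not DidFail's real file formats.
# Intra-component flows (the kind of result FlowDroid reports): (component, source, sink).
# "intent:<id>" is a sent intent tagged with a unique ID; "intent:received" is an incoming one.
FLOWS = [
    ("ContactsReader", "src:ContactsProvider", "intent:id1"),
    ("Relay", "intent:received", "intent:id2"),
    ("Uploader", "intent:received", "sink:HttpPost"),
    ("Logger", "intent:received", "sink:Log"),
]
# Intent properties keyed by the same unique ID (the kind of result Epicc reports).
INTENTS = {"id1": {"sender": "ContactsReader", "action": "com.example.RELAY"},
           "id2": {"sender": "Relay", "action": "com.example.UPLOAD"}}
# Actions each component's intent filter accepts (hypothetical manifest data).
FILTERS = {"Relay": {"com.example.RELAY"}, "Uploader": {"com.example.UPLOAD"},
           "Logger": {"com.example.DEBUG"}}

def build_graph(flows, intents, filters):
    """Join both result sets on the intent ID; intent nodes are qualified per component."""
    graph = defaultdict(set)
    for comp, src, sink in flows:
        s = src if src.startswith("src:") else f"{comp}/{src}"
        d = sink if sink.startswith("sink:") else f"{comp}/{sink}"
        graph[s].add(d)
    for iid, props in intents.items():
        sent = f"{props['sender']}/intent:{iid}"
        for comp, actions in filters.items():
            if props["action"] in actions:  # assumption: match on action string only
                graph[sent].add(f"{comp}/intent:received")
    return graph

def find_leaks(flows, intents, filters):
    """Return every path from a sensitive source to a sink as a list of nodes."""
    graph = build_graph(flows, intents, filters)
    leaks = []
    def walk(node, path):
        if node.startswith("sink:"):
            leaks.append(path)
            return
        for nxt in sorted(graph.get(node, ())):
            if nxt not in path:  # avoid cycles between components
                walk(nxt, path + [nxt])
    for start in sorted(n for n in list(graph) if n.startswith("src:")):
        walk(start, [start])
    return leaks

if __name__ == "__main__":
    print("\n".join(" -> ".join(p) for p in find_leaks(FLOWS, INTENTS, FILTERS)))
```

No single component in the sample data moves contacts to the network; the leak only appears once the three components' flows are chained through the two intents.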

Work on DidFail is not finished yet, says Kiebler. The tool can generate "false positives that are caused by a coarse-grained approach to detecting information flows between apps." More importantly, DidFail focuses exclusively on Android intents as the method of data communication across applications and does not consider other Android IAP mechanisms, such as directly querying Content Providers, reading from and writing to an SD card, and using communication channels (e.g., sockets or the Binder) implemented by the underlying Android Linux operating system.
