Dynamic Study of Android Application Programming Paradigms and their Security Implications

A plethora of research on Android have been exclusively focused on security and privacy issues in the Android software ecosystem, especially Android app security, yet there are very little insights into how Android applications have been commonly built and into the environments in which those applications execute. With the proliferation of its user base and popularity in the mobile and personal computing arena, Android apps need to be dissected and characterized with respect to a general understanding of their programming paradigms and runtime behaviours. Gaining such understandings is critical as it will enable more effective development of both Android apps themselves and better security defense solutions for securing them.

DroidFax is a toolkit dedicated to offering an experimental framework for the dynamic characterization of Android apps. To help deliver a characterization more representative of the latest Android framework features, DroidFax targets the latest release of the Android SDK (version 6.0 / API level 23 / Marshmallow). Its core consists of a lightweight static analysis that mainly instruments the Dalvik bytecode of a given app for call profiling and ICC monitoring, and a lightweight dynamic analysis that collects and then analyzes generated call and ICC traces. It also includes a pre-processing phase taking charge of benchmark apps downloading and ICC-based app pairing based on the ICC resolution results obtained using a third-party tool. The last part of DroidFax computes three categories of metrics from the traces: general metrics, ICC metrics, and security metrics. (the detailed metric definition)

This is the project homepage for DroidFax, where you can find the usage information and downloads of source code and all other inputs needed by the toolkit. DroidFax is implemented on top of our Android data-flow analysis and instrumentation library duafdroid, which is based on the Soot byte-code analysis and optimization framework. Both duafdroid and Soot on which DroidFax depends can be downloaded on this page as well, using the links as follows.

How to use DroidFax

Release Download

Source Code

You can obtain the source code on DroidFax source repository, where all necessary inputs to DroidFax are hosted too (e.g., our manual callback categorization and our manually improved source and sink categorization).

Study Results

Inter-App Benchmark Suite

As a result of our study, we obtained a suite of Android app pairs in which the two apps have been confirmed to have inter-app ICCs that can be easily exercised with random inputs. We list the package names of each two apps and exercised inter-app ICC statistics.

DroidFax Artifact Package with a usage-demo virtual machine

The package includes all artifacts about this study and the toolkit DroidFax. The Virtual Machine therein provides an easy way to explore the artifact and use the toolkit. Detailed instructions can be found in the README files within the artifact.zip.

View DroidFax Video Demo

Download DroidFax Demo Video

More details and preliminary results can be found in a technical report for this project.