Affiliation:
1. Systems and Computing Engineering Department, Universidad de los Andes, Bogotá, Colombia
2. Singapore University of Technology and Design, Singapore
Abstract
Android stores and users need mechanisms to evaluate whether their applications are secure. Although various previous works use data and control flow techniques to evaluate security features of Android applications, this paper extends those works by using Jif to verify compliance with information flow policies. To do so, the authors addressed some challenges that emerge in Android environments, such as automating the generation of Jif labels for Android applications and defining translations for Java instructions that are not currently supported by the Jif compiler. Results show that a Jif-based analysis is faster and has better recall than other available mechanisms, but it also has slightly lower precision. Jif also provides an open source compiler, generates executable code for an application only if that application meets a defined policy, and checks implicit flows, which may be relevant for highly sensitive applications.