Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of 2018
DOI: 10.1145/3236024.3236029

Do Android taint analysis tools keep their promises?

Abstract: In recent years, researchers have developed a number of tools to conduct taint analysis of Android applications. While all the respective papers aim at providing a thorough empirical evaluation, comparability is hindered by varying or unclear evaluation targets. Sometimes, the apps used for evaluation are not precisely described. In other cases, authors use an established benchmark but cover it only partially. In yet other cases, the evaluations differ in terms of the data leaks searched for, or lack a ground …

Cited by 74 publications
(45 citation statements)
References 23 publications
“…Two of the observed URLs were related to advertising distribution services, i.e., http://media.admob.com (283, 2.4%) and https://pagead2.googlesyndication.com (271, 2.3%). 8 We found that the http URL scheme (7 208 occurrences, 61%) is much more prevalent than its secure counterpart https (4 531 occurrences, 38%). Besides findings of the two common schemes we found few appearances of the ws (WebSocket) protocol (4 occurrences, 0.0%), which provides (unprotected) full-duplex communication on top of HTTP TCP connections.…”
Section: B the Nature Of Web Api Requests
Citation type: mentioning
confidence: 81%
“…2) Detection and extraction: In principle, we need to track flows of data in relevant APIs, and several static analysis frameworks exist to track data flows in Android apps. Nevertheless, in our experience as well as according to recent studies, these tools may not perform as described in the relevant papers [7], [8], [9]. We therefore decided to implement our own lightweight analysis tailored to reconstruct web APIs in the code.…”
Section: B Api Miner
Citation type: mentioning
confidence: 99%
“…They also established the representativeness of Ghera benchmarks (in terms of API usage) [15]. Pauck et al [13] developed ReproDroid, a tool to help verify the authenticity of Android app vulnerability benchmarks. They found that not all claims about the presence/absence of vulnerabilities in benchmarks in DIALDroid, DroidBench, and ICCBench benchmark suites were true.…”
Section: Motivation
Citation type: mentioning
confidence: 99%
“…DroidBench [13] contains 211 benchmarks. Each benchmark is an Android app that captures zero or more information leak vulnerabilities.…”
Section: Benchmarks
Citation type: mentioning
confidence: 99%