Abstract

To detect information leaks in Android programs, existing taint analysis approaches usually specify and enforce (statically or dynamically) a two-level information flow policy, represented by the lattice ({⊤,⊥},⊑) with ⊥⊑⊤. However, this policy leaves permissions (an access control mechanism built into the Android system) out of consideration, which makes the analysis results too coarse-grained in some scenarios. Existing information flow controls should instead integrate permissions to obtain a more refined flow policy. Following this intuition, we propose a permission-carrying secure information flow policy and build a static enforcement mechanism for it. First, we devise a small language that captures typical features of Android programs. On this basis, we define the permission-carrying security policy using a subset lattice of permissions, and offer a group of rules to certify the security of information flows. Second, we implement a static enforcement mechanism for this policy, which allows us to detect potentially insecure information flows by analysing programs at the component level. To illustrate the usefulness of this policy, we further examine two typical security threats, confused deputy and collusive data leaks, as running cases to show how security attacks are detected in our theoretical framework. The final experiment shows that our approach is effective and scalable for real-world apps. Compared with several leading tools, our approach is applicable to checking both intra-app and inter-app vulnerabilities, and achieves more precise detection results owing to its fine-grained security policy.
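The contrast between the two-level lattice and a subset lattice of permissions can be shown with a small checker. This is an added illustration, not the paper's language or rule set: the flow rule (a label may reach a receiver only if it is a subset of the receiver's permissions), the source table and the component names are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Constructed source table: API name -> permission guarding it (assumed for the example).
SOURCES = {
    "getLastKnownLocation": "ACCESS_FINE_LOCATION",
    "queryContacts": "READ_CONTACTS",
}

@dataclass(frozen=True)
class Component:
    name: str
    perms: frozenset  # permissions held by the component's app

def label_of(apis):
    """Label of data read from several sources: the join (set union) of their permissions."""
    return frozenset(SOURCES[a] for a in apis if a in SOURCES)

def two_level_flags(apis):
    """Two-level policy: any tainted data leaving a component is reported."""
    return bool(label_of(apis))

def permission_flags(apis, receiver):
    """Subset-lattice policy (assumed rule): report only the permissions the receiver lacks."""
    return label_of(apis) - receiver.perms

def check_flows(flows):
    """flows: (sender, APIs the sender read, receiver). Returns the insecure flows."""
    findings = []
    for sender, apis, receiver in flows:
        missing = permission_flags(apis, receiver)
        if missing:
            findings.append((sender.name, receiver.name, sorted(missing)))
    return findings

# Constructed components: two hold the location permission, one does not.
tracker = Component("Tracker", frozenset({"ACCESS_FINE_LOCATION"}))
viewer = Component("MapView", frozenset({"ACCESS_FINE_LOCATION"}))
uploader = Component("Uploader", frozenset({"INTERNET"}))

FLOWS = [
    (tracker, ["getLastKnownLocation"], viewer),    # receiver already holds the permission
    (tracker, ["getLastKnownLocation"], uploader),  # receiver lacks the permission
]

if __name__ == "__main__":
    for sender, apis, receiver in FLOWS:
        print(sender.name, "->", receiver.name, "two-level:", two_level_flags(apis),
              "permission-carrying:", sorted(permission_flags(apis, receiver)))
```

Under the two-level policy both flows are reported, while the permission-carrying check reports only the flow to the component that does not hold `ACCESS_FINE_LOCATION`.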
