Abstract

Taint analysis detects system security problems by tracking the flow of user input, or the leakage of information, through the system. In taint analysis for Android applications, the complete taint propagation path is generally obtained by tracking tainted data. Existing methods of obtaining the taint propagation path often trade efficiency against analysis accuracy, or produce false positives and false negatives because they neglect Android features. To address these problems, a novel multi-branch taint search association algorithm is proposed, which optimizes the processing of Android component features in taint analysis. It directly finds taint-related code and associates it according to predefined rules. It provides effective Android taint analysis capability, including alias analysis, and reduces the negative impact of taint-unrelated code on the performance of taint analysis. The Android static taint analysis prototype tool TaintSA is implemented based on the multi-branch taint search association algorithm. The experimental results show that TaintSA not only ensures the accuracy of the analysis results but also reduces the time and space required for taint analysis. Its accuracy rate of 91.5% and recall rate of 75.6% on the DroidBench2.0 test set are better than those of the taint analysis tool FlowDroid, while time consumption and memory consumption are reduced by about 30% and 20%, respectively. In terms of the representation of taint propagation edges, the taint propagation path output by TaintSA, unlike that of FlowDroid, does not contain intermediate variables and is more concise in form. In addition, TaintSA can output taint propagation paths without taint leakage, which is helpful for further taint analysis.
