Abstract

Smartphones are enriched by applications (apps) available through the mobile ecosystem. Various studies have reported that apps leaking sensitive user and device information are the primary target of cyber criminals. Existing program analysis tools can detect such information leakage flows, and reverse engineering tools are deployed to determine an app's information flow via control-flow and data-flow analysis. Malware authors employ information-flow-based evasion techniques while leaking privacy-sensitive data. In this paper, we discuss five novel app attacks that evade information flow analysis and leak sensitive device and user information (e.g., IMEI, SIM details, location details, and user contacts). These attacks circumvent state-of-the-art analysis tools. We show that sensitive information can be leaked via non-sensitive variables, or by performing runtime inspection of classes and fields. We analyzed the proposed novel attack apps against some of the most promising state-of-the-art static analysis tools, such as FlowDroid and DroidSafe, and dynamic analysis tools such as TaintDroid. Furthermore, we evaluated Play-Protect (the default on-device anti-malware), AVL Antivirus, and some other top commercial products against the proposed novel app attacks. We demonstrate that existing tools are vulnerable to the proposed attacks. Finally, this paper proposes an AspectJ-based runtime monitor as a possible solution that can be incorporated into state-of-the-art app analysis techniques to detect information flow misuse.
