TaintBench: Automatic real-world malware benchmarking of Android taint analyses

Linghui Luo,Goran Piskachev,Ivan Pashchenko,Eric Bodden,Manuel Benz,Felix Pauck,Fabio Massacci,Martin Mory,Ben Hermann

doi:10.1007/s10664-021-10013-5

Abstract

Due to the lack of established real-world benchmark suites for static taint analyses of Android applications, evaluations of these analyses are often restricted and hard to compare. Even in evaluations that do use real-world apps, details about the ground truth in those apps are rarely documented, which makes it difficult to compare and reproduce the results. To push Android taint analysis research forward, this paper thus recommends criteria for constructing real-world benchmark suites for this specific domain, and presents TaintBench, the first real-world malware benchmark suite with documented taint flows. TaintBench benchmark apps include taint flows with complex structures, and addresses static challenges that are commonly agreed on by the community. Together with the TaintBench suite, we introduce the TaintBench framework, whose goal is to simplify real-world benchmarking of Android taint analyses. First, a usability test shows that the framework improves experts’ performance and perceived usability when documenting and inspecting taint flows. Second, experiments using TaintBench reveal new insights for the taint analysis tools Amandroid and FlowDroid: (i) They are less effective on real-world malware apps than on synthetic benchmark apps. (ii) Predefined lists of sources and sinks heavily impact the tools’ accuracy. (iii) Surprisingly, up-to-date versions of both tools are less accurate than their predecessors.

Highlights

Mobile devices store and process sensitive data such as contact lists or banking information, which require protection against misuse
Once an Android taint analysis tool finds an expected taint flow while benchmarking, it is counted as a true positive (TP)
Our work aims to serve as a starting point towards a solid real-world benchmark suite for Android taint analysis

Summary

Introduction

Mobile devices store and process sensitive data such as contact lists or banking information, which require protection against misuse. In case of Android, the most-used mobile operating system (statcounter 2019), and its app marketplaces such as Google Play Store, it is crucial to protect users’ security and privacy. In particular, is able to detect security threats, e.g., data leaks (as in spyware which is a subset of malware), before they are exploited. It tracks data flows from sensitive sources (e.g., API which reads the contact list) to sensitive sinks (e.g., API which posts data to the Internet). Multiple intentionally, accidentally or maliciously programmed data-flow paths might result in the same taint flow as the example in Listings 1 shows, a taint flow is usually counted as detected once a connection consisting of a single or multiple data-flow paths between the associated source and sink is found

Objectives

Methods

Results

Conclusion