HornDroid: Practical and Sound Static Analysis of Android Applications by SMT Solving

TL;DR

HornDroid is a sound static analysis tool for Android apps that uses Horn clauses and SMT solving to accurately detect information flow issues, outperforming existing tools and providing formal soundness guarantees.

Contribution

It introduces a novel Horn clause-based approach for Android analysis with formal soundness proof, enhancing precision and reliability over prior methods.

Findings

Outperforms state-of-the-art Android static analysis tools on community benchmarks.

Provides the first formal soundness proof for an Android static analysis tool.

Identifies critical corner-cases affecting soundness in previous tools.

Abstract

We present HornDroid, a new tool for the static analysis of information flow properties in Android applications. The core idea underlying HornDroid is to use Horn clauses for soundly abstracting the semantics of Android applications and to express security properties as a set of proof obligations that are automatically discharged by an off-the-shelf SMT solver. This approach makes it possible to fine-tune the analysis in order to achieve a high degree of precision while still using off-the-shelf verification tools, thereby leveraging the recent advances in this field. As a matter of fact, HornDroid outperforms state-of-the-art Android static analysis tools on benchmarks proposed by the community. Moreover, HornDroid is the first static analysis tool for Android to come with a formal proof of soundness, which covers the core of the analysis technique: besides yielding correctness assurances, this proof allowed us to identify some critical corner-cases that affect the soundness guarantees provided by some of the previous static analysis tools for Android.