$\mu$Dep: Mutation-based Dependency Generation for Precise Taint Analysis on Android Native Code

TL;DR

$Dep is a novel framework combining static binary analysis and mutation-based dynamic analysis to accurately detect sensitive information flows in Android apps with native code, enhancing existing analysis tools.

Contribution

It introduces a mutation-based dynamic analysis integrated with static analysis to model native code taint behaviors and generate summaries for improved information-flow analysis.

Findings

Competitive accuracy in detecting sensitive flows.

Effective analysis of real-world apps and malware.

Improved native code taint modeling.

Abstract

The existence of native code in Android apps plays an important role in triggering inconspicuous propagation of secrets and circumventing malware detection. However, the state-of-the-art information-flow analysis tools for Android apps all have limited capabilities of analyzing native code. Due to the complexity of binary-level static analysis, most static analyzers choose to build conservative models for a selected portion of native code. Though the recent inter-language analysis improves the capability of tracking information flow in native code, it is still far from attaining similar effectiveness of the state-of-the-art information-flow analyzers that focus on non-native Java methods. To overcome the above constraints, we propose a new analysis framework, $\mu$Dep, to detect sensitive information flows of the Android apps containing native code. In this framework, we combine a control-flow based static binary analysis with a mutation-based dynamic analysis to model the tainting behaviors of native code in the apps. Based on the result of the analyses, $\mu$Dep conducts a stub generation for the related native functions to facilitate the state-of-the-art analyzer DroidSafe with fine-grained tainting behavior summaries of native code. The experimental results show that our framework is competitive on the accuracy, and effective in analyzing the information flows in real-world apps and malware compared with the state-of-the-art inter-language static analysis.