Introduction
ScanDal is a static analyzer for detecting privacy leaks in Android applications.
- Problem: Smartphone apps can steal your private data and send it out behind your back. There are many malicious applications out there, and Android's permission-based system is not enough to ensure the security of private data. Android requires application developers to declare the permissions their application needs to access your private information. However, a granted permission does not tell you whether the application only reads that information or also sends it out. Developers also tend to abuse the system by requesting far more permissions than they need, so they don't miss anything. As a result, many users either don't read (or don't care about) the permissions and just click whatever is necessary to continue.
- Our Solution: ScanDal is a sound, formal and automatic static analyzer.
- ScanDal does not execute the Android app.
- ScanDal takes an .apk file as its input.
- ScanDal detects privacy leaks in the Android app.
We designed ScanDal in the abstract interpretation framework.
Features
- Sources and sinks of privacy leaks: ScanDal detects privacy leaks as flows from information sources to information sinks. Every detected data flow from a source to a sink is considered a potential privacy leak. ScanDal tracks location, IMEI, IMSI, ICC-ID, phone number, camera, and microphone as private information sources. Internet access and SMS text messages are considered information sinks.
- Dalvik bytecode as the target language: ScanDal works on the Dalvik VM bytecode directly, rather than translating the Dalvik Executable (dex) format into Java source or Java bytecode. (The "Dal" part of the name ScanDal comes from there.) We do this because known reverse-engineering tools, such as dex2jar, fail in some cases, and because an application can be deliberately obfuscated at the bytecode level.
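A toy version of the source-to-sink analysis described above, added here as an illustration and not ScanDal's own code: it interprets a small Dalvik-like control-flow graph abstractly, joining per-register taint at merge points until a fixpoint is reached, and reports every source label that reaches a sink. The instruction encoding, the CFG layout, the source/sink tables and the sample program are all assumptions of this example.

```python
from collections import defaultdict
# Private-information sources and sinks, labelled as on the ScanDal page. The method names
# are real Android APIs; treating them as source or sink is this example's own choice.
SOURCES = {"Landroid/telephony/TelephonyManager;->getDeviceId": "IMEI",
           "Landroid/telephony/TelephonyManager;->getLine1Number": "Phone number",
           "Landroid/location/Location;->getLatitude": "Location"}
SINKS = {"Ljava/net/URL;-><init>": "Internet",
         "Landroid/telephony/SmsManager;->sendTextMessage": "SMS"}
EMPTY = frozenset()

def transfer(state, instr):
    """One Dalvik-like instruction on a taint state (register -> labels); returns (state, leaks)."""
    state, leaks = dict(state), []
    if instr[0] == "const":                 # literal: register is untainted afterwards
        state[instr[1]] = EMPTY
    elif instr[0] == "move":                # copy: taint follows the value
        state[instr[1]] = state.get(instr[2], EMPTY)
    elif instr[0] == "invoke":              # invoke-* with its move-result folded in
        _, method, args, dst = instr
        taint = EMPTY.union(*(state.get(r, EMPTY) for r in args))
        if method in SOURCES:               # source: result carries a fresh label
            taint = frozenset({SOURCES[method]})
        elif method in SINKS:               # sink: every label reaching it is a leak
            leaks = [(src, SINKS[method]) for src in sorted(taint)]
        if dst is not None:                 # unknown callee: result may carry any argument's taint
            state[dst] = taint
    return state, leaks

def analyze(cfg, entry="B0"):
    """Worklist fixpoint over cfg[name] = (instructions, successors); states join by union."""
    in_state, worklist, leaks = defaultdict(dict), [entry], set()
    while worklist:
        state = in_state[(name := worklist.pop())]
        for instr in cfg[name][0]:
            state, found = transfer(state, instr)
            leaks.update(found)
        for succ in cfg[name][1]:           # join into the successor; re-run it only if it changed
            old = in_state[succ]
            joined = {r: old.get(r, EMPTY) | state.get(r, EMPTY) for r in set(old) | set(state)}
            if joined != old:
                in_state[succ] = joined
                worklist.append(succ)
    return sorted(leaks)

# Constructed sample CFG: the IMEI reaches the network on one branch only; the join at B3 exposes it.
SAMPLE_CFG = {
    "B0": ([("invoke", "Landroid/telephony/TelephonyManager;->getDeviceId", ["v0"], "v1")], ["B1", "B2"]),
    "B1": ([("move", "v2", "v1")], ["B3"]), "B2": ([("const", "v2", "")], ["B3"]),
    "B3": ([("invoke", "Ljava/lang/StringBuilder;->append", ["v3", "v2"], "v3"),
            ("invoke", "Ljava/net/URL;-><init>", ["v4", "v3"], None)], [])}
```

`analyze(SAMPLE_CFG)` reports the single flow `IMEI → Internet`; a run that analyzed only the `B2` path would miss it, which is why the join matters.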
Demo
This video shows ScanDal detecting privacy leaks in the Google Wallpapers application. The result shows that the application sends out the device ID via the Internet.
Experiments
- Android Market Applications:
We analyzed 90 popular applications from Android Market (as of July 2011) using ScanDal to detect privacy leaks. ScanDal detected potential privacy leaks in 11 of them.
Application | dex size | time | mem | Detected privacy leak |
---|---|---|---|---
Kids Preschool Puzzle | 87 | 1 | 56 | Location → Flurry |
Job Search | 167 | 1 | 108 | Location → Server |
Kids Shapes | 225 | 1 | 155 | Location → Flurry |
Kids ABC Phonics | 134 | 3 | 119 | Location → Flurry |
Backgrounds HD Wallpapers | 109 | 4 | 141 | IMEI → Server |
Bible Quotes | 138 | 8 | 263 | Location → AdSense Server |
ES Task Manager | 158 | 19 | 423 | Location → AdSense Server |
Multi Touch Paint | 198 | 47 | 727 | Location → AdMob Server |
Adao File Manager | 255 | 62 | 1149 | Location → AdMob Server |
(D-Day) The Day Before | 293 | 224 | 2657 | Location → AdMob Server |
Kids Number and Math | 101 | 538 | 1249 | Location → Flurry |
- Black Market Applications: We also analyzed 6 known malicious applications from third-party ("black") markets using ScanDal to detect privacy leaks. The original applications are free and can be downloaded from Android Market, but infected copies that look identical to the originals are easy to find in third-party markets. All 6 applications sent out the phone number, IMEI, IMSI and ICC-ID, along with the location information, to a malicious server.
Application | dex size | time | mem | Detected privacy leak |
---|---|---|---|---
Shot Gun Free | 95 | 36 | 164 | Phone number & IMEI & IMSI & ICC-ID & Location → Malicious Server |
Baseball Superstars 2010 | 165 | 61 | 285 | Phone number & IMEI & IMSI & ICC-ID & Location → Malicious Server |
Monkey Jump 2 | 169 | 74 | 442 | Phone number & IMEI & IMSI & ICC-ID & Location → Malicious Server |
Gold Miner | 191 | 81 | 481 | Phone number & IMEI & IMSI & ICC-ID & Location → Malicious Server |
Mini Army | 480 | 174 | 1292 | Phone number & IMEI & IMSI & ICC-ID & Location → Malicious Server |
Xing Metro | 253 | 23049 | 1784 | Phone number & IMEI & IMSI & ICC-ID & Location → Malicious Server |
dex size is the size of the dex file (KB); time is the CPU time spent (sec); mem is the peak memory consumption (MB). The Flurry, AdSense and AdMob servers were identified by name; unidentified servers are the applications' own content servers.
Paper
ScanDal: Static Analyzer for Detecting Privacy Leaks in Android Applications. Jinyung Kim, Yongho Yoon, Kwangkeun Yi (Seoul National University), Junbum Shin (Samsung Electronics).
MoST 2012: Mobile Security Technologies, May 2012
Talks
- Talk slides at Samsung Electronics, Dec 2011 (In Korean)
- Talk slides at The 7th ROSAEC workshop, Jan 2012 (In Korean)
Contacts
For general questions regarding ScanDal, please send email to scandal _at_ ropas.snu.ac.kr.
This work was supported by Samsung Electronics DMC R&D Center, the Engineering Research Center of Excellence Program of Korea Ministry of Education, Science and Technology (MEST) / National Research Foundation of Korea (NRF), and the Brain Korea 21 Project, School of Electrical Engineering and Computer Science, Seoul National University.