Jul 08

Secure Coding: DidFail | The CERT Division

DidFail (Droid Intent Data Flow Analysis for Information Leakage) uses static analysis to detect potential leaks of sensitive information within a set of Android apps. DidFail combines and augments FlowDroid (which identifies intra-component information flows) and Epicc (which identifies properties of intents such as its action string) to precisely track both inter-component and intra-component data flow in a set of Android applications.

The analysis takes place in two phases:

Given a set of applications, we first determine the data flows enabled individually by each application, and the conditions under which these are possible.

We then build on these results to enumerate the potentially dangerous data flows enabled by the set of applications as a whole.

The source code of DidFail and a binary distribution of DidFail and its dependencies are available for download. Our paper, Android Taint Flow Analysis for App Sets, in the SOAP 2014 workshop describes our analysis method, implementation, and experimental results. The analysis method is described in extended detail in Amar Bhosale’s Master’s thesis, Precise Static Analysis of Taint Flow for Android Application Sets.

via Secure Coding: DidFail | The CERT Division.