DamFlow: Preventing a Flood of Irrelevant Data Flows in Android Apps
State-of-the-art tools like FlowDroid have been proposed to detect data leaks in Android apps, but two main challenges persist: (1) false alarms and (2) undetected data leaks. One contributing factor to these challenges is that a tool such as FlowDroid relies on predefined lists of privacy-sensitive source and sink API methods. Generating such lists is complex; incomplete or inaccurate lists result in both false alarms (i.e., irrelevant data flows) and undetected data leaks. Additionally, data leaks are highly context-dependent. For instance, GPS data flowing from a navigation app is expected, but the same flow in a calculator app is suspicious. Even when FlowDroid identifies a source-to-sink path, it may not be relevant to privacy analysis, further increasing false alarms.
To tackle these issues, we propose a novel approach named DamFlow, which, by combining backward taint analysis with context-aware anomaly detection, prevents a ``flood'' of irrelevant data flows while at the same time finding data leaks missed by existing approaches. Our evaluation demonstrates that DamFlow significantly reduces reported leaks per app while uncovering previously undetected leaks, enhancing FlowDroid’s practicality for real-world data leak detection.
Fri 17 AprDisplayed time zone: Brasilia, Distrito Federal, Brazil change
11:00 - 12:30 | Dependability and Security 8Journal-first Papers / Demonstrations / Research Track at Oceania X Chair(s): Xusheng Xiao Arizona State University | ||
11:00 15mTalk | DamFlow: Preventing a Flood of Irrelevant Data Flows in Android Apps Journal-first Papers Marco Alecci University of Luxembourg, Jordan Samhi University of Luxembourg, Luxembourg, Marc Miltenberger Fraunhofer SIT; ATHENE, Steven Arzt Fraunhofer SIT; ATHENE, Tegawendé F. Bissyandé University of Luxembourg, Jacques Klein University of Luxembourg | ||
11:15 15mTalk | LVing: A Vulnerability Detection and Visualization Platform for Rust Demonstrations Ernesto Diaz Texas A&M University-San Antonio, Mark Solis Texas A&M University-San Antonio, Young Lee Texas A & M University - San Antonio, Jeong Yang Texas A&M University-San Antonio, Deep Gandhi Independent Researcher | ||
11:30 15mTalk | StagedVulBERT: Multi-Granular Vulnerability Detection with a Novel Pre-trained Code Model Journal-first Papers Yuan Jiang Harbin Institute of Technology, Yujian Zhang Harbin Institute of Technology, Xiaohong Su Harbin Institute of Technology, Christoph Treude Singapore Management University, Tiantian Wang Harbin Institute of Technology | ||
11:45 15mTalk | Just-in-Time Detection of Silent Security Patches Journal-first Papers Xunzhu Tang University of Luxembourg, Kisub Kim DGIST, Saad Ezzini King Fahd University of Petroleum and Minerals, Yewei Song University of Luxembourg, Haoye Tian Aalto University, Jacques Klein University of Luxembourg, Tegawendé F. Bissyandé University of Luxembourg | ||
12:00 15mTalk | Rusted Types: Static Detection of Rust Type Confusion Bugs Research Track Zeyang Zhuang The Chinese University of Hong Kong, Wei Meng Chinese University of Hong Kong, Michael Lyu The Chinese University of Hong Kong | ||
12:15 15mTalk | LLM-based Vulnerability Discovery through the Lens of Code Metrics Research Track Felix Weissberg BIFOLD & TU Berlin, Lukas Pirch BIFOLD & TU Berlin, Erik Imgrund BIFOLD & TU Berlin, Jonas Möller BIFOLD & TU Berlin, Thorsten Eisenhofer BIFOLD & TU Berlin, Konrad Rieck BIFOLD & TU Berlin Pre-print | ||