A Research On Model-based Privacy Leak Detection For Android Dynamic Class Loading

With the rapid development of the mobile Internet,Android system has become one of the most popular mobile system platforms,but also become the main target of malicious applications and one of the common malicious behavior is privacy leakage.To protect users'privacy,researchers have developed various techniques to detect pri-vacy leakage in mobile apps,including static taint analysis and dynamic taint analysis.While these methods can't detect all privacy leaks in Android applications,the privacy leakage hidden by dynamic class loading is a challenging task hard to be solved.The dynamic class loading mechanism can make Android applications load extra code at runtime to expand the functions of the application.Therefore,it is widely used in Android development.However,privacy leakage can also be hidden in dynamically loaded external code,which is difficult to detect by detection tools.To effectively solve this problem,there are still two challenges:1)how to determine the location and trigger conditions of dynamic class loading;2)how to effectively trigger the dynamic class loading behavior and detect the privacy leakage hidden by dynamic class loading.Therefore,this paper proposes a model-based detection method for privacy leaks hidden by Android dynamic class loading to effectively solve these series of challenges,the main work is as follows:1.Propose the construction of model library based on static analysis.Aiming at the problem of how to determine the location and triggering conditions of dynamic class loading,this paper implements the static analysis of Android applications to obtain program information and dynamic class loading information of applications;then,inspired by the idea of software asset reuse,we abstract the analysis results into a model for saving,and build an Android application model library.The model library can not only find out the position of the dynamic class loading,but also can be reused for other work that requires static analysis results.2.Implement a privacy leak detection method for dynamic class loading.For trig-gering dynamic class loadings effectively and detecting privacy leaks,this paper uses the static model in the model library to generate dynamic input events,which can trigger the dynamic class loading behavior more effectively.At the same time,through the instument technology of inserting codes into the application,it can get the relevant information of dynamic class loading.Finally,we implement a path oriented taint analysis method based on the obtained information to detect the privacy leakage caused by dynamic class loading.3.This paper develops a privacy leakage detection tool DL2 which includes static anal-ysis technique,model library construction technique,dynamic execution technique,and path-oriented taint analysis.Then we construct a benchmark containing 2578 privacy leaks hidden by dynamic class loading and experimentally evaluate DL2 on the apps from the benchmark and finally compare the performance of DL2 with some other related works.The results show that our method can detect the privacy leakage caused by dynamic class loading more effectively.