Communication-Based Attacks Detection in Android Applications

If the critical paths are triggered at runtime they are likely to cause privacy leaks, so we detect this and send a notice to users.

By using the method provided in the previous section, we can capture an API sequence for each component at runtime. For each API call we capture the triggering time, parameter values, return value, data dependence, and so on, thus it has uniqueness and can have a one-to-one correspondence with the vertex in the CDFG. This is shown in Fig. 10 , in which the paths of the red edge are the critical path.

10.26599/TST.2018.9010133.F10 Fig. 10:API sequence and the corresponding CDFG.

If the path formed by these API sequences is a part of the whole CDFG and the critical path is included in the path, this shows that the critical path is triggered and sensitive data is exposed. An example of this is shown in Fig. 10 , in which the captured API sequence $A\stackrel{}{\to }B\stackrel{}{\to }C\stackrel{}{\to }D$ belongs to CDFG. Since $B\stackrel{}{\to }C\stackrel{}{\to }D$ is the critical path, sensitive data may be exposed.

We will change the detection problem to a decision problem of whether a given path is included in a directed graph. We through the following steps to determine this, assuming that a given path is $V_0\stackrel{}{\to }{V}_1\stackrel{}{\to }\mathrm{\cdots }\stackrel{}{\to }{V}_n$ , and $G_d$ is the directed graph.

(1) Search the initial vertex. Search $V_0$ in $G_d$ , and if it exists, move to Step (2);

(2) Determine if the subsequent vertex is in the directed graph. Search all of the subsequent vertices of $V_0$ in $G_d$ . If $V_1$ is found, then move to Step (3), otherwise we can say this given path is not in the directed graph.

(3) Iterate the decision process. Replace $V_0$ with $V_1$ , $V_2$ with $V_1$ , and repeat Step (2) until all the vertices of a given path are analyzed.

We use the adjacency table to store CDFG; the time complexity of the depth-first walk and breadth-first calendar calculation method are both $O(n+e)$ , where $n$ represents the number of vertices, and $e$ represents the number of edges. For searching the given vertices in a directed graph, in general the breadth-first time calendar calculation method has low time complexity compared with the depth-first walk, but space complexity is high. Detection of attacks pays more attention to time efficiency, so we use a breadth-first calendar calculation method to search the initial vertex. We give the critical path trigger detection algorithm as Algorithm 1.

When using this algorithm for testing, when a critical path is triggered the user will be notified, and at the same time the model will record the path information and data dependency information. For example, when we detect FindLocationActivity in the motivating example, we catch the API sequence: $\mathrm{\cdots }\stackrel{}{\to }\mathrm{getLastKnownLocation}(\mathrm{\cdots })\stackrel{}{\to }\mathrm{toString}(\mathrm{\cdots })\stackrel{}{\to }\mathrm{putExtra}(\mathrm{\cdots })\stackrel{}{\to }\mathrm{putExtra}(\mathrm{\cdots })\stackrel{}{\to }\mathrm{startActivity}(\mathrm{\cdots })$ , because it contains the critical path, and bring up a prompt as shown in Fig. 11 .

10.26599/TST.2018.9010133.F11 Fig. 11:Critical path trigger test results of FindLocationActivity.