Data-Oriented Instrumentation against Information Leakages of Android Applications

2017 
As one of the most prominent threats, information leakages usually take sensitive data from private sources and improperly release the data through malicious or misused method invocations and intercommunications. As a countermeasure against this threat, a number of detection approaches have been developed based on static analysis, especially taint analysis. But we still have not reached a satisfactory solution for patching and mitigating this threat. In this paper, we propose an approach to automatically instrument malicious Android applications with cryptographic primitives and data randomization. With the help of an off-the-shelf taint analyzer, we detect the parts of code that might leak private information. In order to mitigate these information leakages, standard cipher transformations and randomization are used to enforce different security policies according to the positions of the related information sinks and intermediate system calls along malicious flow paths. The evaluation on different benchmark suites and real-world applications demonstrates that our approach can avoid false positives and mitigate around 91% of information leakages in real applications, with an acceptable cost of analysis and instrumentation that is affordable on desktops.