IIFA: Modular Inter-app Intent Information Flow Analysis of Android Applications

Abstract

Android apps cooperate through message passing via intents. However, when apps have disparate sets of privileges inter-app communication (IAC) can accidentally or maliciously be misused, e.g., to leak sensitive information contrary to users’ expectations. Recent research has considered static program analysis to detect dangerous data leaks due to inter-component communication (ICC), but suffers from shortcomings for IAC with respect to precision, soundness, and scalability. As a remedy we propose a novel pre-analysis for static ICC/IAC analysis. Our main contribution is the first fully automatic ICC/IAC information flow analysis that is scalable for realistic apps due to modularity, avoiding combinatorial explosion: Our approach determines communicating apps using short summaries rather than inlining intent calls between components and apps, which entails simultaneously analyzing all apps installed on a device. Using benchmarks we establish that IIFA outperforms state-of-the-art analyses in terms of precision and recall. But foremost, applied to the 90 most popular applications from the Google Playstore, IIFA demonstrated its scalability to a large corpus of real-world apps.