Research & Tools for Secure Android Development

Android apps face some security issues, such as the possibility of activity hijacking (in which not-so-friendly apps waylay intents meant for other apps and can potentially harvest private data). So, if you're concerned about security, you could always just download a snazzy-looking anti-virus app and hope for the best, or you could make sure the apps you develop are secure.

From Will Klieber and Lori Flynn at Carnegie Mellon comes a look at some interesting research into security analysis for Android development in a project called Mobile SCALe. According to Klieber, a key to understanding these types of Android security issues is being able to track the flow of data. It's important to know what's going where, and the trustworthiness and security of each location:

Sometimes the flow of information can be from a highly sensitive source to a place that’s not authorized to receive the data. So, the source can be high privilege and the sink can be low privilege. Integrity concerns can also be analyzed using the concept of information flow. Sometimes untrusted data is sent to a place that’s supposed to store only high-trusted data that’s been sent by an authorized source. If data travels from a low-trust source to a high-trust sink, that’s also a problem.

To help with this kind of analysis, the researchers developed a tool called DidFail, which stands for Droid Intent Data Flow Analysis for Information Leakage:

[DidFail] combines and augments the existing Android dataflow analyses of FlowDroid (which identifies intra-component taint flows) and Epicc (which identifies properties of intents such as its action string) to track both inter-component and intra-component dataflow in a set of Android applications.

Leaving vulnerabilities exposed in an Android app is fairly easy to do, so this kind of research, along with tools like DidFail, is integral to keeping the platform reliable and secure. Check out Klieber and Flynn's full write-up for more details on the project.