VDetector: Detecting Vulnerability Based on Inter-Component Data Flows in Android Applications

摘要

With the popularity of Android devices and the improvement of intelligence of mobile phones, our life becomes more and more convenient. Meanwhile, the popularity brings new challenges to Android security, especially the application vulnerabilities. These vulnerabilities may lead to sensitive data leaks. To address this issue, researchers have proposed methods to detect the vulnerabilities in Android applications. But most of them only detect one type of vulnerabilities. In this paper, we propose VDetector, a data flow tracking based method for detecting three types of vulnerabilities, Log Leak Vulnerability, Content Provider Vulnerability, and Inter-Components Communication Vulnerability. Based on the reasons of the three types of vulnerabilities, VDetector transforms the detection into the data flow tracking. We first extend the source and sink sets corresponding to the vulnerabilities. Then we explore whether there are paths between the sources and the sinks. If there are paths, it indicates that the vulnerabilities exist. At last, three datasets are used for experiments and the result indicates that VDetector effectively finds such android application vulnerabilities above.