TY - GEN
T1 - AQUA
T2 - 19th Working Conference on Reverse Engineering, WCRE 2012
AU - Kim, Chon Ju
AU - Frankl, Phyllis
N1 - Copyright:
Copyright 2013 Elsevier B.V., All rights reserved.
PY - 2012
Y1 - 2012
N2 - Smart phone and tablet users typically store a variety of sensitive information on their devices, including contact information, photos, SMS messages, and custom data used by various applications. On Android devices, the data is stored in SQLite databases which applications access by constructing and executing queries, either directly or via Android content provider API calls. Before installing an application that uses a content provider, a user must grant permission for the application to read and/or write the associated data. Many users grant permission with little understanding of the risks. Even more savvy users cannot make well-informed decisions, as they are only given very coarse information about what data the application accesses. To provide users with more detailed information about how Android apps access and modify stored data, we have developed AQUA, the Android QUery Analyzer. AQUA analyzes application binary code, performing a lightweight static analysis to determine possible values of string variables that are incorporated into queries. AQUA reports on the content providers used and the database tables/attributes accessed and/or updated, allowing users to make more informed decisions about whether to grant permissions. This paper describes AQUA's design and evaluates AQUA's accuracy and performance by using it to analyze 105 popular apps downloaded from Google Play.
KW - Android
KW - Database application
KW - Static analysis
UR - http://www.scopus.com/inward/record.url?scp=84872313863&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84872313863&partnerID=8YFLogxK
U2 - 10.1109/WCRE.2012.49
DO - 10.1109/WCRE.2012.49
M3 - Conference contribution
AN - SCOPUS:84872313863
SN - 9780769548913
T3 - Proceedings - Working Conference on Reverse Engineering, WCRE
SP - 395
EP - 404
BT - Proceedings - 19th Working Conference on Reverse Engineering, WCRE 2012
Y2 - 15 October 2012 through 18 October 2012
ER -