DroidBench 1.1 is released with new challenges:
Trend and Strategy Report: Developing Secure Software through Security by Design
Today, Thursday, the three BMBF-funded competence centres for IT security, CISPA, Kastel and EC SPRIDE, publish the trend and strategy report Entwicklung sicherer Software durch Security by Design (Developing Secure Software through Security by Design). The report argues that the development and integration of secure software must follow the principle of security by design, and it identifies the corresponding challenges for a practice-oriented research agenda.
The Android Logging Service – A Dangerous Feature for User Privacy?
The Android logging mechanism is used by many Android applications; even the Android framework itself uses it to output debug information. But does this logging mechanism also expose private information? This article gives a short overview of the privacy-sensitive information that could be gathered from the Android logging mechanism. It also describes Google's countermeasure, introduced in Android 4.1, that restricts access to the "log file", and what possibilities an attacker still has.
FlowDroid: Precise Context, Flow, Field, Object-sensitive and Lifecycle-aware Taint Analysis for Android Apps
In our new technical report Highly Precise Taint Analysis for Android Applications we present our new tool FlowDroid, a context-, flow-, field-, object-sensitive and lifecycle-aware static taint analysis for Android applications.
Furthermore, we also created an Android benchmark suite, DroidBench, as a testing ground for static and dynamic security tools.
This is joint work with Alexandre Bartel, Jacques Klein and Yves le Traon from the University of Luxembourg and with Damien Octeau and Patrick McDaniel from Penn State University.
These are the Android Sources and Sinks Nobody was Looking at
Code analysis tools for taint tracking, whether static, dynamic or hybrid, are only as good as their definition of sources and sinks. The tools check whether there is a potential flow between a source and a sink and report their findings to the analyst. We examined different code analysis tools for Android and found that all of them contain only a hand-picked set of sources and sinks. This motivated us to create a novel tool for the fully automated generation of Android sources and sinks.
We wrote a technical report SuSi: A Tool for the Fully Automated Classification and Categorization of Android Sources and Sinks that describes the details of our approach.
Hello World!
We – the SSE-Group (Secure Software Engineering) at EC-SPRIDE Darmstadt – created a new blog that informs you about our current research.
Our research includes, but is not limited to, the following topics:
- Android Security
- Buffer Overflow Mitigation
- Timing Channel Mitigation
If you are interested in using or extending our tools, or if you have any questions in general, do not hesitate to contact us!
Let the blogging begin!