FlowDroid – Taint Analysis

FlowDroidFlowDroid is a context-, flow-, field-, object-sensitive and lifecycle-aware static taint analysis tool for Android applications. Unlike many other static-analysis approaches for Android we aim for an analysis with very high recall and precision. To achieve this goal we had to accomplish two main challenges: To increase precision we needed to build an analysis that is context-, flow-, field- and object-sensitive; to increase recall we had to create a complete model of Android’s app lifecycle.

Our analysis is based on Soot and Heros. FlowDroid uses a very precise callgraph which helps us to ensure flow- and context-sensitivity. Its IFDS-based flow functions guarantee field- and object-sensitivity. Because an accurate and efficient alias search is crucial for context-sensitivity in conjuction with field-sensitivity, we want to highlight this part of our analysis, which is inspired by Andromeda. The following code example shows how our approach tracks aliases:
We want to analyze if there is a connection from source to the sink. We start with the first line of the main method and analyze each statement successively. Note that in (3) a taint is assigned to a field (x.f) which starts a backward analysis. Now the statements are examined in the reverse order and we learn that z.g.f, a.g.f and b.f are aliases of x.f. The sink method takes b.f as input parameter, so there is a source-to-sink connection.

Furthermore, FlowDroid needs a complete modeling of Android’s lifecycles and callbacks. Because sources and sinks for Android are provided by SuSi, we only have to look for entry points. Along with necessary meta information they are extracted from Android’s manifest file, dex files and layout xml files. The latter allow us to consider user interaction callbacks defined in XML (for example button clicks) and discover additional sources in terms of password fields. Because user interaction cannot be predicted statically, FlowDroid generates a special main method which considers all possible combinations to make sure no taint is lost.

FlowDroid achieves 93% recall and 86% precision on DroidBench, our own Android benchmark suite. Despite its high precision FlowDroid is still capable of analyzing real-world applications and also performs well on SecuriBench Micro, a testsuite originally designed for web applications.

Are there any publications on FlowDroid?

FlowDroid: Precise Context, Flow, Field, Object-sensitive and Lifecycle-aware Taint Analysis for Android Apps (Steven Arzt, Siegfried Rasthofer, Christian Fritz, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves le Traon, Damien Octeau and Patrick McDaniel). To appear at PLDI’14.

Highly Precise Taint Analysis for Android Applications (Christian Fritz, Steven Arzt, Siegfried Rasthofer, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves le Traon, Damien Octeau and Patrick McDaniel), EC SPRIDE Technical Report TUD-CS-2013-0113, May 2013.

FlowDroid: A Precise and Scalable Data Flow Analysis for Android (Christian Fritz), Master thesis, TU Darmstadt, July 2013.

Where can I find the source-code of FlowDroid?The source code consists of two projects on Github, along with its dependencies:


See the Wiki page on Github for information on how to build and run FlowDroid. There, you can also find links to nightly builds of all required JAR files which is the most convenient way to try out FlowDroid. If you have any questions, please contact Steven Arzt or Siegfried Rasthofer.


Which source/sinks lists can I use to configure FlowDroid?

The most comprehensive lists are the ones computed by our SuSi tool. They are available for download here.



27 thoughts on “FlowDroid – Taint Analysis

  1. Pingback: 作業ログ04 Paperまとめ | Android開発日誌

  2. Pingback: Prof. Eric Bodden, Ph.D. » FlowDroid in the news

  3. Pingback: Prof. Eric Bodden, Ph.D. » A recap on our research progress in 2013

  4. Pingback: Prof. Eric Bodden, Ph.D. » FlowDroid receives Artifact Evaluation Award

  5. Pingback: Prof. Eric Bodden, Ph.D. » IccTA vs. DidFail: Inter-Component, Inter-Application Data Flow Analysis in Android Applications

  6. Pingback: ste williams – Boffins tag Android app privacy fails

  7. Pingback: Android, Heartbleed, Testing, and DevOps: An SEI Blog Mid-Year Review | Blog

  8. Pingback: What is noninterference, and how do we enforce it? - The PL Enthusiast

  9. Pingback: Best Android Security Resources | Securitas | {Room 237}

  10. Pingback: Mobile App 駭客與資訊安全測試工具與資源 | 軟體品管的專業思維

  11. Pingback: To-do & Ideas | Tianhan's Blog

  12. Pingback: ToolBox | Tianhan's Blog

  13. Pingback: Homepage

  14. Pingback: Codeinspect: The all-in-one Platform for Android App Analysis – forensic blog

  15. Pingback: [Dica#04] Android Malware Analysis Tools – MalwareVerse

  16. Pingback: Android Malware Analysis Tools,android malware analysis sandbox

  17. Pingback: Android malware analysis tool – All things in moderation

  18. Pingback: Recopilación de herramientas de penetration testing para Android - Div Security

  19. Pingback: Most Important Android Security Penetration Testing Tools for Hackers & Security Professionals -

  20. Pingback: Improving dynamic analysis coverage in Android with DroidBot – The Honeynet Project

  21. Pingback: Android Security Penetration Testing Tools for Security Professionals

  22. Pingback: Most Important Android Penetration Testing Tools for Pentesters & Security Professionals – pcsecurity-99.com

  23. Pingback: Awesome Android Application Security – Enciphers

  24. Pingback: Soot v4.0 releases: A framework for analyzing and transforming Java and Android applications • Penetration Testing

  25. Pingback: Awesome Android Application Security

  26. Pingback: Most Important Android Penetration Testing Tools for Pentesters & Security Professionals - Hackonology

  27. Pingback: Les outils de pentest Android les plus importants pour les pentesters et les professionnels de la sécurité - l'oasis

Comments are closed.