{"id":11,"date":"2013-05-10T16:03:27","date_gmt":"2013-05-10T14:03:27","guid":{"rendered":"http:\/\/sseblog.ec-spride.de\/?p=11"},"modified":"2013-05-10T16:03:27","modified_gmt":"2013-05-10T14:03:27","slug":"announcing-susi","status":"publish","type":"post","link":"https:\/\/blogs.uni-paderborn.de\/sse\/2013\/05\/10\/announcing-susi\/","title":{"rendered":"These are the Android Sources and Sinks Nobody was Looking at"},"content":{"rendered":"<p><a href=\"http:\/\/blogs.uni-paderborn.de\/sse\/files\/2013\/05\/android-ss-1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-15 alignright\" alt=\"android-ss-1\" src=\"http:\/\/blogs.uni-paderborn.de\/sse\/files\/2013\/05\/android-ss-1-300x300.png\" width=\"173\" height=\"173\" srcset=\"https:\/\/blogs.uni-paderborn.de\/sse\/files\/2013\/05\/android-ss-1-300x300.png 300w, https:\/\/blogs.uni-paderborn.de\/sse\/files\/2013\/05\/android-ss-1-150x150.png 150w, https:\/\/blogs.uni-paderborn.de\/sse\/files\/2013\/05\/android-ss-1-768x768.png 768w, https:\/\/blogs.uni-paderborn.de\/sse\/files\/2013\/05\/android-ss-1.png 1000w\" sizes=\"auto, (max-width: 173px) 100vw, 173px\" \/><\/a>Code analysis tools for taint tracking &#8211; static, dynamic or hybrid &#8211; are only as good as their definition of sources and sinks. The tools check whether there is a potential flow between a source and a sink and report their findings to the analyst. We examined several code analysis tools for Android and found that every one of them contains only a hand-picked set of sources and sinks. 
This motivated us to build a novel tool that generates Android sources and sinks fully automatically.<\/p>\n<p>We wrote a technical report <a href=\"http:\/\/www.informatik.tu-darmstadt.de\/fileadmin\/user_upload\/Group_CASED\/Publikationen\/TUD-CS-2013-0114.pdf\">SuSi: A Tool for the Fully Automated Classification and Categorization of Android Sources and Sinks<\/a>\u00a0that describes the details of our approach.<\/p>\n<p><!--more-->Abstract:<\/p>\n<div>\n<p><em>Today\u2019s smartphone users face a security dilemma: many apps they install operate on privacy-sensitive data, although they might originate from developers whose trustworthiness is hard to judge. Researchers have proposed more and more sophisticated static and dynamic analysis tools as an aid to assess the behavior of such applications. Those tools, however, are only as good as the privacy policies they are configured with. Policies typically refer to a list of sources of sensitive data as well as sinks which might leak data to untrusted observers. Sources and sinks are a moving target: new versions of the mobile operating system regularly introduce new methods, and security tools need to be re-configured to take them into account.<\/em><\/p>\n<p><em>In this work we show that, at least for the case of Android, the API comprises hundreds of sources and sinks. We propose SuSi, a novel and fully automated machine-learning approach for identifying sources and sinks directly from the Android source code. On our training set, SuSi achieves a recall and precision of more than 92%. To provide more fine-grained information, SuSi further categorizes the sources (e.g., unique identifier, location information, etc.) and sinks (e.g., network, file, etc.), with an average precision and recall of about 89%. 
We also show that many current program analysis tools can be circumvented because they use hand-picked lists of sources and sinks which are largely incomplete, hence allowing many potential data leaks to go unnoticed.\u00a0<\/em><\/p>\n<p><strong>Where can I find more information?<\/strong><\/p>\n<p>More information can be found\u00a0<a href=\"http:\/\/sse-blog.ec-spride.de\/android\/susi\/\">here<\/a>.<\/p>\n<\/div>\n<p><strong>Is the tool available online?<\/strong><\/p>\n<p>Yes! The tool is open source and can be downloaded from\u00a0<a href=\"https:\/\/github.com\/secure-software-engineering\/SuSi\">GitHub<\/a> and <a href=\"http:\/\/sse-blog.ec-spride.de\/android\/susi\/\">here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Code analysis tools for taint tracking &#8211; static, dynamic or hybrid &#8211; are only as good as their definition of sources and sinks. The tools check whether there is a potential flow between a source and a sink and report &hellip; <a href=\"https:\/\/blogs.uni-paderborn.de\/sse\/2013\/05\/10\/announcing-susi\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":6581,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,41],"tags":[81,121,141,151],"class_list":["post-11","post","type-post","status-publish","format-standard","hentry","category-android","category-research-paper","tag-android","tag-dynamic-analysis","tag-sources-and-sinks","tag-static-analysis"],"_links":{"self":[{"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/posts\/11","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/users\/6581"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/comments?post=11"}],"version-history":[{"count":0,"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/posts\/11\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/media?parent=11"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/categories?post=11"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/tags?post=11"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}