DocumentCode
3732254
Title
Analyzing Security Property of Android Application Implementation Using Formal Method
Author
Quanqi Ye
Author_Institution
NUS Grad. Sch. for Integrative Sci. &
fYear
2015
Firstpage
214
Lastpage
217
Abstract
As mobile phones become a main way for people to access the Internet, security is a major concern for mobile phone users. Unlike the Web browser, which has mature isolation mechanisms to protect users' information such as cookies and credentials, Android app developers have to implement isolation mechanisms such as the Single Origin Policy (SOP) themselves. During the implementation process, it is highly likely that the implementation contains a vulnerability. Therefore, it is necessary to analyze the implementation before it is released to market. As part of an ongoing Ph.D. research project, this dissertation inspects two scenarios. The first scenario is an app which provides Single Sign-on (SSO) service using the Facebook SDK. The author builds formal models from the captured network traffic of the app and uses the verifier ProVerif to check the formal models against the defined properties. After the analysis, one vulnerability is discovered which violates SOP. The second scenario is an initial analysis of information flow leaks in Android apps.
Keywords
"Facebook","Protocols","Androids","Humanoid robots","Security","Servers","Mobile handsets"
Publisher
ieee
Conference_Titel
Engineering of Complex Computer Systems (ICECCS), 2015 20th International Conference on
Type
conf
DOI
10.1109/ICECCS.2015.39
Filename
7384252