Title :
An analysis on sensitive data passive leakage in Android applications
Author :
Tianchang Yang; Haoliang Cui; Shaozhang Niu; Peng Zhang
Author_Institution :
Beijing Key Lab of Intelligent Telecommunication Software and Multimedia, Beijing University of Posts and Telecommunications, 100876, China
Abstract :
Android smartphones store a huge amount of sensitive data, and Android provides the Permission Management and the Sandbox Mechanism to protect that data. However, these mechanisms cannot prevent the passive leakage of sensitive data caused by defects introduced during the design and implementation phases. In this paper, we perform a systematic analysis of the passive sensitive data leakage vulnerability in Android applications, and design and implement a testing tool, Sensitive Data Passive Leakage Detector (SDPLDetector). The tool can perform static taint propagation analysis on Android applications and, based on the characteristics of the taint propagation paths, selectively executes cryptographic misuse analysis or component hijacking analysis. Finally, test reports are generated according to the analysis results. Using SDPLDetector to analyze dozens of typical Android applications, the experimental results showed that more than 50% of the applications were found to have potential sensitive data passive leakage problems.
Keywords :
"Cryptography","Androids","Humanoid robots"
Conference_Title :
Communication Technology (ICCT), 2015 IEEE 16th International Conference on
Print_ISBN :
978-1-4673-7004-2
DOI :
10.1109/ICCT.2015.7399807