Finding Data Leaks in Xamarin Apps by Performing Taint Analysis on CIL Code
Authors
Larsen, Simon Ellegaard ; Christensen, Mikkel Christian Lybeck ; Nielsen, Thomas Pilgaard ; Bjergmark, Søren Aksel Helbo
Term
4. term
Education
Publication year
2018
Abstract
Smartphone-apps håndterer i stigende grad personlige data, og med GDPR er der øget fokus på at forebygge datalæk. Denne afhandling præsenterer en statisk taint-analyse for Xamarin-baserede Android-apps ved at analysere Common Intermediate Language (CIL). Vi introducerer det mellemsprog Simple CIL (SCIL) med formel definition og flowlogik baseret på kontrolflowanalyse, samt to værktøjer: Simple CIL Analyzer (SCIL/A), der parser APK-filer, opbygger kontrol- og kaldgrafer, konverterer til Static Single Assignment (SSA) og håndterer forgreninger og asynkrone opgaver, og Flix Analyzer (Flix/A), der udfører taint-propagation på Flix-fakta og inkluderer simpel strenganalyse. Samlet kan værktøjerne spore potentielt usikker dataflow i Xamarin-apps. Evalueringen omfatter automatiserede enhedstests og en storskalascanning af 2.866 Xamarin-apps, hvor 20% blev markeret med potentielle problemer, samt en nærmere undersøgelse af udvalgte fund. Afhandlingen diskuterer også begrænsninger og skitserer fremtidigt arbejde.
Smartphone apps increasingly process personal data, and with GDPR there is greater emphasis on preventing data leaks. This thesis presents a static taint analysis for Xamarin-based Android apps by analyzing Common Intermediate Language (CIL). We introduce the intermediate language Simple CIL (SCIL) with a formal definition and flow logic grounded in control-flow analysis, and two tools: Simple CIL Analyzer (SCIL/A), which parses APKs, builds control and call graphs, converts to Static Single Assignment (SSA), and handles branching and asynchronous tasks, and Flix Analyzer (Flix/A), which performs taint propagation over Flix facts and includes a simple string analysis. Together, the tools can detect potentially insecure data flows in Xamarin apps. The evaluation includes automated unit tests and a large-scale scan of 2,866 Xamarin apps, where 20% were flagged with potential issues, supplemented by closer inspection of selected findings. The thesis also discusses limitations and outlines future work.
[This summary has been generated with the help of AI directly from the project (PDF)]
Documents