Divide and Conquer: Recovering Contextual Information of Behaviors in Android Apps around Limited-quantity Audit Logs
Android users now face serious threats from a variety of unwanted apps. Analysis of apps' audit logs is one of the critical methods some device manufacturers use to unveil the underlying malice of apps. We propose and implement DroidHolmes, a novel system that recovers contextual information around limited-quantity audit logs. It can also help improve the performance of existing analysis tools such as FlowDroid and IccTA. The key module of DroidHolmes finds a path on the app's control-flow graph that matches the logs. The challenge, however, is that limited-quantity logs may incur high computational complexity in log matching, because the coupling relation between successive logs produces a large number of candidates. To address this challenge, we propose a divide-and-conquer algorithm that effectively positions each log record individually. In our evaluation, DroidHolmes helps existing tools achieve 94.87 on 132 apps from open-source test suites. Based on the results of DroidHolmes, the contextual information in the behaviors of 500 real-world apps is also recovered. Meanwhile, DroidHolmes incurs negligible performance overhead on the smartphone.
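The log-matching problem the abstract describes, as an added illustration that is not code from the DroidHolmes paper or its authors. It uses a constructed toy control-flow graph, hypothetical sensitive-API labels (`getDeviceId`, `openConnection`, `sendTextMessage`) and a constructed three-record audit log. `naive_match` searches whole paths, whose number grows with every branch; `position_records` locates the candidate nodes for each record on its own, and `match_logs` joins them with pairwise reachability checks between successive records only. The join step is a simplification of the divide-and-conquer idea for illustration, not the paper's algorithm; the out-of-order log shows the failure mode where a record cannot be placed after its predecessors.

```python
from collections import deque

# Constructed toy control-flow graph, not taken from the paper: node -> successors.
CFG = {
    "entry": ["a", "b"],
    "a": ["c"],
    "b": ["c"],
    "c": ["d", "e"],
    "d": ["f"],
    "e": ["f"],
    "f": ["g", "exit"],
    "g": ["exit"],
    "exit": [],
}
# Hypothetical sensitive API invoked at each node; nodes absent here are plain code.
API_AT = {
    "a": "getDeviceId",
    "b": "getDeviceId",
    "d": "openConnection",
    "e": "openConnection",
    "g": "sendTextMessage",
}
# Constructed audit log: the few invocations the device actually recorded, in order.
LOGS = ["getDeviceId", "openConnection", "sendTextMessage"]


def shortest_path(cfg, src, dst):
    """BFS over at least one edge; returns a node list from src to dst, or None."""
    parent = {}
    queue = deque()
    for succ in cfg[src]:
        if succ not in parent:
            parent[succ] = src
            queue.append(succ)
    while queue:
        node = queue.popleft()
        if node == dst:
            path = [node]
            while True:                 # walk parents back to src
                path.append(parent[path[-1]])
                if path[-1] == src:
                    return path[::-1]
        for succ in cfg[node]:
            if succ not in parent:
                parent[succ] = node
                queue.append(succ)
    return None


def enumerate_paths(cfg, node="entry", path=()):
    """Baseline: yield every simple path from node to a node without successors."""
    path = path + (node,)
    if not cfg[node]:
        yield list(path)
    for succ in cfg[node]:
        if succ not in path:            # simple paths only, so loops terminate
            yield from enumerate_paths(cfg, succ, path)


def is_subsequence(needle, hay):
    """True if every element of needle appears in hay in the same order."""
    it = iter(hay)
    return all(x in it for x in needle)


def naive_match(cfg, api_at, logs):
    """Whole-path search: enumerate every path and keep those whose API trace
    contains the log sequence in order. Returns (paths explored, matching paths)."""
    paths = list(enumerate_paths(cfg))
    hits = [p for p in paths if is_subsequence(logs, [api_at.get(n) for n in p])]
    return len(paths), hits


def position_records(api_at, logs):
    """Divide: locate the candidate nodes for each log record on its own."""
    return [[n for n, api in api_at.items() if api == rec] for rec in logs]


def match_logs(cfg, api_at, logs, entry="entry"):
    """Conquer: walk the candidate lists in log order, keeping a candidate only
    when some surviving candidate of the previous record reaches it. Coupling is
    reduced to adjacent records, so no whole-path enumeration is needed.
    Returns one concrete CFG path consistent with all records, or None."""
    survivors = {entry: [entry]}        # candidate node -> a path reaching it
    for cands in position_records(api_at, logs):
        nxt = {}
        for node in cands:
            for prev, prev_path in survivors.items():
                seg = shortest_path(cfg, prev, node)
                if seg is not None:
                    nxt[node] = prev_path + seg[1:]
                    break
        if not nxt:
            return None                 # this record cannot follow the earlier ones
        survivors = nxt
    return next(iter(survivors.values()))


if __name__ == "__main__":
    explored, hits = naive_match(CFG, API_AT, LOGS)
    print(f"naive: {explored} paths explored, {len(hits)} match")
    print("divide and conquer:", match_logs(CFG, API_AT, LOGS))
    print("out-of-order log:", match_logs(CFG, API_AT, LOGS[::-1]))
```

On this toy graph the naive search explores all 8 entry-to-exit paths to find the 4 that contain the log sequence, while the per-record positioning yields candidate sets {a, b}, {d, e}, {g} and recovers the path entry, a, c, d, f, g with only adjacent-pair reachability queries; the reversed log returns None because no `getDeviceId` node is reachable after `sendTextMessage`.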