Creating a Core Rule Set for Android Taint Analysis Tools
Context
Android applications often process sensitive data such as location, contacts, and authentication tokens. Ensuring that this information is not leaked or misused is a central challenge in mobile app security.
Taint analysis is a static or dynamic program analysis technique that tracks the flow of sensitive data from the points where it enters a program ("sources") to the points where it may be exposed or misused ("sinks"). Several tools exist to perform taint analysis on Android applications, including FlowDroid, Mariana Trench, and Joern. Each has different capabilities, rule definitions, and performance characteristics.
Motivation
Despite the availability of taint analysis tools, applying them effectively to detect privacy issues and security vulnerabilities in Android apps requires carefully designed rule sets and validation on real-world apps. By systematically testing different tools and defining core rules for Android-specific data flows, we can evaluate their effectiveness and build a foundation for future large-scale privacy/security testing. Using benchmark applications with known vulnerabilities (e.g., AndroGoat) provides a reliable way to compare the strengths and weaknesses of each tool.
Goal
What do we want to achieve?
The aim of this student work is to evaluate different taint analysis tools for Android and develop core rule sets for detecting privacy issues and vulnerabilities.
- Understand how FlowDroid, Mariana Trench, and Joern can be applied to Android apps.
- Define and implement taint analysis rules tailored for Android (e.g., location data leaks, insecure storage, sensitive data in logs).
- Benchmark and compare the tools using apps with known vulnerabilities (e.g., OWASP vulnerable test apps, open-source projects).
- Provide insights into strengths, limitations, and practical applicability of each tool for Android app analysis.
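As an added illustration (not code from this page, nor from FlowDroid, Mariana Trench or Joern), the following Python sketch shows what a "core rule" is and how a taint analysis consumes it. The rules are written in the `<signature> -> _SOURCE_` / `-> _SINK_` line format of FlowDroid's SourcesAndSinks.txt, using real Android API signatures but a constructed, deliberately short list covering three of the issues named above (location leaks, sensitive data in logs, plaintext storage). The program being analysed is a toy straight-line intermediate representation and the propagation is a single forward pass; both are simplifications assumed for the example, since the real tools work interprocedurally on Dalvik bytecode, Jimple or a code property graph.

```python
"""Minimal forward taint propagation driven by a source/sink rule set.

Added example, not part of the page or of any of the tools it names.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Set, Tuple

# --- Rule set in FlowDroid SourcesAndSinks.txt style (Soot signature -> kind).
# Signatures are real Android/Java APIs; the list itself is constructed.
CORE_RULES = """\
% sources: privacy-relevant data enters the app here
<android.location.Location: double getLatitude()> -> _SOURCE_
<android.location.Location: double getLongitude()> -> _SOURCE_
<android.telephony.TelephonyManager: java.lang.String getDeviceId()> -> _SOURCE_
% sinks: data leaves the app (logcat) or is stored in plaintext (file)
<android.util.Log: int d(java.lang.String,java.lang.String)> -> _SINK_
<java.io.FileOutputStream: void write(byte[])> -> _SINK_
"""


def parse_rules(text: str) -> Tuple[Set[str], Set[str]]:
    """Split a rule file into source and sink signature sets; '%' starts a comment."""
    sources: Set[str] = set()
    sinks: Set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("%"):
            continue
        sig, sep, kind = line.rpartition(" -> ")
        if sep != " -> " or kind not in ("_SOURCE_", "_SINK_"):
            raise ValueError(f"malformed rule: {line!r}")
        (sources if kind == "_SOURCE_" else sinks).add(sig)
    return sources, sinks


# --- Toy three-address IR (assumed for the example):
#   ("assign", dst, src)                dst = src
#   ("concat", dst, [v1, v2, ...])      dst = v1 + v2 + ...  (StringBuilder-style)
#   ("call", dst_or_None, sig, [args])  dst = sig(args); receiver is the first arg,
#                                       dst is None for void calls, string literals
#                                       are written with their quotes.
Stmt = tuple


@dataclass(frozen=True)
class Finding:
    source: str      # rule signature where the tainted value originated
    sink: str        # rule signature it reached
    stmt_index: int  # position of the sink call in the program


def analyze(program: Sequence[Stmt], rules_text: str) -> List[Finding]:
    """Forward, flow-sensitive taint propagation over straight-line code.

    `taint` maps a variable to the set of source signatures its value may
    carry.  Calls not covered by a rule are handled conservatively: the
    return value inherits the taint of every argument (real tools use
    library summaries / models here instead).
    """
    sources, sinks = parse_rules(rules_text)
    taint: Dict[str, Set[str]] = {}
    findings: List[Finding] = []

    def taint_of(var: Optional[str]) -> Set[str]:
        return set(taint.get(var, ())) if var is not None else set()

    for i, stmt in enumerate(program):
        op = stmt[0]
        if op == "assign":
            _, dst, src = stmt
            taint[dst] = taint_of(src)            # strong update on reassignment
        elif op == "concat":
            _, dst, parts = stmt
            taint[dst] = set().union(*(taint_of(p) for p in parts))
        elif op == "call":
            _, dst, sig, args = stmt
            arg_taint = set().union(*(taint_of(a) for a in args))
            if sig in sinks:                      # tainted argument reaches a sink
                for src_sig in sorted(arg_taint):
                    findings.append(Finding(src_sig, sig, i))
            if dst is not None:
                taint[dst] = {sig} if sig in sources else arg_taint
        else:
            raise ValueError(f"unknown statement {stmt!r}")
    return findings


# Constructed program, modelled on:
#   double lat = loc.getLatitude(); Log.d("GEO", "lat=" + lat);   // location -> logcat
#   String id = tm.getDeviceId(); fos.write(id.getBytes());       // device id -> file
#   Log.d("TAG", "hello");                                         // benign
EXAMPLE_PROGRAM: List[Stmt] = [
    ("call", "loc", "<android.location.LocationManager: android.location.Location getLastKnownLocation(java.lang.String)>", ["lm", "provider"]),
    ("call", "lat", "<android.location.Location: double getLatitude()>", ["loc"]),
    ("concat", "msg", ['"lat="', "lat"]),
    ("call", None, "<android.util.Log: int d(java.lang.String,java.lang.String)>", ['"GEO"', "msg"]),
    ("call", "id", "<android.telephony.TelephonyManager: java.lang.String getDeviceId()>", ["tm"]),
    ("call", "raw", "<java.lang.String: byte[] getBytes()>", ["id"]),
    ("call", None, "<java.io.FileOutputStream: void write(byte[])>", ["fos", "raw"]),
    ("call", None, "<android.util.Log: int d(java.lang.String,java.lang.String)>", ['"TAG"', '"hello"']),
]

if __name__ == "__main__":
    for f in analyze(EXAMPLE_PROGRAM, CORE_RULES):
        print(f"stmt {f.stmt_index}: {f.source}\n    -> {f.sink}")
```

Two findings are reported (the location value logged at statement 3 and the device identifier written to a file at statement 6) and the benign `Log.d` at statement 7 is not. The point for the rule-set work is that the analysis engine is generic; what decides precision and recall is which signatures end up in the rule file, and whether intermediate library calls such as `String.getBytes()` are modelled as propagating taint.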
What do we want the student to deliver?
- A comparative study of FlowDroid, Mariana Trench, and Joern for Android taint analysis.
- A set of reusable core taint rules for each tool, targeting Android privacy/security issues.
- A test report showing results on benchmark apps with known vulnerabilities.
- Documentation describing the analysis process, rule definitions, and recommendations for future use.
Requirements
What do we want the student to bring to the project?
- Programming skills in Python and Java
- Basic knowledge of machine learning and software testing
- Interest in mobile software engineering
- Interest in dynamic code analysis
Pointers
What resources and other related work could help the student to work on this project?
Taint Analysis Tools
- FlowDroid
- Joern: Code Property Graph-based analysis framework
- Mariana Trench (Meta's open-source static analysis tool)
- ReproDroid: benchmarks
Vulnerable Android Apps for Benchmarking
- DodoVulnerableBank
- MASTG-Hacking-Playground
- MASTestApp-Android-NETWORK
- iva-android
- AndroGoat
- finstergram
- InsecureShop
- Android-InsecureBankv2
- Digitalbank