Learning personally identifiable information transmission in android applications by using data from fast static code analysis

Abstract

The ease of use of mobile devices has resulted in a significant increase in the everyday use of mobile applications as well as the amount of personal information stored on devices. Users are becoming more aware of applications’ access to their personal information, as well as the risk that these applications may unwittingly transmit Personally Identifiable Information (PII) to third-party servers. There is no simple way to determine whether or not an application transmits PII. If this information could be made available to users before installing new applications, they could weigh the pros and cons of having the risk of their PII exposed. To detect PII transmission, heavy-weight methods like static code analysis and dynamic behavior analysis are used. They take anywhere from a few minutes to several hours of testing and analysis per application. On the other hand, in this thesis, we use fast static code analysis to extract features that we then use to build a classification model to detect PII transmission in under a minute with performance comparable to heavy-weight methods. We evaluate our model against a large number of top-ranked Android applications, totaling over 19,000. Our method is both fast and effective, making it ideal for detecting and analyzing PII transmission in mobile applications in real-time.