{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,14]],"date-time":"2026-05-14T20:04:57Z","timestamp":1778789097784,"version":"3.51.4"},"reference-count":67,"publisher":"Association for Computing Machinery (ACM)","issue":"3","license":[{"start":{"date-parts":[[2018,4,16]],"date-time":"2018-04-16T00:00:00Z","timestamp":1523836800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000001","name":"U.S. National Science Foundation","doi-asserted-by":"publisher","award":["0644288, 0954138, 1018703, 1717862 and 1718214"],"award-info":[{"award-number":["0644288, 0954138, 1018703, 1717862 and 1718214"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100000181","name":"U.S. Air Force Office of Scientific Research","doi-asserted-by":"crossref","award":["FA9550-09-1-0138"],"award-info":[{"award-number":["FA9550-09-1-0138"]}],"id":[{"id":"10.13039\/100000181","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Priv. Secur."],"published-print":{"date-parts":[[2018,8,31]]},"abstract":"We present a new approach to static analysis for security vetting of Android apps and a general framework called Amandroid. Amandroid determines points-to information for all objects in an Android app component in a flow and context-sensitive (user-configurable) way and performs data flow and data dependence analysis for the component. Amandroid also tracks inter-component communication activities. It can stitch the component-level information into the app-level information to perform intra-app or inter-app analysis. In this article, (a) we show that the aforementioned type of comprehensive app analysis is completely feasible in terms of computing resources with modern hardware, (b) we demonstrate that one can easily leverage the results from this general analysis to build various types of specialized security analyses\u2014in many cases the amount of additional coding needed is around 100 lines of code, and (c) the result of those specialized analyses leveraging Amandroid is at least on par and often exceeds prior works designed for the specific problems, which we demonstrate by comparing Amandroid\u2019s results with those of prior works whenever we can obtain the executable of those tools. Since Amandroid\u2019s analysis directly handles inter-component control and data flows, it can be used to address security problems that result from interactions among multiple components from either the same or different apps. Amandroid\u2019s analysis is sound in that it can provide assurance of the absence of the specified security problems in an app with well-specified and reasonable assumptions on Android runtime system and its library.<\/jats:p>","DOI":"10.1145\/3183575","type":"journal-article","created":{"date-parts":[[2018,4,18]],"date-time":"2018-04-18T17:21:50Z","timestamp":1524072110000},"page":"1-32","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":137,"title":["Amandroid"],"prefix":"10.1145","volume":"21","author":[{"given":"Fengguo","family":"Wei","sequence":"first","affiliation":[{"name":"University of South Florida, Tampa, FL"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Sankardas","family":"Roy","sequence":"additional","affiliation":[{"name":"Bowling Green State University, Bowling Green, OH"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Xinming","family":"Ou","sequence":"additional","affiliation":[{"name":"University of South Florida, Tampa, FL"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"family":"Robby","sequence":"additional","affiliation":[{"name":"Kansas State University, Manhattan, KS"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2018,4,16]]},"reference":[{"key":"e_1_2_1_1_1","unstructured":"Google. 2017. Android documentation: Intent and intent filter. Retrieved from http:\/\/developer.android.com\/guide\/components\/intents-filters.html. Google. 2017. Android documentation: Intent and intent filter. Retrieved from http:\/\/developer.android.com\/guide\/components\/intents-filters.html."},{"key":"e_1_2_1_2_1","unstructured":"akka. 2016. Actors. Retrieved from http:\/\/wala.sourceforge.net\/wiki\/index.php\/UserGuide:CallGraph. akka. 2016. Actors. Retrieved from http:\/\/wala.sourceforge.net\/wiki\/index.php\/UserGuide:CallGraph."},{"key":"e_1_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/2901739.2903508"},{"key":"e_1_2_1_4_1","volume-title":"Modern Compiler Implementation in Java","author":"Appel Andrew W.","unstructured":"Andrew W. Appel . 1998. Modern Compiler Implementation in Java . Cambridge University Press . Andrew W. Appel. 1998. Modern Compiler Implementation in Java. Cambridge University Press."},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1145\/2884781.2884816"},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1145\/2594291.2594299"},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382222"},{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.5555\/2818754.2818808"},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978333"},{"key":"e_1_2_1_10_1","volume-title":"Proceedings of the 23rd USENIX CSS. 1021--1036","author":"Bhoraskar Ravi","year":"2014","unstructured":"Ravi Bhoraskar , Seungyeop Han , Jinseong Jeon , Tanzirul Azim , Shuo Chen , Jaeyeon Jung , Suman Nath , Rui Wang , and David Wetherall . 2014 . Brahmastra: Driving apps to test the security of third-party components . In Proceedings of the 23rd USENIX CSS. 1021--1036 . Ravi Bhoraskar, Seungyeop Han, Jinseong Jeon, Tanzirul Azim, Shuo Chen, Jaeyeon Jung, Suman Nath, Rui Wang, and David Wetherall. 2014. Brahmastra: Driving apps to test the security of third-party components. In Proceedings of the 23rd USENIX CSS. 1021--1036."},{"key":"e_1_2_1_11_1","unstructured":"Hiroshi Lockheimer. 2012. Android and Security. Retrieved from http:\/\/googlemobile.blogspot.com\/2012\/02\/android-and-security.html. Hiroshi Lockheimer. 2012. Android and Security. Retrieved from http:\/\/googlemobile.blogspot.com\/2012\/02\/android-and-security.html."},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/1999995.2000018"},{"key":"e_1_2_1_13_1","volume-title":"Precise analysis of string expressions. Static Analysis","author":"Christensen Aske","year":"2003","unstructured":"Aske Christensen , Anders M\u00f8ller , and Michael Schwartzbach . 2003. Precise analysis of string expressions. Static Analysis ( 2003 ), 1076--1076. Aske Christensen, Anders M\u00f8ller, and Michael Schwartzbach. 2003. Precise analysis of string expressions. Static Analysis (2003), 1076--1076."},{"key":"e_1_2_1_14_1","unstructured":"Cisco. 2014. Cisco 2014 Annual security report. Retrieved from http:\/\/www.cisco.com\/web\/offer\/gist_ty2_asset\/Cisco_2014_ASR.pdf. Cisco. 2014. Cisco 2014 Annual security report. Retrieved from http:\/\/www.cisco.com\/web\/offer\/gist_ty2_asset\/Cisco_2014_ASR.pdf."},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2012.2204249"},{"key":"e_1_2_1_16_1","unstructured":"DroidBench. 2015. DroidBench 2.0. Retrieved from https:\/\/github.com\/secure-software-engineering\/DroidBench. DroidBench. 2015. DroidBench 2.0. Retrieved from https:\/\/github.com\/secure-software-engineering\/DroidBench."},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1007\/11691372_5"},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516693"},{"key":"e_1_2_1_19_1","volume-title":"Proceedings of the USENIX OSDI.","author":"Enck William","year":"2010","unstructured":"William Enck , Peter Gilbert , Byung-Gon Chun , Landon P. Cox , Jaeyeon Jung , Patrick McDaniel , and Anmol Sheth . 2010 . TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones . In Proceedings of the USENIX OSDI. William Enck, Peter Gilbert, Byung-Gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol Sheth. 2010. TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones. In Proceedings of the USENIX OSDI."},{"key":"e_1_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/2494522"},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382205"},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/2046614.2046618"},{"key":"e_1_2_1_23_1","unstructured":"Stephen Fink and Julian Dolby. 2012. WALA--The TJ watson libraries for analysis. Retrieved from http:\/\/wala.sf.net\/. Stephen Fink and Julian Dolby. 2012. WALA--The TJ watson libraries for analysis. Retrieved from http:\/\/wala.sf.net\/."},{"key":"e_1_2_1_24_1","volume-title":"Damien Octeau, and Patrick McDaniel.","author":"Fritz Christian","year":"2013","unstructured":"Christian Fritz , Steven Arzt , Siegfried Rasthofer , Eric Bodden , Alexandre Bartel , Jacques Klein , Yves Le Traon , Damien Octeau, and Patrick McDaniel. 2013 . Highly Precise Taint Analysis for Android Application. Technical Report. EC SPRIDE. Christian Fritz, Steven Arzt, Siegfried Rasthofer, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves Le Traon, Damien Octeau, and Patrick McDaniel. 2013. Highly Precise Taint Analysis for Android Application. Technical Report. EC SPRIDE."},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-30921-2_17"},{"key":"e_1_2_1_26_1","volume-title":"Rinard","author":"Gordon Michael I.","year":"2015","unstructured":"Michael I. Gordon , Deokhwan Kim , Jeff H. Perkins , Limei Gilham , Nguyen Nguyen , and Martin C . Rinard . 2015 . Information flow analysis of android applications in droidsafe. In Proceedings of the NDSS. Citeseer . Michael I. Gordon, Deokhwan Kim, Jeff H. Perkins, Limei Gilham, Nguyen Nguyen, and Martin C. Rinard. 2015. Information flow analysis of android applications in droidsafe. In Proceedings of the NDSS. Citeseer."},{"key":"e_1_2_1_27_1","volume-title":"Proceedings of the NDSS.","author":"Grace Michael","year":"2012","unstructured":"Michael Grace , Yajin Zhou , Zhi Wang , and Xuxian Jiang . 2012 . Systematic detection of capability leaks in stock android smartphones . In Proceedings of the NDSS. Michael Grace, Yajin Zhou, Zhi Wang, and Xuxian Jiang. 2012. Systematic detection of capability leaks in stock android smartphones. In Proceedings of the NDSS."},{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/2185448.2185464"},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.5555\/2486788.2486818"},{"key":"e_1_2_1_30_1","unstructured":"ICC-Bench. 2017. Retrieved from https:\/\/github.com\/fgwei\/ICC-Bench. ICC-Bench. 2017. Retrieved from https:\/\/github.com\/fgwei\/ICC-Bench."},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/2614628.2614633"},{"key":"e_1_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.5555\/1765931.1765948"},{"key":"e_1_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/2786805.2786879"},{"key":"e_1_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.5555\/2818754.2818791"},{"key":"e_1_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/2931037.2931044"},{"key":"e_1_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2017.38"},{"key":"e_1_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382223"},{"key":"e_1_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/2889160.2889178"},{"key":"e_1_2_1_39_1","unstructured":"McAfee. 2017. Trojans ghosts and more mean bumps ahead for mobile and connected things. Retrieved from https:\/\/www.mcafee.com\/us\/resources\/reports\/rp-mobile-threat-report-2017.pdf. McAfee. 2017. Trojans ghosts and more mean bumps ahead for mobile and connected things. Retrieved from https:\/\/www.mcafee.com\/us\/resources\/reports\/rp-mobile-threat-report-2017.pdf."},{"key":"e_1_2_1_40_1","volume-title":"Principles of Program Analysis","author":"Nielson Flemming","unstructured":"Flemming Nielson , Hanne R. Nielson , and Chris Hankin . 1999. Principles of Program Analysis . Springer . Flemming Nielson, Hanne R. Nielson, and Chris Hankin. 1999. Principles of Program Analysis. Springer."},{"key":"e_1_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1145\/2837614.2837661"},{"key":"e_1_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.5555\/2818754.2818767"},{"key":"e_1_2_1_43_1","volume-title":"Proceedings of the USENIX Security Symposium.","author":"Octeau Damien","year":"2013","unstructured":"Damien Octeau , Patrick McDaniel , Somesh Jha , Alexandre Bartel , Eric Bodden , Jacques Klein , and Yves Le Traon . 2013 . Effective inter-component communication mapping in android with epicc: An essential step towards holistic security analysis . In Proceedings of the USENIX Security Symposium. Damien Octeau, Patrick McDaniel, Somesh Jha, Alexandre Bartel, Eric Bodden, Jacques Klein, and Yves Le Traon. 2013. Effective inter-component communication mapping in android with epicc: An essential step towards holistic security analysis. In Proceedings of the USENIX Security Symposium."},{"key":"e_1_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1002\/sec.360"},{"key":"e_1_2_1_45_1","volume-title":"Percoco and Sean Schulte","author":"Nicholas","year":"2012","unstructured":"Nicholas J. Percoco and Sean Schulte . 2012 . Adventures in bouncerland. Black Hat USA. Nicholas J. Percoco and Sean Schulte. 2012. Adventures in bouncerland. Black Hat USA."},{"key":"e_1_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23328"},{"key":"e_1_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23066"},{"key":"e_1_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1145\/199448.199462"},{"key":"e_1_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1016\/0304-3975(96)00072-2"},{"key":"e_1_2_1_50_1","volume-title":"Proceedings of the NDSS.","author":"Smalley Stephen","year":"2013","unstructured":"Stephen Smalley and Robert Craig . 2013 . Security enhanced (SE) Android: Bringing flexible MAC to Android . In Proceedings of the NDSS. Stephen Smalley and Robert Craig. 2013. Security enhanced (SE) Android: Bringing flexible MAC to Android. In Proceedings of the NDSS."},{"key":"e_1_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23205"},{"key":"e_1_2_1_52_1","unstructured":"Symantec. 2017. Internet security threat report. Retrieved from https:\/\/www.symantec.com\/content\/dam\/symantec\/docs\/reports\/istr-22-2017-en.pdf. Symantec. 2017. Internet security threat report. Retrieved from https:\/\/www.symantec.com\/content\/dam\/symantec\/docs\/reports\/istr-22-2017-en.pdf."},{"key":"e_1_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2015.23145"},{"key":"e_1_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.1109\/SCAM.2012.25"},{"key":"e_1_2_1_55_1","unstructured":"TrendMicro. 2017. In review: 2016\u2019s mobile threat landscape brings diversity scale and scope. Retrieved from https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/2016-mobile-threat-landscape\/. TrendMicro. 2017. In review: 2016\u2019s mobile threat landscape brings diversity scale and scope. Retrieved from https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/2016-mobile-threat-landscape\/."},{"key":"e_1_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2017.37"},{"key":"e_1_2_1_57_1","doi-asserted-by":"publisher","DOI":"10.5555\/647476.727758"},{"key":"e_1_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.1145\/2666620.2666630"},{"key":"e_1_2_1_59_1","unstructured":"WALA. 2014. UserGuide:CallGraph. http:\/\/wala.sourceforge.net\/wiki\/index.php\/UserGuide:CallGraph. WALA. 2014. UserGuide:CallGraph. http:\/\/wala.sourceforge.net\/wiki\/index.php\/UserGuide:CallGraph."},{"key":"e_1_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516727"},{"key":"e_1_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-60876-1_12"},{"key":"e_1_2_1_62_1","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660357"},{"key":"e_1_2_1_63_1","unstructured":"Wikipedia. 2016. Actor model. Retrieved from https:\/\/en.wikipedia.org\/wiki\/Actor_model. (2016). Wikipedia. 2016. Actor model. Retrieved from https:\/\/en.wikipedia.org\/wiki\/Actor_model. (2016)."},{"key":"e_1_2_1_64_1","volume-title":"Proceedings of the USENIX Security Symposium.","author":"Xu Rubin","year":"2012","unstructured":"Rubin Xu , Hassen Sa\u00efdi , and Ross Anderson . 2012 . Aurasium: Practical policy enforcement for android applications . In Proceedings of the USENIX Security Symposium. Rubin Xu, Hassen Sa\u00efdi, and Ross Anderson. 2012. Aurasium: Practical policy enforcement for android applications. In Proceedings of the USENIX Security Symposium."},{"key":"e_1_2_1_65_1","volume-title":"Proceedings of the USENIX Security Symposium. 569--584","author":"Yan Lok-Kwong","year":"2012","unstructured":"Lok-Kwong Yan and Heng Yin . 2012 . DroidScope: Seamlessly reconstructing the OS and dalvik semantic views for dynamic android malware analysis . In Proceedings of the USENIX Security Symposium. 569--584 . Lok-Kwong Yan and Heng Yin. 2012. DroidScope: Seamlessly reconstructing the OS and dalvik semantic views for dynamic android malware analysis. In Proceedings of the USENIX Security Symposium. 569--584."},{"key":"e_1_2_1_66_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.16"},{"key":"e_1_2_1_67_1","volume-title":"Proceedings of the NDSS.","author":"Zhou Yajin","year":"2012","unstructured":"Yajin Zhou , Zhi Wang , Wu Zhou , and Xuxian Jiang . 2012 . Hey, you, get off of my market: Detecting malicious apps in official and alternative android markets . In Proceedings of the NDSS. Yajin Zhou, Zhi Wang, Wu Zhou, and Xuxian Jiang. 2012. Hey, you, get off of my market: Detecting malicious apps in official and alternative android markets. In Proceedings of the NDSS."}],"container-title":["ACM Transactions on Privacy and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3183575","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3183575","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3183575","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T01:08:12Z","timestamp":1750208892000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3183575"}},"subtitle":["A Precise and General Inter-component Data Flow Analysis Framework for Security Vetting of Android Apps"],"short-title":[],"issued":{"date-parts":[[2018,4,16]]},"references-count":67,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2018,8,31]]}},"alternative-id":["10.1145\/3183575"],"URL":"https:\/\/doi.org\/10.1145\/3183575","relation":{},"ISSN":["2471-2566","2471-2574"],"issn-type":[{"value":"2471-2566","type":"print"},{"value":"2471-2574","type":"electronic"}],"subject":[],"published":{"date-parts":[[2018,4,16]]},"assertion":[{"value":"2017-05-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2018-01-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2018-04-16","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}