AQUA: Android QUery analyzer

Chon Ju Kim, Phyllis Frankl

    Research output: Chapter in Book/Report/Conference proceeding; Conference contribution

    Abstract

    Smart phone and tablet users typically store a variety of sensitive information on their devices, including contact information, photos, SMS messages, and custom data used by various applications. On Android devices, the data is stored in SQLite databases which applications access by constructing and executing queries, either directly or via Android content provider API calls. Before installing an application that uses a content provider, a user must grant permission for the application to read and/or write the associated data. Many users grant permission with little understanding of the risks. Even more savvy users cannot make well-informed decisions, as they are only given very coarse information about what data the application accesses. To provide users with more detailed information about how Android apps access and modify stored data, we have developed AQUA, the Android QUery Analyzer. AQUA analyzes application binary code, performing a lightweight static analysis to determine possible values of string variables that are incorporated into queries. AQUA reports on the content providers used and the database tables/attributes accessed and/or updated, allowing users to make more informed decisions about whether to grant permissions. This paper describes AQUA's design and evaluates AQUA's accuracy and performance by using it to analyze 105 popular apps downloaded from Google Play.

    Original language: English (US)
    Title of host publication: Proceedings - 19th Working Conference on Reverse Engineering, WCRE 2012
    Pages: 395-404
    Number of pages: 10
    DOIs: https://doi.org/10.1109/WCRE.2012.49
    State: Published - 2012
    Event: 19th Working Conference on Reverse Engineering, WCRE 2012 - Kingston, ON, Canada
    Duration: Oct 15 2012 - Oct 18 2012

    Other

    Other: 19th Working Conference on Reverse Engineering, WCRE 2012
    Country: Canada
    City: Kingston, ON
    Period: 10/15/12 - 10/18/12

    Fingerprint

    Application programs
    Binary codes
    Static analysis
    Application programming interfaces (API)
    Android (operating system)

    Keywords

    • Android
    • Database application
    • Static analysis

    ASJC Scopus subject areas

    • Software

    Cite this

    Kim, C. J., & Frankl, P. (2012). AQUA: Android QUery analyzer. In Proceedings - 19th Working Conference on Reverse Engineering, WCRE 2012 (pp. 395-404). [6385135] https://doi.org/10.1109/WCRE.2012.49

    @inproceedings{cc59d16cf8f346789f725443375d8a25,
    title = "AQUA: Android QUery analyzer",
    keywords = "Android, Database application, Static analysis",
    author = "Kim, {Chon Ju} and Phyllis Frankl",
    year = "2012",
    doi = "10.1109/WCRE.2012.49",
    language = "English (US)",
    isbn = "9780769548913",
    pages = "395--404",
    booktitle = "Proceedings - 19th Working Conference on Reverse Engineering, WCRE 2012",

    }
