Mobile apps process increasing amounts of private data, giving rise to privacy concerns. Such concerns do not arise only from single apps, which might—accidentally or intentionally—leak private information to untrusted parties, but also from multiple apps communicating with each other. Certain combinations of apps can create critical data flows not detectable by analyzing single apps individually. While sophisticated tools exist to analyze data flows inside and across apps, none of these scale to large numbers of apps, given the combinatorial explosion of possible (inter-app) data flows. We present a scalable approach to analyze data flows across Android apps. At the heart of our approach is a graph-based data structure that represents inter-app flows efficiently. Following ideas from product-line analysis, the data structure exploits redundancies among flows and thereby tames the combinatorial explosion. Instead of focusing on specific installations of app sets on mobile devices, we lift traditional data-flow analysis approaches to analyze and represent data flows of all possible combinations of apps. We developed the tool Sifta and applied it to several existing app benchmarks and real-world app sets, demonstrating its scalability and accuracy.

中文翻译：

---

将应用间数据流分析提升到大型应用集

移动应用程序处理越来越多的私人数据，从而引发隐私问题。此类担忧不仅来自单个应用程序，它们可能（无意或有意）将私人信息泄露给不受信任的各方，而且还来自多个应用程序相互通信。某些应用程序组合可能会创建通过单独分析单个应用程序无法检测到的关键数据流。尽管存在用于分析应用程序内部和应用程序之间数据流的复杂工具，但鉴于可能的（应用程序间）数据流的组合爆炸，这些工具都没有扩展到大量应用程序。我们提出了一种可扩展的方法来分析跨 Android 应用的数据流。我们方法的核心是一种基于图形的数据结构，它可以有效地表示应用程序间的流。遵循产品线分析的想法，数据结构利用流之间的冗余，从而抑制组合爆炸。我们不再关注移动设备上特定应用程序集的安装，而是采用传统的数据流分析方法来分析和表示所有可能的应用程序组合的数据流。我们开发了工具 Sifta 并将其应用于多个现有的应用程序基准测试和实际应用程序集，展示了其可扩展性和准确性。