TaintMan: an ART-Compatible Dynamic Taint Analysis Framework on Unmodified and Non-Rooted Android Devices
IEEE Transactions on Dependable and Secure Computing (IF 7.0), Pub Date: 2020-01-01, DOI: 10.1109/tdsc.2017.2740169
Wei You, Bin Liang, Wenchang Shi, Peng Wang, Xiangyu Zhang

Dynamic taint analysis (DTA), as a mainstream information flow tracking technique, has been widely used in mobile security. On the Android platform, the existing DTA approaches are typically implemented by instrumenting the Dalvik virtual machine (DVM) interpreter or the Android emulator with taint enforcement code. The most prominent problem of the interpreter-based approaches is that they cannot work in the new Android RunTime (ART) environment introduced since the 5.0 release. For the emulator-based approaches, the most prominent problem is that they cannot be deployed on real devices. In addition, almost all the existing Android DTA approaches only concern the explicit information flow caused by data dependence, while completely ignoring the impact of implicit information flow caused by control dependence. These problems limit their adoption in the latest Android system and make them ineffective in detecting the state-of-the-art malware whose privacy-breaching behaviors are inactivated in the analyzed environment (e.g., the emulator) or conducted via implicit information flow. In this paper, we present TaintMan, an ART-compatible DTA framework that can be deployed on unmodified and non-rooted Android devices. In TaintMan, the taint enforcement code is statically instrumented into both the target application and the system class libraries to track data flow and common control flow. A specially designed execution environment reconstruction technique, named reference hijacking, is proposed to force the target application to reference the instrumented system class libraries. By enforcing on-demand instrumentation and on-demand tracking, the performance overhead is significantly reduced. We have developed TaintMan and deployed it on two popular stock smartphones (HTC One S equipped with Android-4.0 and Motorola MOTO G equipped with Android-5.0). The evaluation with malware samples and real-world applications shows that TaintMan can effectively detect privacy leakage behaviors with an acceptable performance overhead.
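The abstract's distinction between explicit flow (data dependence) and implicit flow (control dependence) can be made concrete with a toy tracker. This is an added illustration, not code from the paper or from TaintMan; the class and function names and the `IMEI` source label are hypothetical, and the sample value is constructed.

```python
# Added illustration: a toy taint model. All names are hypothetical, not TaintMan's API.
from contextlib import contextmanager

class TVal:
    """A value plus the set of source labels it depends on."""
    def __init__(self, value, taint=()):
        self.value, self.taint = value, frozenset(taint)

class Tracker:
    def __init__(self, track_control):
        self.track_control = track_control
        self.pc = []  # taint of the branch conditions currently being executed

    def _pc_taint(self):
        # Control-dependence taint applies only when the tracker models it.
        return frozenset().union(*self.pc) if self.track_control else frozenset()

    def const(self, v):
        return TVal(v, self._pc_taint())

    def add(self, a, b):
        # Data dependence: the result carries the taint of both operands.
        return TVal(a.value + b.value, a.taint | b.taint | self._pc_taint())

    @contextmanager
    def branch(self, cond):
        self.pc.append(cond.taint)
        try:
            yield
        finally:
            self.pc.pop()

def explicit_copy(tr, secret):
    return tr.add(secret, tr.const(0))      # secret flows through an operand

def implicit_copy(tr, secret, bits=8):
    out = tr.const(0)
    for i in range(bits):
        bit = TVal((secret.value >> i) & 1, secret.taint)
        with tr.branch(bit):                # branch condition depends on the secret
            if bit.value:
                out = tr.add(out, tr.const(1 << i))  # only constants are added
    return out

def run(flow, track_control, secret=0xA5):
    tr = Tracker(track_control)
    out = flow(tr, TVal(secret, {"IMEI"}))  # constructed sample source label
    return out.value, bool(out.taint)       # (value at the sink, flagged as tainted?)

if __name__ == "__main__":
    for flow in (explicit_copy, implicit_copy):
        for ctl in (False, True):
            print(flow.__name__, "track_control=%s" % ctl, run(flow, ctl))
```

With data-only tracking the implicit copy delivers the full value to the sink with an empty taint set; enabling the control-dependence stack flags it.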

Updated: 2020-01-01