DAPA: Degradation-Aware Privacy Analysis of Android Apps

When installing or executing an app on a smartphone, we grant it access to part of our (possibly confidential) data stored in the device. Traditional information-flow analyses aim to detect whether such information is leaked by the app to the external (untrusted) environment. The static analyser we present in this paper goes one step further. Its aim is to trace not only if information is possibly leaked (as this is almost always the case), but also how relevant such a leakage might become, as an under- and over-approximation of the actual degree of values degradation. The analysis captures both explicit dependences and implicit dependences, in an integrated approach. The analyser is built within the Abstract Interpretation framework on top of our previous work on data-centric semantics for verification of privacy policy compliance by mobile applications. Results of the experimental analysis on significant samples of the DroidBench library are also discussed.