Flowverine: Leveraging Dataflow Programming for Building Privacy-Sensitive Android Applications

Software security is a fundamental dimension in the development of mobile applications (apps). Since many apps have access to sensitive data (e.g., collected from a smartphone's sensors), the presence of security vulnerabilities may put that data in danger and lead to privacy violations. Unfortunately, existing security solutions for Android are either too cumbersome to use by common app developers, or may require the modification of Android OS. This paper presents Flowverine, a system for building privacy-sensitive mobile apps for unmodified Android platforms. Flowverine exposes an API based on a dataflow programming model which allows for efficient taint tracking of sensitive data flows within each app. By checking such flows against a security policy, Flowverine can then prevent potential privacy violations. We implemented a prototype of our system. Our evaluation shows that Flowverine can be used to implement mobile applications that handle security-sensitive information flows while preserving compatibility with existing Android OS and incurring small performance overheads.