
Student: 劉子慶 / TZU-CHING LIU
Thesis title: 一個讓使用者協助指定敏感資料的手機應用程式安全分析方法 (A smartphone application security analysis method in which users help designate sensitive data)
English title: A means to specify sensitive input fields in smartphone application for Android Apps
Advisor: 查士朝 / Shi-Cho Cha
Committee: 羅乃維 / Nai-Wei Lo; 郁方 / Fang Yu
Degree: Master
Department: College of Management, Department of Information Management
Year of publication: 2016
Graduation academic year: 104 (ROC calendar)
Language: Chinese
Pages: 44
Keywords: Android, Security Analysis, Dynamic Analysis, SensiDroid, Smartphone Security
Views: 239; Downloads: 5
    Abstract (Chinese, translated): In recent years Android smartphones have become widespread, and because users may now keep many kinds of important data on their phones, an attack by a malicious program can have a considerable impact. In response, many researchers and organizations have applied dynamic and static analysis to build malware detection tools that identify potentially malicious programs. However, current analysis methods target only the personal data obtainable through existing system APIs; none can target the data that an application asks the user to type into its user interface.
    This study therefore proposes SensiDroid, an Android application security analysis platform that incorporates user-assisted analysis: users designate the input fields in an application that collect their sensitive data and supply that field information to SensiDroid. SensiDroid then tracks the data flow from the user-designated sensitive input fields to discover misuse. The main contribution of this thesis is to complement the shortcomings of existing malware analysis tools by letting users take part in the whole application security analysis process, so that the analysis results better match user needs.


    Abstract: Smartphones have recently become very popular. Users store many kinds of important information on them, which makes smartphones a target for malicious hackers; a user who unknowingly installs a malicious application (app) faces a serious threat.
    This study focuses on the Android platform. To decide whether an Android app is malicious, many researchers and organizations have proposed static and dynamic analysis methods. Static analysis examines the app's source code or manifest file; dynamic analysis executes the app in an instrumented system and collects information about its behaviour. However, to the best of our knowledge, current Android analysis tools and methodologies usually do not consider personal data collected from user input.
    This study therefore proposes SensiDroid, which lets users specify the input fields through which an app may collect sensitive data. App users take part in the security analysis by identifying those fields, and SensiDroid then checks whether the app leaks the data collected from them to malicious destinations. The approach is intended to complement current Android application security analysis tools and improve app security.
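
The abstracts describe the core mechanism in one sentence: the user names the input fields that hold sensitive data, those fields become the only taint sources, and the analysis reports whenever data derived from them reaches a network sink. The following is an added illustration of that policy, not SensiDroid's code (SensiDroid works inside an instrumented Android runtime; this is a stand-alone model of the same label-propagation rule). The field ids, host names and form values are constructed for the example.

```python
import base64
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Tainted:
    """A string value plus the ids of the UI fields it was derived from."""
    value: str
    labels: frozenset = frozenset()

    def concat(self, other):
        # Propagation rule: the result carries the union of both label sets.
        return Tainted(self.value + other.value, self.labels | other.labels)


class Analyzer:
    """Taint sources are the fields the user marked; the sink records leaks."""

    def __init__(self, sensitive_fields):
        # Field ids designated by the user (the user-assisted step).
        self.sensitive_fields = frozenset(sensitive_fields)
        self.reports = []

    # Source: a UI read is tainted only if the user marked that field.
    def read_field(self, field_id, text):
        labels = frozenset([field_id]) if field_id in self.sensitive_fields else frozenset()
        return Tainted(text, labels)

    # Propagation: encoding and hashing keep the labels, because the output
    # still depends on the secret (the conservative taint policy).
    @staticmethod
    def b64(t):
        return Tainted(base64.b64encode(t.value.encode()).decode(), t.labels)

    @staticmethod
    def sha256(t):
        return Tainted(hashlib.sha256(t.value.encode()).hexdigest(), t.labels)

    @staticmethod
    def to_json(parts):
        labels = frozenset().union(*(p.labels for p in parts.values()))
        body = json.dumps({k: p.value for k, p in parts.items()}, sort_keys=True)
        return Tainted(body, labels)

    # Sink: any tainted payload reaching the network becomes a report.
    def network_send(self, host, payload):
        if payload.labels:
            self.reports.append({"host": host, "fields": sorted(payload.labels)})
            return True
        return False


def run_scenario(sensitive_fields):
    """Constructed app behaviour: a login form whose password is also copied
    into an analytics beacon. Returns the leak reports for the given marks."""
    az = Analyzer(sensitive_fields)
    user = az.read_field("edit_username", "alice")        # constructed ids/values
    pw = az.read_field("edit_password", "hunter2")
    az.read_field("edit_id_number", "A123456789")         # read, never sent

    login = az.to_json({"user": user, "pass": az.sha256(pw)})
    az.network_send("login.example.test", login)          # expected flow

    beacon = az.b64(user.concat(Tainted(":")).concat(pw))
    az.network_send("stats.example.test", beacon)         # unexpected flow

    az.network_send("stats.example.test", Tainted("screen=login"))  # untainted
    return az.reports


if __name__ == "__main__":
    for r in run_scenario(["edit_password"]):
        print(", ".join(r["fields"]), "->", r["host"])
```

Marking only `edit_password` yields two reports (the hashed password to the login host, the encoded password to the analytics host); marking `edit_id_number`, which is read but never transmitted, yields none. That is the property the thesis relies on: the user's designation decides what counts as a source, and the data-flow tracking decides whether it ever leaves the app.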

    Table of contents (page numbers refer to the thesis):
    Abstract (Chinese) I
    Abstract II
    Acknowledgements III
    Contents IV
    List of Figures V
    List of Tables VI
    Chapter 1 Introduction 1
      1.1 Background and Motivation 1
      1.2 Contributions 3
      1.3 Organization 4
    Chapter 2 Background and Related Work 5
      2.1 Vulnerabilities of Mobile Devices 5
      2.2 Android Application Security Analysis 10
        2.2.1 Android Static Analysis 10
        2.2.2 Android Dynamic Analysis 11
      2.3 Detection of Analysis Environments 14
    Chapter 3 System Overview 15
      3.1 Problem Definition and Scenario 15
      3.2 System Workflow 16
      3.3 System Architecture 17
    Chapter 4 Operation of the Main System Components 19
      4.1 User-Assisted Analysis Method 19
      4.2 Sensitive Input Field Analysis Method 21
      4.3 Log Processing and Presentation 24
      4.4 Test Script Generation 26
    Chapter 5 System Demonstration 28
      5.1 Implementation Environment 28
      5.2 Upload and Project Pages 29
      5.3 Analysis Execution Environment 30
      5.4 Report View Page 31
    Chapter 6 Experimental Case Study 32
    Chapter 7 Conclusions and Future Work 39
    References 40