We described in detail how we chose the configuration for each tool in Section 3.2 of our paper, and we provided the list of sources and sinks we used in Section 3.4 (Table 3) of our paper.
This section contains (1) the full list of benchmarks (from DroidBench and ICCBench) that we use in our study, (2) the target criterion of each application, and (3) the ground truth we follow, determined by the list of sources/sinks and the tool configurations we use.
There are seven columns in the table. Here we explain every column and provide suggestions to the readers about how to read the table:
Category | AppID | AppName | TargetCriteriaID | TargetCriteriaDescription | # designer's expected flow(s) | # our expected flow(s) |
DroidBench | ||||||
1. Aliasing | 1 | Merge1 | DB1.1 | Aliases must be computed precisely or a false positive will be found. | 0 | 1 |
2. Android Specific | 2 | ApplicationModeling1 | DB2.1 | The analysis tool has to be able to resolve explicit Intent carrying tainted sensitive information. | 1 | 0 |
3 | DirectLeak1 | DB2.2 | The value of a source is directly sent to a sink. | 1 | 1 | |
4 | InactiveActivity | DB2.3 | The analysis has to be aware that the activity is set to inactive in manifest file. | 0 | 0 | |
5 | Library2 | DB2.4 | The analysis must correctly handle custom libraries. | 1 | 1 | |
6 | LogNoLeak | DB2.5 | The analysis has to be aware that no tainted value can reach the sink. | 0 | 0 | |
7 | Obfuscation1 | DB2.6 | The analysis must not be fooled by fake implementations of system classes contained in the APK file. | 1 | 1 | |
8 | Parcel1 | DB2.7 | Parcel marshalling and unmarshalling. | 1 | 1 | |
9 | PrivateDataLeak3 | DB2.8 | The analysis must propagate taints across file system accesses. | 2 | 1 | |
10 | PublicAPIField1 | DB2.9 | Must have accurate modeling for API classes that expose fields. | 1 | 1 | |
11 | PublicAPIField2 | DB2.10 | Analysis must have a model of Intent implementation to setter / getter of Intent fields. | 1 | 1 | |
3. Arrays And Lists | 12 | ArrayAccess1 | DB3.1 | The analysis must distinguish between different array positions to recognize that the tainted data does not get leaked. | 0 | 0 |
13 | ArrayAccess2 | DB3.2 | The analysis must distinguish between different array positions and has to evaluate the function to recognize that the tainted data does not get leaked. | 0 | 0 | |
14 | ArrayCopy1 | DB3.3 | The analysis tool must have a model for System.arraycopy(). | 1 | 1 | |
15 | ArrayToString1 | DB3.4 | Have to model that Array.toString invokes toString() for each object of array. | 1 | 1 | |
16 | HashMapAccess1 | DB3.5 | The analysis must distinguish between different hash map entries to recognize that the tainted data does not get leaked. | 0 | 0 | |
17 | ListAccess1 | DB3.6 | The analysis must distinguish between different list positions to recognize that the tainted data does not get leaked. | 0 | 0 | |
18 | MultidimensionalArray1 | DB3.7 | The analysis tool has to be able to track an element within a multidimensional array. | 1 | 1 | |
4. Callbacks | 19 | AnonymousClass1 | DB4.1 | The analysis must handle callbacks, anonymous inner classes and static fields. | 2 | 2 |
20 | Button1 | DB4.2 | The analysis must analyze the layout xml file and take the lifecycle into account (onCreate is executed before user interaction). | 1 | 1 | |
21 | Button2 | DB4.3 | The analysis must be able to analyze listeners, know that callback of button3 is ClickOnButton3 (defined in xml file) and has to handle the arbitrary order of the listener callbacks. | 3 | 3 | |
22 | Button3 | DB4.4 | The analysis must be able to detect callback handlers registered in other callback handlers. | 1 | 1 | |
23 | Button4 | DB4.5 | The analysis must analyze the layout xml file and correctly handle include directives. | 1 | 1 | |
24 | Button5 | DB4.6 | Must correctly model that a Button is represented by a single object in the runtime, and that object is delivered to multiple calls of onClick. | 1 | 1 | |
25 | LocationLeak1 | DB4.7 | The analysis must be able to emulate the Android activity lifecycle correctly, integrate the callback method onLocationChanged and detect the callback methods as source. This example contains a location information leakage in the onResume() callback method. The data source is placed into the onLocationChanged() callback method, especially the parameter "loc". | 2 | 2 | |
26 | LocationLeak2 | DB4.8 | The analysis must be able to emulate the Android activity lifecycle correctly, integrate the callback method onLocationChanged and detect the callback methods as source. This example contains a location information leakage in the onResume() callback method. The data source is placed into the onLocationChanged() callback method, especially the parameter "loc". In contrast to LocationLeak1 the activity implements the Listener directly (no inner class). | 2 | 2 | |
27 | LocationLeak3 | DB4.9 | The analysis must be able to emulate the Android activity lifecycle correctly, integrate the callback method onLocationChanged, detect the callback methods as source and connect the callback class to the activity via the interface. | 1 | 2 | |
28 | MethodOverride1 | DB4.10 | The analysis must be able to detect the leak in an internal Android method that is overwritten. | 1 | 1 | |
29 | MultiHandlers1 | DB4.11 | The analysis must be able to correctly associate callback handlers with the respective activities. | 0 | 0 | |
30 | Ordering1 | DB4.12 | The analysis must take the order of callback registration and sink call into account. | 0 | 0 | |
31 | RegisterGlobal1 | DB4.13 | The analysis must support globally-registered callback handlers. | 1 | 1 | |
32 | RegisterGlobal2 | 1 | 1 | |||
33 | Unregister1 | DB4.14 | The analysis must take into account that callbacks can be unregistered again. | 0 | 0 | |
5. Emulator Detection | 34 | ContentProvider1 | DB5.1 | The (dynamic) analysis must avoid being detected and circumvented. Sends the IMEI as an SMS message and writes it to the log file. Emulator detection is performed on the IMEI and the app is killed if the IMEI is a 00..00 pattern. | 2 | 2 |
35 | IMEI1 | DB5.2 | The (dynamic) analysis must avoid being detected and circumvented. Sends the IMEI as an SMS message and writes it to the log file. Emulator detection is performed by cutting the secret message at an index computed on the IMEI which is known to always be 000..0 on an emulator. | 2 | 0 | |
36 | PlayStore1 | DB5.3 | The (dynamic) analysis must avoid being detected and circumvented. Sends the IMEI as an SMS message and writes it to the log file. Emulator detection is performed by checking whether the Play Store app is installed on the system. | 2 | 2 | |
6. Field And Object Sensitivity | 37 | FieldSensitivity1 | DB6.1 | The analysis must be able to distinguish between different fields of an object. | 0 | 0 |
38 | FieldSensitivity2 | DB6.2 | The analysis must be able to distinguish between different fields of an object. An object has two fields, the one that gets tainted is sent to a sink. | 0 | 0 | |
39 | FieldSensitivity3 | DB6.3 | The analysis must be able to distinguish between different fields of an object. This is an easier version of FieldSensitivity1. | 1 | 1 | |
40 | FieldSensitivity4 | DB6.4 | The analysis has to consider the order of the statements for tainted fields. | 0 | 0 | |
41 | InheritedObjects1 | DB6.5 | The analysis must be able to decide on the subtype of a variable based on a condition. | 1 | 1 | |
42 | ObjectSensitivity1 | DB6.6 | The analysis must be able to distinguish between two objects of the same type that are initialized by the same constructor. | 0 | 0 | |
43 | ObjectSensitivity2 | DB6.7 | The analysis must be able to remove taints from variables and fields. | 0 | 0 | |
7. General Java | 44 | Clone1 | DB7.1 | Must model clone of list. | 1 | 1 |
45 | Exceptions1 | DB7.2 | The analysis must handle exceptions. | 1 | 1 | |
46 | Exceptions2 | DB7.3 | The analysis must handle implicit exceptions. | 1 | 1 | |
47 | Exceptions3 | DB7.4 | The analysis must precisely model which exceptions can occur and which ones can't. | 0 | 0 | |
48 | Exceptions4 | DB7.5 | The analysis must handle exception data. | 1 | 1 | |
49 | FactoryMethods1 | DB7.6 | The analysis must be able to handle factory methods contained in the operating system. | 2 | 2 | |
50 | Loop1 | DB7.7 | The analysis must handle standard java constructs. | 1 | 1 | |
51 | Loop2 | 1 | 1 | |||
52 | Serialization1 | DB7.8 | Must model serialization. | 1 | 1 | |
53 | SourceCodeSpecific1 | DB7.9 | The analysis must handle standard java constructs. Tainted data is created in a condition branch and afterwards sent to a sink in a loop. | 1 | 1 | |
54 | StartProcessWithSecret1 | DB7.10 | The analysis tool has to be able to track taint flown to sink through a receiver. | 1 | 1 | |
55 | StaticInitialization1 | DB7.11 | The analysis has to consider static initialization. Tainted data is leaked to a sink during static initialization of a class. | 1 | 1 | |
56 | StaticInitialization2 | DB7.12 | The analysis has to consider static initialization. Sensitive data is obtained during static initialization of a class and leaked in non-static code. | 1 | 1 | |
57 | StaticInitialization3 | DB7.13 | The order of execution of static initializers is not defined in Java. This test stresses a particular order to link a flow. | 1 | 1 | |
58 | StringFormatter1 | DB7.14 | Modeling of StringBuffer and StringFormatter. | 1 | 1 | |
59 | StringPatternMatching1 | DB7.15 | Flows through multiple objects allocated in API code. | 1 | 1 | |
60 | StringToCharArray1 | DB7.16 | The analysis tool has to be able to follow taint through character-string conversion. | 1 | 1 | |
61 | StringToOutputStream1 | DB7.17 | The analysis tool has to be able to track tainted value through different stream/memory operations. | 1 | 1 | |
62 | UnreachableCode | DB7.18 | The analysis has to discover that the unit is not called. | 0 | 0 | |
63 | VirtualDispatch1 | DB7.19 | The analysis must be able to handle invoke-virtual statements. Additionally the clickButton() callback must be correctly considered as a callback. | 1 | 1 | |
64 | VirtualDispatch2 | DB7.20 | The analysis tool has to be able to differentiate the base and the derived class objects. | 1 | 1 | |
65 | VirtualDispatch3 | DB7.21 | The callgraph analysis must be able to deal with factory methods. | 0 | 0 | |
8. Inter Component Communication | 66 | ActivityCommunication1 | DB8.1 | The analysis must be able to model the lifecycle of Activities and allow arbitrary execution order of the Activities. | 1 | 1 |
67 | ActivityCommunication2 | DB8.2 | The analysis tool has to be able to evaluate substring operation and track tainted value through another Activity. | 1 | 2 | |
68 | ActivityCommunication3 | DB8.3 | The analysis tool has to be able to resolve component from a name and track it through startActivity. | 1 | 2 | |
69 | ActivityCommunication4 | DB8.4 | The analysis tool needs to be able to analyze constant string with concatenation operation and able to resolve the Intent for the resulted string and follow tainted data to the next Activity. | 1 | 2 | |
70 | ActivityCommunication5 | DB8.5 | The analysis tool must be able to resolve Intent's component from a component name and follow the taint to another Activity. | 1 | 2 | |
71 | ActivityCommunication6 | DB8.6 | The analysis tool has to be able to track an Intent through a list operation. | 1 | 2 | |
72 | ActivityCommunication7 | DB8.7 | The analysis tool has to be able to resolve an Intent of a non-constant Activity class. | 1 | 2 | |
73 | ActivityCommunication8 | DB8.8 | The analysis tool has to be able to track a string through the list, then resolve Intent's action and follow the Intent to the Activity to be activated. | 1 | 2 | |
74 | BroadcastTaintAndLeak1 | DB8.9 | The analysis tool has to be able to recognize a broadcast receiver and models its IntentFilter. | 1 | 2 | |
75 | ComponentNotInManifest1 | DB8.10 | The analysis must recognize that activity is not startable if it is not in the AndroidManifest.xml | 0 | 1 | |
76 | EventOrdering1 | DB8.11 | The analysis tool has to be able to take into account different runs of the app. In this case, the end of one run is the source and the beginning of the next run is the sink. | 1 | 1 | |
77 | IntentSink1 | DB8.12 | The analysis must be able to track the taint in the intent and recognize the setResult sink. | 1 | 1 | |
78 | IntentSink2 | DB8.13 | The analysis must be able to parse the layout xml file correctly, track the taint in the intent and recognize the startActivity sink. | 1 | 1 | |
79 | IntentSource1 | DB8.14 | The analysis must be able to track the taint in the intent and recognize the onActivityResult(-1,-1,intent) source. | 2 | 0 | |
80 | ServiceCommunication1 | DB8.15 | The analysis tool has to be able through ICC message passing / Handler constructs. | 1 | 1 | |
81 | SharedPreferences1 | DB8.16 | Modeling of SharedPreferences. | 1 | 1 | |
82 | Singletons1 | DB8.17 | Analysis has to reason about all legal interleavings of separate components. | 1 | 1 | |
83 | UnresolvableIntent1 | DB8.18 | The analysis tool has to be able to identify unresolvable Intent and not associate the unresolved Intent with any Activity. | 2 | 3 | |
9. Lifecycle | 84 | ActivityLifecycle1 | DB9.1 | The analysis must be able to handle the activity lifecycle correctly and handle try/catch blocks. | 1 | 1 |
85 | ActivityLifecycle2 | DB9.2 | The analysis must be able to handle the activity lifecycle correctly and detect the callback method that is inherited from a superclass. | 1 | 1 | |
86 | ActivityLifecycle3 | DB9.3 | The analysis must be able to handle the activity lifecycle correctly, in particular the less common instanceState callbacks. | 1 | 1 | |
87 | ActivityLifecycle4 | DB9.4 | The analysis must be able to handle the activity lifecycle correctly and deal with loops in the lifecycle because originally onPause is called before onResume. | 1 | 1 | |
88 | ActivitySavedState1 | DB9.5 | Event ordering and Activity saved state. | 1 | 1 | |
89 | ApplicationLifecycle1 | DB9.6 | Correct handling of the Application object in the component lifecycle. | 1 | 1 | |
90 | ApplicationLifecycle2 | DB9.7 | Correct handling of callbacks in the Application object. | 1 | 1 | |
91 | ApplicationLifecycle3 | DB9.8 | Correct handling of the Application object and the ContentProvider. Note that the ContentProvider.onCreate() method is called before Application.onCreate() is invoked. | 1 | 1 | |
92 | AsynchronousEventOrdering1 | DB9.9 | The analysis must account for all legal ordering of asynch events with respect to the activity lifecycle. | 1 | 1 | |
93 | BroadcastReceiverLifecycle1 | DB9.10 | The analysis must be able to handle the broadcast receiver lifecycle correctly and evaluate the condition. | 1 | 1 | |
94 | BroadcastReceiverLifecycle2 | DB9.11 | The analysis must be able to handle the dynamic registration of broadcast receivers. | 1 | 1 | |
95 | EventOrdering1 | DB9.12 | Test case for considering all possible event orderings for event. There is a leak when onLowMemory is called twice without a call to onContentChanged(). | 1 | 1 | |
96 | FragmentLifecycle1 | DB9.13 | The analysis has to be aware of the lifecycle methods of fragments. The fragment is not defined in xml but in the code. | 1 | 1 | |
97 | FragmentLifecycle2 | DB9.14 | The analysis tool must handle Fragment, its callbacks, and association with the parent Activity properly. | 1 | 1 | |
98 | ServiceLifecycle1 | DB9.15 | The analysis must be able to handle the service lifecycle correctly. | 1 | 1 | |
99 | ServiceLifecycle2 | DB9.16 | Same service object is used for each startService -> onStartCommand call. | 1 | 1 | |
100 | SharedPreferenceChanged1 | DB9.17 | In this case, the change listener has to be called with the shared preferences that are changed. | 1 | 1 | |
10. Reflection | 101 | Reflection1 | DB10.1 | The analysis must be able to handle reflective class instantiations. | 1 | 1 |
102 | Reflection2 | DB10.2 | The analysis must be able to handle code implemented in classes loaded using reflection. | 1 | 1 | |
103 | Reflection3 | DB10.3 | The analysis must be able to handle reflective invocations of methods without type information on the target class. | 1 | 1 | |
104 | Reflection4 | DB10.4 | The analysis must be able to correctly handle sources and sinks in classes used through reflection. | 1 | 1 | |
11. Threading | 105 | AsyncTask1 | DB11.1 | The analysis must be able to correctly handle Android's AsyncTask mechanism. | 1 | 1 |
106 | Executor1 | DB11.2 | The analysis must be able to correctly handle Java's Executor mechanism. | 1 | 1 | |
107 | JavaThread1 | DB11.3 | The analysis must be able to correctly handle Java threads. Sensitive data is read in onCreate() and sent out in a dedicated thread started using Java's normal threading mechanism. | 1 | 1 | |
108 | JavaThread2 | DB11.4 | The analysis must be able to correctly handle Java threads. Sensitive data is read in onCreate() and sent out in a dedicated thread started using Java's Runnable mechanism. | 1 | 1 | |
109 | Looper1 | DB11.5 | The analysis must be able to correctly handle Android's Looper infrastructure. | 1 | 1 | |
ICCBench | ||||||
1. Icc Handling | 1 | icc_explicit_nosrc_nosink | ICC1.1 | The analysis must be able to resolve explicit ICC calls and handle data flow across different components. Insensitive v is sent to component FooActivity via explicit ICC. | 0 | 0 |
2 | icc_explicit_nosrc_sink | 0 | 0 | |||
3 | icc_explicit_src_nosink | ICC1.2 | The analysis must be able to resolve explicit ICC calls and handle data flow across different components. The value v of a source is sent to component FooActivity via explicit ICC. | 0 | 1 | |
4 | icc_explicit_src_sink | 1 | 2 | |||
13 | icc_explicit1 | 1 | 2 | |||
5 | icc_implicit_nosrc_nosink | ICC1.3 | The analysis must be able to resolve implicit (Action) ICC calls and handle data flow across different components. Insensitive value v is sent to component FooActivity via implicit ICC. | 0 | 0 | |
6 | icc_implicit_nosrc_sink | 0 | 0 | |||
7 | icc_implicit_src_nosink | ICC1.4 | The analysis must be able to resolve implicit (Action) ICC calls and handle data flow across different components. The value v of a source is sent to component FooActivity via implicit ICC. | 1 | 1 | |
8 | icc_implicit_src_sink | 2 | 2 | |||
14 | icc_implicit_action | 2 | 2 | |||
9 | icc_intentservice | ICC1.5 | The analysis must be able to resolve IntentService and handle data flow across different components. | 1 | 1 | |
10 | icc_stateful | ICC1.6 | The analysis must be able to resolve stateful ICC call and handle data flow across different components. | 3 | 2 | |
2. Icc Target Finding | 11 | icc_dynregister1 | ICC2.1 | The analysis must be able to resolve dynamically registered component, implicit ICC calls and handle data flow across different components. | 2 | 2 |
12 | icc_dynregister2 | ICC2.2 | The analysis must be able to handle string manipulation, resolve dynamically registered component, implicit ICC calls and handle data flow across different components. | 2 | 2 | |
15 | icc_implicit_category | ICC2.3 | The analysis must be able to resolve implicit (Categories) ICC calls and handle data flow across different components. | 2 | 2 | |
16 | icc_implicit_data1 | ICC2.4 | The analysis must be able to resolve implicit (Data) ICC calls and handle data flow across different components. | 2 | 2 | |
17 | icc_implicit_data2 | ICC2.5 | The analysis must be able to resolve implicit (MType) ICC calls and handle data flow across different components. | 2 | 2 | |
18 | icc_implicit_mix1 | ICC2.6 | The analysis must be able to resolve implicit (Data & MType) ICC calls and handle data flow across different components. | 3 | 3 | |
19 | icc_implicit_mix2 | ICC2.7 | The analysis must be able to resolve implicit (Mix all) ICC calls and handle data flow across different components. | 2 | 2 | |
3. Mixed | 20 | icc_rpc_comprehensive | ICC3.1 | The analysis must be able to resolve AIDL, stateful ICC and handle data flow across different components. | 3 | 2 |
4. Rpc Handling | 21 | rpc_localservice | ICC4.1 | The analysis must be able to resolve LocalService and handle data flow across different components. | 1 | 1 |
22 | rpc_messengerservice | ICC4.2 | The analysis must be able to resolve MessengerService and handle data flow across different components. | 1 | 1 | |
23 | rpc_remoteservice | ICC4.3 | The analysis must be able to resolve AIDL and handle data flow across different components. | 1 | 1 | |
24 | rpc_returnsensitive | ICC4.4 | The analysis must be able to resolve LocalService and handle data flow across different components. | 1 | 1 |
CriteriaID | CriteriaDescription |
UBC1 | Handle taint propagation through setHint() and getHint() methods of Android widgets [IccTA, AmanDroid]. |
UBC2 | Detect flows from location-related sources to sinks. [AmanDroid]. |
UBC3 | Do not treat callback Intent parameters as sources [AmanDroid]. |
UBC4 | Report correct entry method of the flow [DroidSafe]. |
UN | Fail to detect flow due to unknown reasons [IccTA, AmanDroid, DroidSafe]. |
Tool crashes with exceptions (NullPointerException, etc.) during analysis [IccTA]. |
In this section, we list in detail our manual inspection results on the sources of failures, benchmark by benchmark. The table below has multiple columns; we describe each column and provide instructions on how to read the table.
The table consists of two main parts, which are:
Highlighted: flows reported by tools which are not originally designed for the tool.
App | TargetCriteriaID | FlowDroid+IccTA | AmanDroid | DroidSafe | |||||||||
FP | FN | FP | FN | FP | FN | ||||||||
#FP | Criteria | #FN | Criteria | #FP | Criteria | #FN | Criteria | #FP | Criteria | #FN | Criteria | ||
DroidBench | |||||||||||||
1.Merge1 | DB1.1 | 0 | 0 | 0 | 0 | 0 | 0 | ||||||
2.ApplicationModeling1 | DB2.1 | 0 | 0 | 0 | 0 | 0 | 0 | ||||||
3.DirectLeak1 | DB2.2 | 0 | 0 | 0 | 0 | 0 | 0 | ||||||
4.InactiveActivity | DB2.3 | 0 | 0 | 0 | 0 | 0 | 0 | ||||||
5.Library2 | DB2.4 | 0 | 0 | 0 | 0 | 0 | 0 | ||||||
6.LogNoLeak | DB2.5 | 0 | 0 | 0 | 0 | 0 | 0 | ||||||
7.Obfuscation1 | DB2.6 | 0 | 0 | 0 | 0 | 0 | 1 | 1xDB2.6 | |||||
8.Parcel1 | DB2.7 | 0 | 0 | 0 | 1 | 1xDB2.7 | 0 | 0 | |||||
9.PrivateDataLeak3 | DB2.8 | 0 | 1 | 1xDB2.8 | 0 | 1 | 1xDB2.8 | 0 | 0 | ||||
10.PublicAPIField1 | DB2.9 | 0 | 0 | 0 | 0 | 0 | 0 | ||||||
11.PublicAPIField2 | DB2.10 | 0 | 1 | 1xDB2.10 | 0 | 0 | 0 | 0 | |||||
12.ArrayAccess1 | DB3.1 | 1 | 1xDB3.1 | 0 | 1 | 1xDB3.1 | 0 | 1 | 1xDB3.1 | 0 | |||
13.ArrayAccess2 | DB3.2 | 1 | 1xDB3.2 | 0 | 1 | 1xDB3.2 | 0 | 1 | 1xDB3.2 | 0 | |||
14.ArrayCopy1 | DB3.3 | 0 | 0 | 0 | 1 | 1xDB3.3 | 0 | 0 | |||||
15.ArrayToString1 | DB3.4 | 0 | 0 | 0 | 1 | 1xDB3.4 | 0 | 0 | |||||
16.HashMapAccess1 | DB3.5 | 1 | 1xDB3.5 | 0 | 1 | 1xDB3.5 | 0 | 1 | 1xDB3.5 | 0 | |||
17.ListAccess1 | DB3.6 | 1 | 1xDB3.6 | 0 | 1 | 1xDB3.6 | 0 | 1 | 1xDB3.6 | 0 | |||
18.MultidimensionalArray1 | DB3.7 | 0 | 0 | 0 | 0 | 0 | 0 | ||||||
19.AnonymousClass1 | DB4.1 | 0 | 0 | 2 | 1xDB6.1; 1xUBC2 | 2 | 2xUBC2 | 0 | 0 | ||||
20.Button1 | DB4.2 | 0 | 0 | 0 | 0 | 0 | 0 | ||||||
21.Button2 | DB4.3 | 1 | 1xDB6.7 | 0 | 0 | 0 | 1 | 1xDB6.4 | 0 | ||||
22.Button3 | DB4.4 | 0 | 0 | 0 | 1 | 1xDB4.4 | 0 | 0 | |||||
23.Button4 | DB4.5 | 0 | 0 | 0 | 1 | 1xDB4.5 | 0 | 0 | |||||
24.Button5 | DB4.6 | 0 | 1 | 1xUBC1 | 0 | 1 | 1xUBC1 | 0 | 0 | ||||
25.LocationLeak1 | DB4.7 | 0 | 0 | 3 | 1xDB6.1; 2xUBC2 | 2 | 2xUBC2 | 0 | 0 | ||||
26.LocationLeak2 | DB4.8 | 0 | 0 | 3 | 1xDB6.1; 2xUBC2 | 2 | 2xUBC2 | 0 | 0 | ||||
27.LocationLeak3 | DB4.9 | 0 | 0 | 2 | 1xDB6.1; 1xUBC2 | 2 | 2xUBC2 | 0 | 0 | ||||
28.MethodOverride1 | DB4.10 | 0 | 0 | 0 | 0 | 0 | 0 | ||||||
29.MultiHandlers1 | DB4.11 | 0 | 0 | 4 | 4xDB4.11 | 0 | 0 | 0 | |||||
2xDB6.1; 2xUBC2 |
|||||||||||||
30.Ordering1 | DB4.12 | 0 | 0 | 3 | 3xDB4.12 | 0 | 2 | 2xDB4.12 | 0 | ||||
1xDB6.1; 2xUBC2 |
|||||||||||||
31.RegisterGlobal1 | DB4.13 | 0 | 0 | 0 | 1 | 1xDB4.13 | 0 | 0 | |||||
32.RegisterGlobal2 | 0 | 0 | 0 | 1 | 1xDB4.13 | 0 | 0 | ||||||
33.Unregister1 | DB4.14 | 1 | 1xDB4.14 | 0 | 1 | 1xDB4.14 | 0 | 1 | 1xDB4.14 | 0 | |||
34.ContentProvider1 | DB5.1 | 0 | 0 | 0 | 0 | 0 | 0 | ||||||
35.IMEI1 | DB5.2 | 0 | 0 | 0 | 0 | 0 | 0 | ||||||
36.PlayStore1 | DB5.3 | 0 | 0 | 0 | 0 | 0 | 0 | ||||||
37.FieldSensitivity1 | DB6.1 | 0 | 0 | 0 | 0 | 0 | 0 | ||||||
38.FieldSensitivity2 | DB6.2 | 0 | 0 | 0 | 0 | 0 | 0 | ||||||
39.FieldSensitivity3 | DB6.3 | 0 | 0 | 0 | 0 | 0 | 0 | ||||||
40.FieldSensitivity4 | DB6.4 | 0 | 0 | 0 | 0 | 1 | 1xDB6.4 | 0 | |||||
41.InheritedObjects1 | DB6.5 | 0 | 0 | 0 | 0 | 0 | 0 | ||||||
42.ObjectSensitivity1 | DB6.6 | 0 | 0 | 0 | 0 | 0 | 0 | ||||||
43.ObjectSensitivity2 | DB6.7 | 0 | 0 | 0 | 0 | 1 | 1xDB6.7 | 0 | |||||
44.Clone1 | DB7.1 | 0 | 0 | 0 | 0 | 0 | 0 | ||||||
45.Exceptions1 | DB7.2 | 0 | 0 | 0 | 0 | 0 | 0 | ||||||
46.Exceptions2 | DB7.3 | 0 | 0 | 0 | 0 | 0 | 0 | ||||||
47.Exceptions3 | DB7.4 | 1 | 1xDB7.4 | 0 | 1 | 1xDB7.4 | 0 | 1 | 1xDB7.4 | 0 | |||
48.Exceptions4 | DB7.5 | 0 | 0 | 0 | 1 | 1xDB7.5 | 0 | 0 | |||||
49.FactoryMethods1 | DB7.6 | 0 | 0 | 1 | 1xDB6.1 | 2 | 2xUBC2 | 0 | 0 | ||||
50.Loop1 | DB7.7 | 0 | 0 | 0 | 0 | 0 | 0 | ||||||
51.Loop2 | 0 | 0 | 0 | 0 | 0 | 0 | |||||||
52.Serialization1 | DB7.8 | 0 | 1 | 1xDB7.8 | 0 | 1 | 1xDB7.8 | 0 | 0 | ||||
53.SourceCodeSpecific1 | DB7.9 | 0 | 0 | 4 | 1xDB6.1; 3xUN | 0 | 0 | 0 | |||||
54.StartProcessWithSecret1 | DB7.10 | 0 | 0 | 0 | 1 | 1xDB7.10 | 0 | 0 | |||||
55.StaticInitialization1 | DB7.11 | 0 | 1 | 1xDB7.11 | 0 | 0 | 0 | 0 | |||||
56.StaticInitialization2 | DB7.12 | 0 | 0 | 0 | 0 | 0 | 0 | ||||||
57.StaticInitialization3 | DB7.13 | 0 | 1 | 1xDB7.13 | 0 | 0 | 0 | 0 | |||||
58.StringFormatter1 | DB7.14 | 0 | 1 | 1xDB7.14 | 0 | 1 | 1xDB7.14 | 0 | 0 | ||||
59.StringPatternMatching1 | DB7.15 | 0 | 0 | 0 | 0 | 0 | 0 | ||||||
60.StringToCharArray1 | DB7.16 | 0 | 0 | 0 | 0 | 0 | 0 | ||||||
61.StringToOutputStream1 | DB7.17 | 0 | 0 | 0 | 0 | 0 | 0 | ||||||
62.UnreachableCode | DB7.18 | 0 | 0 | 0 | 0 | 0 | 0 | ||||||
63.VirtualDispatch1 | DB7.19 | 1 | 1xDB7.19 | 0 | 1 | 1xDB7.19 | 0 | 1 | 1xUBC4 | 1 | 1xUBC4 | ||
64.VirtualDispatch2 | DB7.20 | 1 | 1xDB7.20 | 0 | 0 | 0 | 0 | 0 | |||||
65.VirtualDispatch3 | DB7.21 | 1 | 1xDB7.21 | 0 | 0 | 0 | 0 | 0 | |||||
66.ActivityCommunication1 | DB8.1 | 0 | 0 | 0 | 0 | 0 | 0 | ||||||
67.ActivityCommunication2 | DB8.2 | 0 | 1 | 1xDB8.2 | 2 | 1xDB8.2 | 0 | 0 | 0 | ||||
1xDB6.1 | |||||||||||||
68.ActivityCommunication3 | DB8.3 | 0 | 1 | 1xDB8.3 | 0 | 0 | 0 | 0 | |||||
69.ActivityCommunication4 | DB8.4 | 0 | 0 | 0 | 0 | 0 | 0 | ||||||
70.ActivityCommunication5 | DB8.5 | 0 | 0 | 0 | 0 | 0 | 0 | ||||||
71.ActivityCommunication6 | DB8.6 | 0 | 1 | 1xDB8.6 | 0 | 0 | 0 | 0 | |||||
72.ActivityCommunication7 | DB8.7 | 0 | 0 | 0 | 0 | 0 | 0 | ||||||
73.ActivityCommunication8 | DB8.8 | 0 | 1 | 1xDB8.8 | 0 | 0 | 0 | 0 | |||||
74.BroadcastTaintAndLeak1 | DB8.9 | 0 | 0 | 1 | 1xDB6.1 | 0 | 0 | 1 | 1xUN | ||||
75.ComponentNotInManifest1 | DB8.10 | 0 | 0 | 0 | 0 | 0 | 0 | ||||||
76.EventOrdering1 | DB8.11 | 0 | 1 | 1xDB8.16 | 0 | 1 | 1xDB8.16 | 0 | 0 | ||||
77.IntentSink1 | DB8.12 | 0 | 0 | 1 | 1xDB6.1 | 0 | 0 | 0 | |||||
78.IntentSink2 | DB8.13 | 0 | 0 | 1 | 1xDB6.1 | 0 | 1 | 1xUN | 0 | ||||
79.IntentSource1 | DB8.14 | 0 | 0 | 3 | 1xDB6.1; 3xUBC3 | 0 | 0 | 0 | |||||
80.ServiceCommunication1 | DB8.15 | 0 | 1 | 1xUN | 0 | 0 | 0 | 0 | |||||
81.SharedPreferences1 | DB8.16 | 0 | 1 | 1xDB8.16 | 0 | 1 | 1xDB8.16 | 0 | 0 | ||||
82.Singletons1 | DB8.17 | 0 | 0 | 0 | 1 | 1xDB8.17 | 0 | 0 | |||||
83.UnresolvableIntent1 | DB8.18 | 0 | 0 | 0 | 0 | 0 | 0 | ||||||
84.ActivityLifecycle1 | DB9.1 | 0 | 0 | 0 | 0 | 0 | 0 | ||||||
85.ActivityLifecycle2 | DB9.2 | 0 | 0 | 0 | 0 | 0 | 0 | ||||||
86.ActivityLifecycle3 | DB9.3 | 0 | 0 | 0 | 0 | 0 | 0 | ||||||
87.ActivityLifecycle4 | DB9.4 | 0 | 0 | 0 | 0 | 0 | 0 | ||||||
88.ActivitySavedState1 | DB9.5 | 0 | 1 | 1xDB9.5 | 0 | 1 | 1xDB9.5 | 1 | 1xUBC4 | 1 | 1xUBC4 | ||
89.ApplicationLifecycle1 | DB9.6 | 0 | 0 | 0 | 1 | 1xDB9.6 | 1 | 1xUBC4 | 1 | 1xUBC4 | |||
90.ApplicationLifecycle2 | DB9.7 | 0 | 0 | 0 | 1 | 1xDB9.7 | 1 | 1xUBC4 | 1 | 1xUBC4 | |||
91.ApplicationLifecycle3 | DB9.8 | 0 | 0 | 0 | 1 | 1xDB9.8 | 1 | 1xUBC4 | 1 | 1xUBC4 | |||
92.AsynchronousEventOrdering1 | DB9.9 | 0 | 0 | 0 | 0 | 1 | 1xUBC4 | 1 | 1xUBC4 | ||||
93.BroadcastReceiverLifecycle1 | DB9.10 | 0 | 1 | 1xUN | 0 | 0 | 0 | 0 | |||||
94.BroadcastReceiverLifecycle2 | DB9.11 | 0 | 1 | 1xDB9.11 | 0 | 1 | 1xDB9.11 | 0 | 0 | ||||
95.EventOrdering1 | DB9.12 | 0 | 0 | 0 | 0 | 0 | 0 | ||||||
96.FragmentLifecycle1 | DB9.13 | 0 | 0 | 0 | 0 | 1 | 1xUBC4 | 1 | 1xUBC4 | ||||
97.FragmentLifecycle2 | DB9.14 | 0 | 1 | 1xDB9.14 | 0 | 1 | 1xUN | 1 | 1xUBC4 | 0 | |||
98.ServiceLifecycle1 | DB9.15 | 0 | 1 | 1xUN | 0 | 0 | 1 | 1xUBC4 | 1 | 1xUBC4 | |||
99.ServiceLifecycle2 | DB9.16 | 0 | 0 | 0 | 0 | 1 | 1xUBC4 | 0 | |||||
100.SharedPreferenceChanged1 | DB9.17 | 0 | 1 | 1xDB9.17 | 0 | 1 | 1xDB9.17 | 1 | 1xUBC4 | 1 | 1xUBC4 | ||
101.Reflection1 | DB10.1 | 0 | 0 | 0 | 0 | 0 | 0 | ||||||
102.Reflection2 | DB10.2 | 0 | 0 | 0 | 0 | 0 | 0 | ||||||
103.Reflection3 | DB10.3 | 0 | 0 | 0 | 1 | 1xDB10.3 | 0 | 0 | |||||
104.Reflection4 | DB10.4 | 0 | 0 | 0 | 0 | 0 | 0 | ||||||
105.AsyncTask1 | DB11.1 | 0 | 0 | 0 | 0 | 1 | 1xUBC4 | 1 | 1xUBC4 | ||||
106.Executor1 | DB11.2 | 0 | 0 | 0 | 0 | 1 | 1xUBC4 | 1 | 1xUBC4 | ||||
107.JavaThread1 | DB11.3 | 0 | 0 | 0 | 0 | 1 | 1xUBC4 | 0 | |||||
108.JavaThread2 | DB11.4 | 0 | 0 | 0 | 0 | 1 | 1xUBC4 | 1 | 1xUBC4 | ||||
109.Looper1 | DB11.5 | 0 | 0 | 0 | 0 | 1 | 1xUBC4 | 1 | 1xUBC4 | ||||
ICCBench | |||||||||||||
1.icc_explicit_nosrc_nosink | ICC1.1 | 0 | 0 | 0 | 0 | NA | |||||||
2.icc_explicit_nosrc_sink | 0 | 0 | 0 | 0 | |||||||||
3.icc_explicit_src_nosink | ICC1.2 | 0 | 0 | 0 | 0 | ||||||||
4.icc_explicit_src_sink | 0 | 0 | 0 | 0 | |||||||||
5.icc_implicit_nosrc_nosink | ICC1.3 | 0 | 0 | 0 | 0 | ||||||||
6.icc_implicit_nosrc_sink | 0 | 0 | 0 | 0 | |||||||||
7.icc_implicit_src_nosink | ICC1.4 | 0 | 0 | 0 | 0 | ||||||||
8.icc_implicit_src_sink | 0 | 0 | 0 | 0 | |||||||||
9.icc_intentservice | ICC1.5 | 0 | 0 | 0 | 0 | ||||||||
10.icc_stateful | ICC1.6 | 0 | 0 | 2 | 1xDB6.1; 1xUBC3 | 0 | |||||||
11.icc_dynregister1 | ICC2.1 | 0 | 0 | 0 | 0 | ||||||||
12.icc_dynregister2 | ICC2.2 | 0 | 0 | 1 | 1xICC2.2 | 0 | |||||||
13.icc_explicit1 | ICC1.2 | 0 | 0 | 0 | 0 | ||||||||
14.icc_implicit_action | ICC1.4 | 0 | 0 | 0 | 0 | ||||||||
15.icc_implicit_category | ICC2.3 | 0 | 0 | 0 | 0 | ||||||||
16.icc_implicit_data1 | ICC2.4 | 0 | 1 | 1xICC2.4 | 0 | 0 | |||||||
17.icc_implicit_data2 | ICC2.5 | 0 | 1 | 1xICC2.5 | 0 | 0 | |||||||
18.icc_implicit_mix1 | ICC2.6 | 0 | 0 | 1 | 1xDB6.1 | 0 | |||||||
19.icc_implicit_mix2 | ICC2.7 | 0 | 0 | 0 | 0 | ||||||||
20.icc_rpc_comprehensive | ICC3.1 | 0 | 2 | 2xUN | 2 | 1xDB6.1; 1xUBC3 | 0 | ||||||
21.rpc_localservice | ICC4.1 | 0 | 1 | 1xUN | 0 | 0 | |||||||
22.rpc_messengerservice | ICC4.2 | 0 | 1 | 1xUN | 0 | 0 | |||||||
23.rpc_remoteservice | ICC4.3 | 0 | 1 | 1xUN | 0 | 0 | |||||||
24.rpc_returnsensitive | ICC4.4 | 0 | 1 | 1xUN | 0 | 0 |
We developed a set of benchmarks used in the paper, called UBCBench; you can find it HERE.