Google Play Apps
Login scenario
Distribution of API levels
We downloaded the top 100 apps from each of the 58 free app categories in the Canadian Google Play Store as of December 2019, arriving at 5,569 apps. The following table lists the distribution of API levels of these Google Play apps.
We did not find any app of API level 6 or below, so these API levels are omitted from the table. In addition, there are 14 apps whose API levels we could not extract.
API Level | # of apps at this level (%) | # of apps at or below this level (%) |
---|---|---|
7 | 2 (0.04%) | 2 (0.04%) |
8 | 1 (0.02%) | 3 (0.05%) |
9 | 2 (0.04%) | 5 (0.09%) |
10 | 1 (0.02%) | 6 (0.11%) |
11 | 0 (0.00%) | 6 (0.11%) |
12 | 0 (0.00%) | 6 (0.11%) |
13 | 1 (0.02%) | 7 (0.13%) |
14 | 6 (0.11%) | 13 (0.23%) |
15 | 0 (0.00%) | 13 (0.23%) |
16 | 3 (0.05%) | 16 (0.29%) |
17 | 3 (0.05%) | 19 (0.34%) |
18 | 1 (0.02%) | 20 (0.36%) |
19 | 9 (0.16%) | 29 (0.52%) |
20 | 0 (0.00%) | 29 (0.52%) |
21 | 14 (0.25%) | 43 (0.77%) |
22 | 27 (0.48%) | 70 (1.26%) |
23 | 41 (0.74%) | 111 (1.99%) |
24 | 23 (0.41%) | 134 (2.41%) |
25 | 54 (0.97%) | 188 (3.38%) |
26 | 439 (7.88%) | 627 (11.26%) |
27 | 342 (6.14%) | 969 (17.40%) |
28 | 3802 (68.27%) | 4771 (85.67%) |
29 | 782 (14.04%) | 5553 (99.71%) |
30 | 2 (0.04%) | 5555 (99.75%) |
Unknown | 14 (0.25%) | NA |
The first step of our Google Play apps selection is to keep apps of API level 25 or below. This selection resulted in 188 apps.
Login Identification
After retrieving the API level of each app, we kept apps of API level 25 or below. This selection resulted in 188 apps. We then executed every app on a device for 20 minutes and checked whether the app contains any authentication functionality. We confirmed a reliable authentication mechanism in 51 out of 188 apps.
In this section, we list all 51 apps with a reliable authentication mechanism. We also provide the type of login functionality we identified in each app.
The following table consists of these columns:
- APILevel: The API level of an app. We sorted all the apps by their API levels, from the smallest one to the largest one.
- AppName: The full package name of the app.
- Category: On Google Play Store, apps are categorized into 58 categories, e.g., AUTO_AND_VEHICLES, BOOKS_AND_REFERENCE. We list the category of an app on Google Play Store in this column. An app may belong to multiple categories, e.g., com.facebook.katana belongs to both the APPLICATION and SOCIAL categories. We confirmed that the APKs from different categories with the same app name are identical.
- LoginType: What type of login functionality we identified from each app. There are mainly two types of login:
  - Traditional: Login functionality is not delegated to third-party OAuth service providers.
  - OAuth (including Google Sign In, Facebook Login and Weibo): Login functionality is delegated to third-party OAuth service providers.
- Included/Excluded: Whether we included or excluded an app. For apps that are excluded, we also provided the reason in parentheses.
APILevel | AppName | Category | LoginType | Included/Excluded |
---|---|---|---|---|
14 | com.echangecadeaux | SOCIAL | Traditional | ✓ |
16 | lagamerie.nope | GAME_TRIVIA | Google Sign In | ✗ (OAuth) |
17 | com.rtp.livepass.android | SPORTS | Traditional | ✓ |
19 | com.tripadvisor.tripadvisor | TRAVEL_AND_LOCAL | Traditional, Google Sign In, Facebook Login | ✓ |
21 | ca.intact.mydrivingdiscount | FINANCE | Traditional | ✓ |
21 | com.asiandate | SOCIAL | Traditional | ✓ |
21 | com.facebook.katana | APPLICATION, SOCIAL | Traditional | ✗ (Highly obfuscated) |
21 | com.facebook.orca | ANDROID_WEAR, APPLICATION, COMMUNICATION | Traditional | ✗ (Highly obfuscated) |
22 | ca.passportparking.mobile.passportcanada | MAPS_AND_NAVIGATION | Traditional | ✓ |
22 | com.aldiko.android | BOOKS_AND_REFERENCE | Traditional | ✓ |
22 | com.aldiko.classic | BOOKS_AND_REFERENCE | Traditional | ✓ |
22 | com.ninjakiwi.monkeycity | GAME_STRATEGY | Google Sign In | ✗ (OAuth) |
22 | com.passportparking.mobile.parkvictoria | MAPS_AND_NAVIGATION | Traditional | ✓ |
22 | com.passportparking.mobile.toronto | MAPS_AND_NAVIGATION | Traditional | ✓ |
22 | tc.tc.scsm.phonegap | TOOLS | Traditional | ✓ |
23 | co.adultfnder.android | DATING | Traditional | ✗ (WebView) |
23 | com.distinctivegames.hockey2016 | GAME_SPORTS | Google Sign In | ✗ (OAuth) |
23 | com.giantssoftware.fs14 | FAMILY, FAMILY_EDUCATION, GAME_SIMULATION | Google Sign In | ✗ (OAuth) |
23 | com.luckyslots.slotcircus | GAME_CASINO | Facebook Login | ✗ (OAuth) |
23 | com.onetapsolutions.morneau.activity | HEALTH_AND_FITNESS | Traditional | ✓ |
23 | com.superluckycasino.billionaire.slots.vegas.android.free | GAME_CASINO | Facebook Login | ✗ (OAuth) |
23 | com.superluckycasino.doubleup.slots.vegas.android.free | GAME_CASINO | Facebook Login | ✗ (OAuth) |
23 | com.superluckycasino.fortunespin.slots.vegas.android.free | GAME_BOARD | Facebook Login | ✗ (OAuth) |
23 | com.superluckycasino.getrich.slots.vegas.android.free | GAME_CARD | Facebook Login | ✗ (OAuth) |
23 | com.undergroundcreative.superstarbandmanager | GAME_MUSIC | Traditional | ✗ (WebView) |
23 | es.socialpoint.dragonland | GAME_ADVENTURE | Google Sign In, Facebook Login | ✗ (OAuth) |
23 | net.fieldwire.app | BUSINESS | Traditional | ✓ |
24 | com.ackroo.mrgas | AUTO_AND_VEHICLES | Traditional | ✓ |
24 | com.adobe.adobephotoshopfix | PHOTOGRAPHY | Traditional | ✗ (WebView) |
24 | com.andromo.dev601172.app653895 | HOUSE_AND_HOME | Traditional | ✗ (WebView) |
24 | com.robtopx.geometrydashmeltdown | GAME_ARCADE | Traditional | ✗ (Unity) |
24 | com.robtopx.geometrydashsubzero | GAME_ARCADE | Traditional | ✗ (Unity) |
24 | com.robtopx.geometrydashworld | GAME_ARCADE | Traditional | ✗ (Unity) |
24 | com.robtopx.geometryjumplite | GAME_ARCADE | Traditional | ✗ (Unity) |
24 | com.zuuks.city.driving | GAME_RACING | Google Sign In, Facebook Login | ✗ (OAuth) |
25 | com.adobe.photoshopmix | PHOTOGRAPHY | Traditional | ✗ (WebView) |
25 | com.adobe.reader | APPLICATION, PRODUCTIVITY | Traditional | ✗ (WebView) |
25 | com.airbnb.android | TRAVEL_AND_LOCAL | Traditional, Google Sign In, Facebook Login | ✓ |
25 | com.bonusxp.legend | GAME_ADVENTURE | Google Sign In | ✗ (OAuth) |
25 | com.bose.gd.events | EVENTS | Traditional | ✓ |
25 | com.eggheadgames.quicklogicproblems | FAMILY_BRAINGAMES | Facebook Login | ✗ (OAuth) |
25 | com.instagram.android | APPLICATION, SOCIAL | Traditional, Facebook Login | ✗ (Highly obfuscated) |
25 | com.kolesnik.pregnancy | PARENTING | Google Sign In | ✗ (OAuth) |
25 | com.ludia.tmnt | GAME_ROLE_PLAYING | Google Sign In | ✗ (OAuth) |
25 | com.monclubsportif.monclubsportif | SPORTS | Traditional | ✗ (WebView) |
25 | com.phonehalo.itemtracker | PRODUCTIVITY | Traditional | ✓ |
25 | com.reludo.shootingrangechallenge | GAME_SPORTS | Google Sign In, Facebook Login | ✗ (OAuth) |
25 | com.snow_trails | AUTO_AND_VEHICLES | Traditional | ✗ (React Native) |
25 | com.viagogo.consumer.viagogo.playstore | EVENTS | Traditional, Facebook Login | ✓ |
25 | com.yelp.android | TRAVEL_AND_LOCAL | Traditional, Google Sign In, Facebook Login | ✓ |
25 | onxmaps.hunt | SPORTS | Traditional, Facebook Login | ✓ |
Our final app selection consists of 20 Google Play apps.
Sources and sinks
We provided the list of sources and sinks we used for login-related Google Play apps (SS-GPL) in Section 3.4.2 (Table 6) of our paper.
Spyware scenario
Sources and sinks
We provided the list of sources and sinks we used for spyware Google Play apps (SS-GPS) in Section 3.4.2 (Table 7) of our paper.
Overall selected apps and expected results
This section contains (1) a package containing the 26 Google Play apps (login-related and spyware) that we used in our study, with details of the expected flows, and (2) a table with information about these Google Play apps and the number of expected flows (ground truth) we identified.
All selected apps and the corresponding expected results can be downloaded here. To reduce the size of this package, we did not include the decompiled source code of each app. However, the decompiler Jadx v1.0.0 is provided here.
Expected results are stored in docx files, where we highlighted the source and sink methods as well as which variables are tainted in each statement. For example, for the following code snippet:
1 package ubc.junbin;
2 class clz {
3 String a = source(); // source
4 String b = a;
5 sink(b); // sink
6 }
We present the expected results as:
// expected source and sink are put at the top of a flow
Expected source: source()
Expected sink: sink()
> ubc.junbin.clz: // the class to locate statements
L3: String a = source();
L4: String b = a;
L5: sink(b);
We also provide a set of csv files that can be easily parsed automatically. Each csv file contains an expected flow. For example, for the above code snippet, the csv file may look like the following. The names of Class, LineID, and Line are extracted using Soot v3.3.0.
ID | Class | LineID | Line |
---|---|---|---|
0 | ubc.junbin.clz | L3 | $r2 = virtualinvoke $r1.<ubc.junbin.clz: java.lang.String source()>(); |
1 | ubc.junbin.clz | L4 | $r3 = $r2; |
2 | ubc.junbin.clz | L5 | virtualinvoke $r1.<ubc.junbin.clz: void sink()>($r3); |
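One way to consume these per-flow csv files when scoring a tool, as an added example that is not part of the original page or the authors' tooling: it loads a flow, orders the steps by ID, extracts the source and sink signatures from the first and last Jimple statements, and checks them against the pairs a tool reported. It assumes comma-separated files with the header row ID,Class,LineID,Line and tool output already reduced to (source, sink) pairs of Soot signatures; all function names are hypothetical.

```python
import csv
import io
import re

# Constructed sample: the page's example flow as comma-separated text, rows
# deliberately out of order. Header row and delimiter are assumptions.
SAMPLE_CSV = """ID,Class,LineID,Line
1,ubc.junbin.clz,L4,$r3 = $r2;
0,ubc.junbin.clz,L3,$r2 = virtualinvoke $r1.<ubc.junbin.clz: java.lang.String source()>();
2,ubc.junbin.clz,L5,virtualinvoke $r1.<ubc.junbin.clz: void sink()>($r3);
"""

# Soot method signature: <declaring.Class: return.Type name(param.Types)>
SOOT_SIG = re.compile(r"<[^:<>\s]+: \S+ [^\s(]+\([^)]*\)>")


def load_expected_flow(text):
    """Return the flow's steps ordered by ID; reject empty, gapped or duplicate IDs."""
    rows = sorted(csv.DictReader(io.StringIO(text)), key=lambda r: int(r["ID"]))
    ids = [int(r["ID"]) for r in rows]
    if not rows or ids != list(range(len(rows))):
        raise ValueError(f"step IDs must run 0..n-1 without gaps, got {ids}")
    return rows


def invoked_signature(jimple_line):
    """Return the Soot signature invoked by a Jimple statement, or None."""
    match = SOOT_SIG.search(jimple_line)
    return match.group(0) if match else None


def endpoints(steps):
    """The first step must call the source and the last step the sink."""
    source = invoked_signature(steps[0]["Line"])
    sink = invoked_signature(steps[-1]["Line"])
    if source is None or sink is None:
        raise ValueError("flow does not start and end with a method call")
    return source, sink


def is_detected(steps, reported_pairs):
    """True if a tool-reported (source, sink) pair matches the expected flow."""
    return endpoints(steps) in {tuple(pair) for pair in reported_pairs}


if __name__ == "__main__":
    flow = load_expected_flow(SAMPLE_CSV)
    print([step["LineID"] for step in flow], endpoints(flow))
```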
The following table presents detailed information about these 26 selected apps. It consists of these columns:
- APILevel: The API level of an app. We sorted all the apps by their API levels, from the smallest one to the largest one.
- AppID: We numbered all Google Play apps we used, from 1 to 26, following the order of “APILevel”.
- AppName: The full package name of the app.
- Number of component(s): The number of Android components declared in the manifest file of an app.
- Number of expected flow(s): The number of expected flows.
APILevel | AppID | AppName | DEXSize (MB) | # of component(s) | # of expected flow(s) |
---|---|---|---|---|---|
Login-related Google Play Apps | | | | | |
14 | 1 | com.echangecadeaux | 3.0 | 31 | 1 |
17 | 2 | com.rtp.livepass.android | 6.4 | 57 | 1 |
19 | 3 | com.tripadvisor.tripadvisor | 5.3 | 79 | 1 |
21 | 4 | ca.intact.mydrivingdiscount | 8.8 | 42 | 1 |
21 | 5 | com.asiandate | 8.4 | 39 | 1 |
22 | 6 | ca.passportparking.mobile.passportcanada | 14.0 | 134 | 1 |
22 | 7 | com.aldiko.android | 9.5 | 78 | 1 |
22 | 8 | com.passportparking.mobile.parkvictoria | 14.7 | 137 | 1 |
22 | 9 | com.passportparking.mobile.toronto | 14.1 | 134 | 1 |
22 | 10 | tc.tc.scsm.phonegap | 10.0 | 116 | 1 |
23 | 11 | com.onetapsolutions.morneau.activity | 10.2 | 101 | 1 |
23 | 12 | net.fieldwire.app | 9.8 | 28 | 1 |
24 | 13 | com.ackroo.mrgas | 5.2 | 18 | 15 |
25 | 14 | com.airbnb.android | 65.4 | 235 | 1 |
25 | 15 | com.bose.gd.events | 15.1 | 157 | 1 |
25 | 16 | com.phonehalo.itemtracker | 16.7 | 85 | 3 |
25 | 17 | com.viagogo.consumer.viagogo.playstore | 13.4 | 20 | 1 |
25 | 18 | com.yelp.android | 20.5 | 314 | 1 |
25 | 19 | onxmaps.hunt | 11.2 | 58 | 1 |
Spyware Google Play Apps | | | | | |
21 | 20 | com.mobistartapp.flashlight | 4.4 | 57 | 7 |
21 | 21 | com.monitor.phone.s0ft.phonemonitor | 0.7 | 7 | 12 |
23 | 22 | com.mobistartapp.win7imulator | 3.9 | 30 | 3 |
25 | 23 | com.mobistartapp.windows7launcher | 4.6 | 77 | 11 |
25 | 24 | com.tassaly.flappybird | 5.7 | 65 | 7 |
25 | 25 | ma.coderoute.hzpermispro | 5.2 | 92 | 7 |
Min | | | 0.7 | 7 | |
Max | | | 65.4 | 314 | |
Mean | | | 11.4 | 88 | |
Median | | | 9.5 | 77 | |
Sources of failures
Our analysis results can be downloaded here. Our manual inspection results about sources of failures on Google Play apps (both login-related ones and spyware) can be found in Section 5.3 (Table 12) of our paper.
Execution time and memory consumption
In the following table, we list in detail the execution time (in minutes) of each tool on Google Play apps.
The following table consists of these columns:
- AppID and AppName: These two columns identify the benchmarks, matching AppID and AppName in the table under Overall selected apps and expected results.
- The remaining columns report the results of the studied tools. We list details about the execution time of each tool.
AppID | AppName | FlowDroid v2.7.1 | DroidRA + FlowDroid v2.7.1 | DroidRA Instrumentation |
---|---|---|---|---|
Login-related Google Play Apps | | | | |
1 | com.echangecadeaux | (EX) | (EX) | 1 |
2 | com.rtp.livepass.android | (EX) | (EX) | 169 |
3 | com.tripadvisor.tripadvisor | 279 | (EX) | (EX) |
4 | ca.intact.mydrivingdiscount | 80 | (EX) | 3 |
5 | com.asiandate | (EX) | (EX) | 88 |
6 | ca.passportparking.mobile.passportcanada | 1213 | (EX) | 3 |
7 | com.aldiko.android | (EX) | (EX) | (EX) |
8 | com.passportparking.mobile.parkvictoria | (EX) | (EX) | 2 |
9 | com.passportparking.mobile.toronto | 73 | (EX) | 2 |
10 | tc.tc.scsm.phonegap | 412 | 413 | 3 |
11 | com.onetapsolutions.morneau.activity | 4 | 4 | 2 |
12 | net.fieldwire.app | (EX) | (EX) | 4 |
13 | com.ackroo.mrgas | 2 | 2 | 3 |
14 | com.airbnb.android | (EX) | (EX) | 9 |
15 | com.bose.gd.events | 276 | 276 | 36 |
16 | com.phonehalo.itemtracker | (EX) | (EX) | 3 |
17 | com.viagogo.consumer.viagogo.playstore | 2 | (EX) | (EX) |
18 | com.yelp.android | (EX) | (EX) | 3 |
19 | onxmaps.hunt | (EX) | (EX) | (EX) |
Spyware Google Play Apps | | | | |
20 | com.mobistartapp.flashlight | 2 | (EX) | (EX) |
21 | com.monitor.phone.s0ft.phonemonitor | 1 | 1 | 3 |
22 | com.mobistartapp.win7imulator | 18 | (EX) | (EX) |
23 | com.mobistartapp.windows7launcher | 2 | 1 | 6 |
24 | com.tassaly.flappybird | (OOM) | (OOM) | 6 |
25 | ma.coderoute.hzpermispro | 3 | 4 | 7 |
Min | | 1 | 1 | 1 |
Max | | 1213 | 413 | 169 |
Mean | | 169 | 100 | 19 |
Median | | 11 | 4 | 3 |
In the following table, we list in detail the memory consumption (in MB) of each tool on Google Play apps. This table has the same two main parts as the execution time table above, with the second part reporting memory consumption.
AppID | AppName | FlowDroid v2.7.1 | DroidRA + FlowDroid v2.7.1 | DroidRA Instrumentation |
---|---|---|---|---|
Login-related Google Play Apps | | | | |
1 | com.echangecadeaux | (EX) | (EX) | 24301 |
2 | com.rtp.livepass.android | (EX) | (EX) | 25820 |
3 | com.tripadvisor.tripadvisor | 18355 | (EX) | (EX) |
4 | ca.intact.mydrivingdiscount | 989 | (EX) | 27309 |
5 | com.asiandate | (EX) | (EX) | 27954 |
6 | ca.passportparking.mobile.passportcanada | 5804 | (EX) | 27867 |
7 | com.aldiko.android | (EX) | (EX) | (EX) |
8 | com.passportparking.mobile.parkvictoria | (EX) | (EX) | 28034 |
9 | com.passportparking.mobile.toronto | 7209 | (EX) | 28674 |
10 | tc.tc.scsm.phonegap | 1825 | 5766 | 27020 |
11 | com.onetapsolutions.morneau.activity | 1792 | 4255 | 25205 |
12 | net.fieldwire.app | (EX) | (EX) | 29023 |
13 | com.ackroo.mrgas | 986 | 1127 | 23934 |
14 | com.airbnb.android | (EX) | (EX) | 30102 |
15 | com.bose.gd.events | 1284 | 2561 | 37676 |
16 | com.phonehalo.itemtracker | (EX) | (EX) | 27326 |
17 | com.viagogo.consumer.viagogo.playstore | 977 | (EX) | (EX) |
18 | com.yelp.android | (EX) | (EX) | 28423 |
19 | onxmaps.hunt | (EX) | (EX) | (EX) |
Spyware Google Play Apps | | | | |
20 | com.mobistartapp.flashlight | 617 | (EX) | (EX) |
21 | com.monitor.phone.s0ft.phonemonitor | 137 | 190 | 21814 |
22 | com.mobistartapp.win7imulator | 23764 | (EX) | (EX) |
23 | com.mobistartapp.windows7launcher | 518 | 517 | 26059 |
24 | com.tassaly.flappybird | (OOM) | (OOM) | 27348 |
25 | ma.coderoute.hzpermispro | 3359 | 2993 | 30332 |
Min | | 137 | 190 | 21814 |
Max | | 23764 | 5766 | 37676 |
Mean | | 4830 | 2487 | 27591 |
Median | | 1538 | 2561 | 27348 |