Comparing accuracy and performance of the state-of-art static taint analysis tools for Android applications

There are numerous static analysis techniques for identifying information flows in mobile applications. These techniques are compared to each other, usually on a set of syntactic benchmarks. Yet, configurations used for such comparisons are rarely described. Our investigation shows that tools are often compared under different setup, rendering the comparisons irreproducible and largely inaccurate.

In this project, we provided a large, controlled, and independent comparison of the three most prominent static analysis tools: FlowDroid combined with IccTA, AmanDroid, and DroidSafe. We evaluated all tools using common configuration setup and the same set of benchmark applications. We compared the results of our analysis to the results reported in previous studies, identified main reasons for inaccuracy in existing tools, and provided suggestions for future research.

This is collaboration work with Lina Qiu and my supervisor, Prof. Julia Rubin. It is published as the paper Analyzing the analyzers: FlowDroid/IccTA, AmanDroid, and DroidSafe in ISSTA 2018.