A simplified explanation of taint analysis is a which program which tests all variables, flagging ones that can be written to by user input, and follows these variables to see where they are accessed and sent by the system. Take this overly simplified program for changing a password written in python:
correct = "Hello World"
password = input("Password: ")
if password == correct:
new_password = input("New Password: ")
correct = new_password
Taint analysis would, of course, flag the variables, password, and new_password, as these are both tied directly to an input() function. As well as those, the analysis will also flag correct once line 5 is run as it has now been assigned to the already tainted variable new_password. This type of analysis is extremely useful in determining the flow of user data in applications, allowing users to see if their data stays secure and private.
Now, why exactly is taint analysis so important for Android in particular? Android is the most popular mobile device platform on the market, which, as such, makes it the most important to monitor, as potential data security issues on the platform would affect more people than its competitors.
Furthermore, with Android being open source, anyone can publish an application that the user could, in turn, install to their phone. This means trojan malware could be posted to third party app stores by bad actors which could be used to steal user’s data via exploits. These trojans were even common on the Google Play Store before April 2019, when Google began reviewing submissions before publication.
One example of an exploit that was detectable by taint analysis was detailed by the creators of the analysis system DroidInfer, in their paper about the development of the said system. ‘Until Android 4.0 any app that held the READ_LOGS permission could read all logs’, meaning any application saving personal data to a log for easy retrieval, was unintentionally broadcasting that data to other apps on the operating system.
As such, any trojan application installed on the system with the permission READ_LOGS could, in turn, distribute all logs to bad actors. This is where taint analysis proves itself useful. By keeping track of all user inputted data on the system it can where that data flowed, identifying the apps that either unintentionally or maliciously leaked data to logs, as well as identifying apps that flowed logged data to the Internet. This allowed for accurate identification of both malware and poorly secured apps.
Taint analysis systems granting the user the ability to practically audit an app without actively analysing the source code helps improving overall security on Android. It is, thus, imperative that these systems stay supported on the platform and are given adequate upgrades and improvements when necessary.
ily's Blog 