Correctness verification of static taint analysis results for Android application
QIN Biao, GUO Fan, TU Fengtao
Journal of Computer Applications    2019, 39 (10): 3018-3027.   DOI: 10.11772/j.issn.1001-9081.2019040644
Many false positives are generated when static taint analysis is used to detect potential privacy-leak bugs in an Android application. To address this, a context-sensitive, path-sensitive and field-sensitive semi-automatic analysis method was proposed to verify whether a potential bug is a true positive by traversing only a few executable paths. Firstly, a seed Trace covering both Source and Sink was obtained manually by running the instrumented application. Then, a Trace-based taint analysis method was used to verify whether there was a taint propagation path in the Trace. If there was a taint propagation path, it meant a real privacy-leak bug existed. If not, the condition set and taint information of the Trace were further collected, and by combining live-variable analysis with a program transformation approach based on conditional inversion, a constraint selection policy was designed to prune most executable paths irrelevant to taint propagation. Finally, the remaining executable paths were traversed and the corresponding Traces were analyzed to verify whether the bug was a false positive. Seventy-five applications of DroidBench and ten real applications were tested by a prototype system implemented on FlowDroid. Results show that, on average, only 15.09% of paths are traversed in each application and the false positive rate decreases by 58.17%. Experimental results demonstrate that the analysis can effectively reduce the false positives generated by static taint analysis.
Object-based dynamic taint analysis for J2EE program
ZENG Xiangfei, GUO Fan, TU Fengtao
Journal of Computer Applications    2015, 35 (8): 2386-2391.   DOI: 10.11772/j.issn.1001-9081.2015.08.2386

Injection vulnerabilities of Web applications, such as SQL injection and Cross-Site Scripting (XSS), are mainly caused by external inputs that are not verified, and taint analysis can effectively locate these vulnerabilities. A dynamic analysis approach was presented that tracks all potentially tainted Java objects, which differs from existing approaches that track only characters or string objects. The approach used the hash code to represent the tainted object, defined the method node and method coordinates to record the location of taint propagation, and supported tracing the taint propagation path. The approach put forward a specific taint propagation analysis for stream-family objects according to the decorator pattern of Java stream objects. A language specification was also given to model Java libraries and user-defined methods related to taint propagation. The approach designed and formalized the taint propagation semantics of the methods according to their classification into taint introduction, taint propagation, taint sanitization and taint usage. The prototype system, implemented on SOOT, used static analysis to collect reachable methods and instrumented the Java bytecode of real Web sites, and the experimental results demonstrated its effect in detecting injection vulnerabilities.
