Saturday, December 4, 2010

[android-developers] Re: Getting information about external applications used by one particular application

On Dec 4, 4:26 pm, guillaume benats <guillaume.ben...@gmail.com>
wrote:

> Yes I agree, but my point is not to complete all the weaknesses of Android
> in terms of privacy. I have made with some colleagues a dependency-aware
> privacy management model for mobile applications. And I'd like to focus on
> those dependencies so I'd like to use that kind of tool to make some
> observations, not to build anything.

The problem is that those tools are not able to show you dependencies
that someone is going to any real effort to hide.

I spent some time looking at TaintDroid earlier today, and it appears
it has no ability to handle native code. It has some pre-solved
concept of what the platform libs do in terms of taint propagation,
but can't monitor native code shipped in applications - which turns
out to be a not-very-complicated way to intercept and modify the VM's
communication with Binder.

Also, a run-time analysis tool can only show you dependencies that
have occurred during testing, not all that could in other conditions.
If something of potential concern doesn't happen until the app has
been installed for a while, or doesn't happen if the md5sum of some
system file is not as expected (remember TaintDroid is a modified
Android platform), it may never detect the possibility that it could
occur.
