Implementation and Evaluation of a Module for Type-based Information-Flow 
Analysis of Multi-threaded Android Programs


Nowadays, mobile devices have become more popular than ever before. This 
popularity is also the reason of constantly new security threats. In the 
case of Android, a device stores a lot of user specific information, e.g., 
contacts, calendar entries or the device's location. So, a major threat 
results from applications that expose private user data. Unfortunately, 
Android provides no functionalities for controlling or checking how 
private data is used by an application. The MAIS chair of TU Darmstadt 
addresses these shortcomings with a framework named A Certifying App 
Store. This framework is able to analyze if an application leaks data 
the user considers as private. Therefore, the application's bytecode is 
analyzed with regard to its information-flow. The certifying app store, 
however, focuses only on the security of single-threaded Android programs. 
In contrast, this thesis reveals that Android programs commonly use multi-
threading. Moreover, three small but realistic example applications are 
given to demonstrate how Android's multi-threading mechanism can introduce 
additional insecurities in programs. Motivated by these discoveries, the 
certifying app store is extended with a module for the security analysis 
of multi-threaded Android programs. Concluding, the implemented module 
is evaluated with the implemented example applications and secure versions 
of them. This evaluation shows that the implemented module is able to 
detect information leaks and to certify secure programs.