Applications installed on user devices, such as mobile devices and smart phones, have access to many different categories of private information that reside on those devices. Such private information includes, but is not limited to, the unique device ID, current geographical location, calendar events, contacts and other data. Furthermore, the applications may receive security-sensitive information as input, including user IDs and passwords, as well as credit-card, social-security and bank-account numbers. Guaranteeing that this private data is not exposed to unintended observers is an essential security requirement. Application providers are encouraged to test their applications thoroughly and to use static and dynamic program analysis tools in order to discover leakage of private data.
Unfortunately, using such tools effectively may be challenging when dealing with issues related to confidentiality. For example, in many applications, only a small portion of the private data on the user device is accessed using well-known standard libraries. Using an out-of-the-box configuration of a program analysis tool may indeed help in detecting leakage of such data. However, commercial and enterprise applications often utilize large amounts of application-specific private data, such as user IDs and passwords, health records, credit-card numbers, bank-account numbers and social-security numbers.
The default configuration of a program-analysis tool is likely to miss the unauthorized release of custom sensitive data. On the other hand, configuring these tools to detect application-specific data leakage is a non-trivial task, which may require accessing the source code of the application to infer the specific program points through which private data enters the application. In order to perform this advanced configuration, an entity verifying the security of the application not only has to be versed in application security, but must also be intimately familiar with the application's source code and functionality.
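The gap between a default and an application-specific source configuration can be seen in a small taint analysis. The following is an added example, not part of the original text or of any real tool; the program, the source and sink lists, and every API name in it (`getDeviceId`, `readPasswordField`, `loadCardNumber`, `httpPost`, `writeLog`) are constructed assumptions.

```python
# Added illustration: forward taint tracking over a constructed straight-line
# program. All function names are hypothetical, not a real tool's rule set.

# Sources a tool might know out of the box (well-known library APIs).
DEFAULT_SOURCES = {"getDeviceId", "getLastKnownLocation"}
# Application-specific entry points that only someone who knows the code can list.
CUSTOM_SOURCES = {"readPasswordField", "loadCardNumber"}
SINKS = {"httpPost", "writeLog"}

# Each statement: (assigned variable or None, called function, argument variables)
PROGRAM = [
    ("dev",  "getDeviceId",       []),
    ("pw",   "readPasswordField", []),
    ("card", "loadCardNumber",    []),
    ("msg",  "concat",            ["dev", "pw"]),
    (None,   "httpPost",          ["msg"]),
    (None,   "writeLog",          ["card"]),
]

def find_leaks(program, sources, sinks=SINKS):
    """Return (statement index, sink, originating source) for each tainted flow."""
    tainted = {}  # variable -> set of source functions whose data it carries
    leaks = []
    for index, (target, func, args) in enumerate(program):
        # Union of the taint carried by every argument of this call.
        incoming = set()
        for arg in args:
            incoming |= tainted.get(arg, set())
        if func in sinks:
            leaks.extend((index, func, origin) for origin in sorted(incoming))
            continue
        # A source call introduces new taint; any other call propagates its inputs.
        result = {func} if func in sources else incoming
        if target is not None:
            tainted[target] = result
    return leaks

def missed_by_default(program):
    """Flows reported only once the application-specific sources are configured."""
    default_report = find_leaks(program, DEFAULT_SOURCES)
    full_report = find_leaks(program, DEFAULT_SOURCES | CUSTOM_SOURCES)
    return [leak for leak in full_report if leak not in default_report]

if __name__ == "__main__":
    print("default config:", find_leaks(PROGRAM, DEFAULT_SOURCES))
    print("missed by default:", missed_by_default(PROGRAM))
```

With only the default sources, the password and card-number flows go unreported even though they reach the same sinks as the device ID.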