1phan/PICOSCAN

PICO Scan

PICO Scan is the Android static-analysis tool for the paper "Navigating the Privacy Compliance Maze: Understanding Risks with Privacy-Configurable Mobile SDKs." It analyzes APKs that embed privacy-configurable SDKs, or PICO SDKs, and reports risky app, SDK, and wrapper behavior around privacy APIs.

Requirements

  • JDK 11. The tool has been tested with OpenJDK 11.
  • The bundled Android platform jars under platforms/.
  • The Gradle wrapper in this repository.

On macOS, select JDK 11 with:

export JAVA_HOME=$(/usr/libexec/java_home -v 11)
export PATH="$JAVA_HOME/bin:$PATH"

Repository Layout

config/flowdroid/     FlowDroid callback, taint-wrapper, and source/sink specs
data/privacy-apis/    PICO SDK metadata and privacy API catalog
data/debug/           Saved analysis/debug traces from the paper artifact
docs/                 Paper and implementation documentation
platforms/            Android SDK platform jars used by Soot/FlowDroid
samples/apks/         Bundled APKs for reproduction and debugging
scripts/              Batch runner scripts
src/main/java/        PICO Scan code plus vendored FlowDroid/infoflow code
outputs/              Generated logs, source/sink files, and Jimple output

outputs/, build/, .gradle/, and sootOutput/ are generated and ignored. The bundled files in samples/apks/ and data/debug/ are intentionally kept in the release artifact.

Build

./gradlew clean build -x test

Run One APK

./gradlew run --args="samples/apks/com.motorola.ccc.notification.apk"

The CLI runs the full PICO analysis pipeline by default:

  1. Load the PICO SDK/privacy API metadata from data/privacy-apis/.
  2. Build and post-process the app call graph with Soot.
  3. Run the detector sequence: PrivacyLandscape, APIDisconnection, MissingConfiguration, UnevenPrivacySupport, PrivacyAPITracking, HardCodeConfiguration, and a final API-disconnection post-analysis.

Full analysis can take several minutes per APK. Large or heavily obfuscated APKs can take longer.

Run A Batch

Create a text file with one APK path per line, then run:

PICO_TIMEOUT=7200 scripts/run_tool.sh apk_paths.txt

PICO_TIMEOUT is in seconds. Batch logs are written to outputs/logs/.

Sample APKs

The release includes three APKs from the original artifact:

samples/apks/com.SNG.Pool.Billiard.apk
samples/apks/com.motorola.ccc.notification.apk
samples/apks/yifan.apk

For example:

./gradlew run --args="samples/apks/com.motorola.ccc.notification.apk"

Output

Detector findings are logged as JSON objects with a FlawType field. Common values include:

  • SDKInApp
  • PrivacyAPILocation
  • SDKConnectionRough
  • SDKConnectionStrict
  • MissingConfiguration
  • UnevenPrivacySupport
  • APIDisconnection
  • PotentialDiffusedDelegation
  • HardCodeConfiguration
  • ForDynamicAnalysisHookValue
  • CrossPrivacyAPIOverride

The analysis also logs timing markers such as #STEP# PrivacyLandscape and #FINISH# Analysis. These markers are useful for confirming that the full pipeline ran.
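
A log triage helper for the output described above, added here as an example and not part of PICO Scan itself: it tallies findings by FlawType and uses the #FINISH# Analysis marker to tell a complete run from one cut short (for example by PICO_TIMEOUT). It assumes each finding is a single-line JSON object that may follow a logger prefix; the sample lines and every field other than FlawType are constructed.

```python
import json
from collections import Counter

# Constructed sample log. The timestamp/level prefix and all JSON fields other
# than FlawType are assumptions, not PICO Scan's documented output format.
SAMPLE_LOG = """\
12:00:01 INFO #STEP# PrivacyLandscape
12:00:02 INFO {"FlawType": "SDKInApp", "sdk": "example-sdk"}
12:00:09 INFO {"FlawType": "HardCodeConfiguration", "note": "value {braces} in string"}
12:00:10 WARN not a finding {broken json
12:00:11 INFO {"FlawType": "HardCodeConfiguration"}
12:00:12 INFO {"unrelated": true}
12:00:15 INFO #FINISH# Analysis
"""

def extract_findings(text):
    """Return every JSON object in the log text that carries a FlawType field."""
    decoder = json.JSONDecoder()
    findings = []
    for line in text.splitlines():
        start = line.find("{")
        while start != -1:
            try:
                # raw_decode parses one JSON value at `start`, ignoring trailing text
                obj, end = decoder.raw_decode(line, start)
            except json.JSONDecodeError:
                start = line.find("{", start + 1)  # not JSON here, try next brace
                continue
            if isinstance(obj, dict) and "FlawType" in obj:
                findings.append(obj)
            start = line.find("{", end)
    return findings

def summarize(text):
    """Summarize one run: completion status, steps seen, findings per FlawType."""
    lines = text.splitlines()
    return {
        "complete": "#FINISH# Analysis" in text,
        "steps": [l.split("#STEP#", 1)[1].strip() for l in lines if "#STEP#" in l],
        "counts": dict(Counter(f["FlawType"] for f in extract_findings(text))),
    }

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

A run whose summary has "complete" set to false should be treated as partial: a missing FlawType in its counts does not mean the detector found nothing.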

Debug Data

data/debug/ preserves saved traces that are useful for understanding and debugging the artifact:

data/debug/entryPoints.txt
data/debug/reachable_methods.txt
data/debug/applovin_gdpr_dataflow.txt

See docs/implementation.md for the design and code-level guide.
