A Simulation Environment for Security Evaluation of Android Applications

Activity: Examination typesExamination


Detection of unauthorized disclosure is still an open problem. Taint tracking is one effective approach to detect information disclosure attacks. In this Thesis, we give an overview of existing dynamic taint tracking systems for Android, discuss them an identify their shortcomings.
We will present a novel solution for the identified shortcomings of existing dynamic taint tracking systems. For that purpose, we have developed a simulation environment concept called Simulacron.
In Simulacron, we change the analysis paradigm of existing dynamic taint-tracking approaches and thereby improve the security level of applications for mobile devices. Instead of running the security analysis on the mobile device, we precede the security analysis in a simulation environment before the application is used on a real mobile device.
Since the evaluated security level of an application can change over time, we figured, that there is a need for inexpensive test reruns to check if the security level of the application has changed. Therefore, a test run in Simulacron can be recorded and replayed automatically as often as required. To maximize the usefulness of replayed test runs, Simulacron supports degrees of freedom to allow test reruns with changed configurations or software versions.
To determine a changed security level of an application, Simulacron supports the user with a graph representation of the differences from two test runs. The graph can be simplified by completely hiding certain analysis data categories.
The Simulacron concept also enables the user, to change the analysis abstraction layer. Existing dynamic taint tracking systems cannot be adopted to the users needs. For example, in the most common system TaintDroid, the user can only activate and deactivate the system. Other similar security systems offer either low-level analysis (e.g. based on manual source code analysis) or high-level analysis (automated tests at runtime).
In Simulacron, however, security analysis can be adjusted on different levels: First and foremost, Simulacron offers a possibility to adjust the security analysis with plugins. The possibilities range from largely automated simulation runs based on input generators and automatic security analysis to tests where the Simulacron user can check different application states by manually controlling the application and generating system events for the virtual device through Simulacron.
In the evaluation, we prove the feasibility of Simulacron based on over a hundred individual test applications from the DroidBench framework.
Period1 Jul 2022
ExamineeFabian Berner
Examination held at
  • Johannes Kepler University Linz JKU
Degree of RecognitionInternational


  • Android
  • Application Security Evaluation
  • Dynamic Taint Analysis
  • Information Disclosure
  • Simulation
  • Simulation Environment
  • Taint Tracking
  • TaintART
  • TaintDroid
  • TaintMan