DocumentCode :
2578322
Title :
AQUA: Android QUery Analyzer
Author :
Kim, Chon Ju ; Frankl, Phyllis
Author_Institution :
Comput. Sci. & Eng., Polytech. Inst. of NYU, Brooklyn, NY, USA
fYear :
2012
fDate :
15-18 Oct. 2012
Firstpage :
395
Lastpage :
404
Abstract :
Smart phone and tablet users typically store a variety of sensitive information on their devices, including contact information, photos, SMS messages, and custom data used by various applications. On Android devices, the data is stored in SQLite databases which applications access by constructing and executing queries, either directly or via Android content provider API calls. Before installing an application that uses a content provider, a user must grant permission for the application to read and/or write the associated data. Many users grant permission with little understanding of the risks. Even more savvy users cannot make well-informed decisions, as they are only given very coarse information about what data the application accesses. To provide users with more detailed information about how Android apps access and modify stored data, we have developed AQUA, the Android QUery Analyzer. AQUA analyzes application binary code, performing a lightweight static analysis to determine possible values of string variables that are incorporated into queries. AQUA reports on the content providers used and the database tables/attributes accessed and/or updated, allowing users to make more informed decisions about whether to grant permissions. This paper describes AQUA's design and evaluates AQUA's accuracy and performance by using it to analyze 105 popular apps downloaded from Google Play.
Keywords :
SQL; application program interfaces; mobile computing; operating systems (computers); query processing; relational databases; smart phones; AQUA; Android content provider API calls; Android devices; Android query analyzer; Google Play; SMS messages; SQLite databases; application binary code; smartphone users; tablet users; Algorithm design and analysis; Androids; Databases; Humanoid robots; Registers; Smart phones; Transfer functions; Android; Database application; Static analysis;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Reverse Engineering (WCRE), 2012 19th Working Conference on
Conference_Location :
Kingston, ON
ISSN :
1095-1350
Print_ISBN :
978-1-4673-4536-1
Type :
conf
DOI :
10.1109/WCRE.2012.49
Filename :
6385135