Abstract
Detecting privacy leakage in Android applications has gained much focus in recent years. Many solutions have been introduced to address this problem. Though solutions differ, they generally identify privacy leaks on merely the existence of sensitive data transmissions out of user's device. However, it is not the transmission of sensitive data that indicates a privacy leakage, but rather whether the transmission is within the application functionality and privacy policy limits. The discrepancy between what the application is claiming to do, and what it is actually doing is a more precise indicator of anomalous privacy exposure. We present AndroMalyZer, a framework that considers the expected privacy behavior of the application to identify anomalous privacy behavior. The framework extracts semantics of expected privacy behavior from the application's description and privacy policy to characterize potential privacy-related anomalies. This knowledge is then incorporated with reliable static analysis techniques to capture witnesses of anomalous privacy behavior. Our experiments proved AndroMalyZer feasibility and accuracy in inferring the expected privacy behaviors of an application and characterizing possible anomalous privacy behaviors accordingly.