Startseite > Fachgruppen > Softwaretechnik > Lehre > Vorlesungsarchiv > WS 2016/17 > Android Systems Security (ASYS) WS2016/2017

Android Systems Security (ASYS) WS2016/2017




We are sorry to inform you that this course had to be canceled for the term WS 2016/17. We hope to be able to offer it in the summer term 2017.






Course number and language


The teaching language will be English. Questions in German will be permitted.

Course material

The slides and exercise sheets will be uploaded before each lecture on the course's KoaLA page.

Time and place


Thu 16:00-18:00 at F1.110

Exercise classes:

Wed 11:00-12:00 at F2.211
Wed 12:00-13:00 at F2.211


The exam will be an oral exam.

Time and Place: tba

Registering and asking questions

To attend the course, you have to register in the PAUL system as a participant. To ask questions, please use the discussion forum in KOALA, so that others can benefit from the answers as well.


Android is the fastest growing mobile system in the world, with thousands of new applications submitted to the Google Playstore per day, many of which are written by novice programmers. These applications may contain serious security issues, which exposes millions of users to security threats. 

Apart from benign applications, malicious applications aim to steal private information or send expensive premium SMS messages to numbers owned by the malware authors.

This course shows existing security issues in applications in the wild and how to avoid them. Furthermore, we will teach techniques that malware uses to evade detection by both humans and malware-analysis tools.  The discussed analysis tools are based on recent research results.

This course consists of a theoretical lecture and a practical part, in which hands-on experience can be gained. Theoretical and practical parts are evenly distributed throughout the course. For the practical part, exercises will be provided and can usually be solved in groups. Detailed information on the exercise system will be announced in the first lecture.


The courses Software Analysis and/or Designing Code Analyses for Large-Scale Software Systems (DECA) are a recommended but not required prerequisite. A mature understanding of the Java programming languages and object-oriented programming will be helpful.


Topics covered include:

  1. Android system architecture
  2. Android specific call-graph construction
  3. Static information flow analysis
  4. Limitations of static and dynamic code analysis
  5. Extracting runtime values automatically
  6. Common security issues in benign applications
  7. Common techniques used in malware applications

Every topic has a corresponding practical part, as stated in the following:

  1. Create a small Android App
  2. Taking a look at an Android lifecycle model
  3. Creating a taint wrapper
  4. Hitting the limitations in practice
  5. Extracting runtime vlaues using Harvester and exploring its limitations
  6. Finding of security issues in a legitimate Android application
  7. Analysing a malware application

Learning outcomes

After having attended this course, students will have learned…

  • how the Android system works from a developer perspective
  • types of security flaws that developers of Android applications often induce, and how to avoid them
  • techniques that malicious applications use to increase the burden on sofware securtity analysts, and corresponding counter measures
  • how static information-flow detection works conceptually and how to leverage it for malware and vulnerability detection
  • how to evaluate and explain important limitations of code analysis
  • why runtime values are useful and how to extract them from Android applications
  • basics of the widely used static analysis framework Soot

Recommended reading material

We will not be able to provide a script for this course. We will provide powerpoint slides where available, but will develop some concepts also on the blackboard. Students are highly encouraged to take their own copies during their lecture.

A lot of the material is also covered in the following papers, however, those publications present the material in a more complex manner than in the lectures, which is why they should mostly be used for deeper personal study.

  • Patrick Lam, Eric Bodden, Ondrej Lhoták and Laurie Hendren. The Soot framework for Java program analysis: a retrospective. CETUS '11
  • Steven Arzt, Alexandre Bartel, Damien Octeau et. al. FlowDroid: Precise Context, Flow, Field, Object-sensitive and Lifecycle-aware Taint Analysis for Android Apps, PLDI ‘14
  • Siegfried Rasthofer, Steven Arzt, Marc Miltenberger, Eric Bodden. Harvesting Runtime Values in Android Applications That Feature Anti-Analysis Techniques. NDSS ‘16
  • W. Enck, P. Gilbert, B. gon Chun, L. P. Cox, J. Jung, P. McDaniel, and A. Sheth, 2010. Taintdroid: An information-flow tracking system for realtime privacy monitoring on smartphones. OSDI ‘10
  • K. Coogan, S. Debray, T. Kaochar, and G. Townsend, 2009. Automatic Static Unpacking of Malware Binaries. WCRE ‘09
  • William Enck, Damien Octeau, Patrick McDaniel, and Swarat Chaudhuri, 2011 A Study of Android Application Security, SEC'11