Data flow analysis is widely used to detect security vulnerabilities and privacy leaks. As we show, the traditional model that tracks flows between API calls is insufficient. Calls to write methods on Java stream objects, for example, are only relevant in case the stream is derived from a network connection or publicly readable file. Writing to an in-memory byte stream, on the other hand, is irrelevant in a security analysis. In this paper, we introduce the notion of context-sensitive sinks. A method is only a sink, e.g., when the stream is obtained by calling another API method. To evaluate such conditions, a secondary flow to the sink is required. We propose a demanddriven backwards data flow algorithm that computes secondary flows in a scalable and precise manner. We implemented our approach River on top of FlowDroid. Our empirical evaluation on real-world apps from the Google Play Store shows that River can distinguish between different usages of streams, e.g., network connections, files, etc. and by doing so, reduce the number of false positives by 98% in comparison to FlowDroid while retaining precision and recall. Further, River only induces moderate overhead in computation time and memory.
Miltenberger et al. (Fri,) studied this question.