We're using static analysis. We download the apk files from Google Play using the unofficial Android API (not from your phone) and decompile them using ded. We analyze this code with the help of Fortify, which we were generously allowed to use for free by HP, as well as with some scripts of our own.
Some further technical details can be seen here.
What are some of the limitations of this kind of work?
Since we are using static analysis, there is no guarantee that any of the code we detect is ever actually used. In layman's terms, we are looking at the set of instructions a program uses to decide what to do, not the program's actual behavior as it runs. So it is possible that somebody wrote something that can never actually be run. We've noticed this in some cases, especially when programmers use a lot of someone else's code (libraries, app-building tools, etc.).
We also are not looking at native code. Some preliminary tests on known malware show that, as a result, some malware (viruses, trojans, etc.) is able to hide some or all of its behavior; surprisingly, though, in most cases so far we seem to do pretty well.
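The two limitations above (a referenced API that is never actually reached, and native code that Dalvik-level analysis cannot see into) can be made concrete with a small reachability check over a call graph. The following is an added example written for this FAQ, not the tool's own code or the ded/Fortify pipeline; the call graph, class names and entry points are constructed for a hypothetical app, and the two Android API names are used only as sinks to classify.

```python
"""Reachability check over a decompiled app's call graph (added example).

A plain static scan reports every *reference* to a sensitive API found in
the decompiled bytecode.  Walking the call graph from the framework entry
points (lifecycle and component callbacks) separates references that can
execute from references that are dead code, e.g. an unused library path.
Methods declared ``native`` have their body in a .so file that a
Dalvik-level analysis never sees, so reaching one means the report may be
incomplete and is flagged separately.
"""
from collections import deque

# Constructed call graph for a hypothetical app: method -> methods it invokes.
CALL_GRAPH = {
    "com.example.MainActivity.onCreate": [
        "com.example.Tracker.start",
        "com.example.AdLib.init",
    ],
    "com.example.Tracker.start": [
        "android.telephony.TelephonyManager.getDeviceId",
    ],
    "com.example.AdLib.init": ["com.example.AdLib.nativeInit"],
    "com.example.AdLib.nativeInit": [],  # declared native: body lives in a .so
    # Shipped inside the library but never invoked from any entry point.
    "com.example.AdLib.legacySms": [
        "android.telephony.SmsManager.sendTextMessage",
    ],
    "com.example.BootReceiver.onReceive": ["com.example.Tracker.start"],
}

# Roots of the analysis: callbacks the Android framework invokes itself.
ENTRY_POINTS = {
    "com.example.MainActivity.onCreate",
    "com.example.BootReceiver.onReceive",
}
NATIVE_METHODS = {"com.example.AdLib.nativeInit"}  # hypothetical JNI method
SENSITIVE_APIS = {
    "android.telephony.TelephonyManager.getDeviceId": "reads the device IMEI",
    "android.telephony.SmsManager.sendTextMessage": "sends an SMS",
}


def reachable_from(roots, graph):
    """Breadth-first walk; returns every method reachable from the roots."""
    seen = set()
    queue = deque(roots)
    while queue:
        method = queue.popleft()
        if method in seen:
            continue
        seen.add(method)
        queue.extend(graph.get(method, []))
    return seen


def classify_sensitive_calls(graph, entry_points, native_methods, sensitive_apis):
    """Label each referenced sensitive API as 'reachable' or 'dead'.

    Returns (labels, native_reached): native_reached is True when execution
    can enter a native method, i.e. behaviour may exist that this analysis
    cannot observe at all.
    """
    reach = reachable_from(entry_points, graph)
    labels = {}
    for api in sensitive_apis:
        referenced = any(api in callees for callees in graph.values())
        if not referenced:
            continue  # never mentioned in the bytecode: nothing to report
        labels[api] = "reachable" if api in reach else "dead"
    native_reached = bool(reach & native_methods)
    return labels, native_reached


if __name__ == "__main__":
    labels, native_reached = classify_sensitive_calls(
        CALL_GRAPH, ENTRY_POINTS, NATIVE_METHODS, SENSITIVE_APIS
    )
    for api, status in labels.items():
        print(f"{status:9s} {api} ({SENSITIVE_APIS[api]})")
    if native_reached:
        print("warning: native code is reachable; the listing may be incomplete")
```

In this constructed graph the IMEI read is reachable from two entry points, the SMS send sits in a library method nothing calls, and the ad library drops into native code, which is exactly the case where the answer above says behaviour can be hidden.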
There are a few things of interest we have not implemented yet, such as receiving certain intents.
Will this app come to the iPhone?
We don't have any plans to release it for the iPhone at this time; some fairly substantial changes would need to be made, as our analysis is tailored to a specific API. We may open-source our work some time in the future, at which point anyone would be welcome to port it to the iPhone. (There is one proprietary component, though.)
Will you create a web interface so that we can look up apps without having to install them?
Yes, we have finally done this! You can see the interface here.
We have no commercial interests in this app, and use the Internet permission only to deliver summaries to your phone and allow you to submit feedback. We track individual feedback submissions via a large, random number generated on your phone (which is not derived from any personally identifiable information in any way). You can opt out of this by unchecking the checkbox on the feedback page, or alternately by not submitting feedback.
We are researchers at the University of Michigan, in the RobustNet research group. We are interested in security, performance and network characterization in mobile devices. Our other apps include MobiPerf, a tool to characterize your network, and PowerTutor, a tool to characterize the power consumption of system components and different applications.
You can contact us at appprofiles at umich dot edu. Feel free to send us any of your questions or suggestions.