Taint analysis is a widely used technique to analyze Android apps, enabling the tracking of data flow within an app. A key step is identifying which methods act as SOURCEs (i.e., where data of interest originates) and SINKs (where data might be exposed). Existing approaches typically fall into two categories: ➀ handcrafted lists, which suffer from incompleteness and quickly become outdated; and ➁ automated techniques, which, although scalable, over-approximate and produce many false positives, primarily due to the challenge of defining what qualifies as a SOURCE. While identifying SINKs is generally more straightforward (as they correspond to explicit exposure points), defining a universal criterion for what constitutes a SOURCE remains inherently challenging. For example, isMicrophoneMute() may not typically be considered a SOURCE, yet in specific contexts it could represent a significant privacy concern. This context dependence highlights the limitations of static, generic lists of SOURCE methods. We present TaskFlow, a novel LLM-driven framework for generating task-specific lists of SOURCE (or SINK) methods aligned with specific analysis goals. By reasoning over API semantics and contextual usage, TaskFlow ➀ mitigates the noise commonly introduced by overly broad lists, leading to more precise taint analyses; and ➁ addresses the incompleteness of manual approaches.
Alecci et al. (Fri,) studied this question.
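The effect of the SOURCE list on what a taint analysis reports can be seen in a small added example (not code from the paper or from TaskFlow). The straight-line program, the three SOURCE lists and the SINK list are constructed for illustration; the pass is a minimal forward propagation, not a full Android taint analyzer.

```python
# Constructed example: a tiny forward taint pass over straight-line "IR".
# Each statement is (result_var, called_method, argument_vars).
APP = [
    ("imei",  "TelephonyManager.getDeviceId",  []),
    ("muted", "AudioManager.isMicrophoneMute", []),
    ("tz",    "TimeZone.getDefault",           []),
    ("state", "String.valueOf",                ["muted"]),
    ("body",  "StringBuilder.append",          ["state", "tz"]),
    (None,    "Log.d",                         ["imei"]),
    (None,    "OutputStream.write",            ["body"]),
]

SINKS = {"Log.d", "OutputStream.write"}

# Hypothetical lists written by hand for this example (assumptions).
# 1) A short handcrafted list that does not know about audio state.
GENERIC_SOURCES = {"TelephonyManager.getDeviceId",
                   "LocationManager.getLastKnownLocation"}
# 2) A list for the task "does the app expose microphone state?".
AUDIO_TASK_SOURCES = {"AudioManager.isMicrophoneMute"}
# 3) An over-approximation: every get*/is* method counts as a SOURCE.
BROAD_SOURCES = {m for _, m, _ in APP
                 if m.split(".")[1].startswith(("get", "is"))}


def find_flows(program, sources, sinks):
    """Return the sorted list of (source_method, sink_method) flows."""
    origins = {}   # variable -> set of SOURCE methods its value derives from
    flows = set()
    for result, method, args in program:
        # Taint reaching this call is the union of its arguments' origins.
        reaching = set()
        for arg in args:
            reaching |= origins.get(arg, set())
        if method in sinks:
            flows |= {(src, method) for src in reaching}
        if method in sources:
            reaching = reaching | {method}
        if result is not None:
            origins[result] = reaching
    return sorted(flows)


if __name__ == "__main__":
    for name, srcs in [("generic", GENERIC_SOURCES),
                       ("audio task", AUDIO_TASK_SOURCES),
                       ("broad", BROAD_SOURCES)]:
        print(name, find_flows(APP, srcs, SINKS))
```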