Erik Derr

Research Associate @ University of Luxembourg



I'm a Research Associate at SnT, University of Luxembourg and a member of the SVV lab.
I obtained a Ph.D. from CISPA / Saarland University where I was part of the IS&C Group led by Michael Backes.

My research interests particularly focus, but are not limited to, code analysis, mobile security (in particular on Android), and security/privacy on IoT devices.


R-Droid constitutes a novel slice-optimization approach to leverage static analysis of Android applications. Building on top of precise application lifecycle models, we employ a slicing-based analysis to generate data-dependent statements for arbitrary points of interest in an application. As a result of our optimization, the produced slices are, on average, 49% smaller than standard slices, thus facilitating code understanding and result validation by security analysts. Moreover, by re-targeting strings, our approach enables automatic assessments for a larger number of use-cases than prior work.

On a large-scale data-leak analysis on a set of 22,700 Android apps from Google Play, R-Droid managed to identify a significantly larger set of potential privacy-violating information flows than previous work, including 2,157 sensitive flows of password-flagged UI widgets in 256 distinct apps.

In contrast to the Android application layer, the internals of Android's application framework and their influence on platform security and user privacy are still largely a black box for us. In this paper, we establish a static runtime model of the application framework in order to study its internals and provide the first high-level classification of the framework's protected resources. We thereby uncover design patterns that differ highly from the runtime model at the application layer.

We demonstrate the benefits of our insights for security-focused analysis of the framework by re-visiting the important use-case of mapping Android permissions to framework/SDK API methods. In particular, we present a novel mapping based on our findings that significantly improves on prior results in this area, which were established based on insufficient knowledge about the framework's internals. Moreover, we introduce the concept of permission locality to show that although framework services follow the principle of separation of duty, the accompanying permission checks that guard sensitive operations violate it.

Find permission mappings and other data on

Third-party libraries on Android have been shown to be security and privacy hazards by adding security vulnerabilities to their host apps or by misusing inherited access rights. Correctly attributing improper app behavior either to app or library developer code or isolating library code from their host apps would be highly desirable to mitigate these problems, but is impeded by the absence of a third-party library detection that is effective and reliable in spite of obfuscated code.

We propose LibScout, a library detection technique that is resilient against common code obfuscations and that is capable of pinpointing the exact library version used in apps. Libraries are detected with profiles from a comprehensive library database that we generated from the original library SDKs. We apply our technique to the top apps on Google Play and their complete histories to conduct a longitudinal study of library usage and evolution in apps.

Find more information and the source-code on


  • Address

    Software Verification and Validation Lab
    SnT, University of Luxembourg
    JFK Building, E04-421
    29, avenue JF Kennedy
    L-1855 Luxembourg

  • Email

  • PGP

    PGP Key

  • Phone

    (+352) 46 66 44 5825

  • Twitter


  • GitHub


Short Text, Large Effect: Measuring the Impact of User Reviews on Android App Security & Privacy
Duc Cuong Nguyen, Erik Derr, Michael Backes, Sven Bugiel
In 40th IEEE Symposium on Security and Privacy (S&P '19) [to appear],
IEEE. 2018. [Acceptance rate: 12.4% (84/679)]

[Bibtex] [PDF]

The Rise of the Citizen Developer: Assessing the Security Impact of Online App Generators
Marten Oltrogge, Erik Derr, Christian Stransky, Yasemin Acar, Sascha Fahl, Christian Rossow, Giancarlo Pellegrino, Sven Bugiel, Michael Backes
In 39th IEEE Symposium on Security and Privacy (S&P '18),
IEEE. 2018. [Acceptance rate: 11.5% (63/549)]

[Bibtex] [PDF] [Blog]

The Impact of Third-party Code on Android App Security
Erik Derr
Usenix Enigma 2018,
USENIX. 2018.

[Bibtex] [Slides] [Talk]

Keep me Updated: An Empirical Study of Third-Party Library Updatability on Android
Erik Derr*, Sven Bugiel, Sascha Fahl, Yasemin Acar, Michael Backes
In 24th ACM Conference on Computer and Communications Security (CCS '17),
ACM. 2017. [Acceptance rate: 18% (151/836)]

[Bibtex] [PDF] (*lead author)

Reliable Third-Party Library Detection in Android and its Security Applications
Michael Backes, Sven Bugiel, Erik Derr*.
In 23rd ACM Conference on Computer and Communications Security (CCS '16),
ACM. 2016. [Acceptance rate: 16.5% (137/831)]

[Bibtex] [PDF] (*lead author)

On Demystifying the Android Application Framework: Re-Visiting Android Permission Specification Analysis
Michael Backes, Sven Bugiel, Erik Derr*, Patrick McDaniel, Damien Octeau, Sebastian Weisgerber.
In 26th USENIX Security Symposium (SEC '16),
USENIX. 2016. [Acceptance rate: 15.6% (72/463)]

[Bibtex] [PDF] (*lead author)

R-Droid: Leveraging Android App Analysis with Static Slice Optimization
Michael Backes, Sven Bugiel, Erik Derr*, Sebastian Gerling, Christian Hammer.
In 11th ACM Asia Conference on Computer and Communications Security (ASIACCS '16), ACM. 2016.

[Bibtex] [PDF] (*lead author)

Taking Android App Vetting to the Next Level with Path-sensitive Value Analysis
Michael Backes, Sven Bugiel, Erik Derr, Christian Hammer.
Technical report A/02/2014, Saarland University, April, 2014.

[Bibtex] [PDF]

Advances in Mobile Security
Sven Bugiel, Erik Derr, Sebastian Gerling, Christian Hammer.
Lauster, Michael (Ed.): 8th Future Security - Security Research Conference, pp. 286–295, Fraunhofer Verlag, 2013.



Program Committee

  • IEEE Workshop on Artificial Intelligence for Mobile (AI4Mobile)    2019

(External) reviewer

  • Computer and Communication Security (CCS)    2015
  • European Symposium on Research in Computer Security (ESORICS)    2017, 2015
  • IEEE European Symposium on Security and Privacy (Euro S&P)    2017
  • IEEE Symposium on Security and Privacy (S&P)    2019, 2017
  • International Joint Conference on Pervasive and Ubiquitous Computing (UbiComp)    2016
  • USENIX Security (SEC)   2017




  • 2018 - current
    University of Luxembourg (SnT) - Research Associate

  • 2012 - 2018
    CISPA, Saarland University - Ph.D. (with distinction)

    Thesis: Understanding and Assessing Security on Android via Static Code Analysis
    Supervisor: Michael Backes

  • 2010 - 2012
    Saarland University - M.Sc. (honors degree)

    Master's Thesis: Verifying the Internet Access of Android Applications

  • 2005 - 2010
    Saarland University - B.Sc.

    Bachelor's Thesis: Improving token-based HTTP anomaly detection in web applications


  • 2012 - 2018
    Software Engineer at Backes SRT, formerly X-pire!, Saarbrücken

  • 2007 - 2011
    Software Engineer at Mara Systems, Saarbrücken

  • 2006 - 2007
    Software Engineer at T-Systems Enterprise Services, Saarbrücken

  • 2005 - 2006
    Software Engineer at ILC Prostep, Bexbach