The increasing popularity of smartphones has made them a target for malware. Smartphone application markets like Google Play and App Store employ protection mechanisms based on permissions, which have shown limited success due to three major challenges: (1) permissions show only what sensitive user information is used by the applications; (2) permissions used in benign and malicious behaviors are often the same; (3) permissions do not protect all types of sensitive user information, such as sensitive information entered through graphical user interfaces (GUI). In this talk, I will present my work on developing automated security analysis techniques to address these three major challenges. My techniques automatically analyze application behaviors from various types of artifacts, including app code, app descriptions, API documents, app meta-data, and graphical user interfaces (GUI). In particular, I will discuss information flow classification and WHYPER, two techniques that explain How and Why sensitive user information is used by the applications to help users make better decisions in permission granting. In addition, I will present AppContext, a program analysis technique that analyzes the context in which a security-sensitive behavior occurs to determine whether the behavior is malicious, and SUPOR, a static analysis technique that detects sensitive information entered by users through GUIs.