SO{U}RCERER: Developer-Driven Security Testing Framework for Android Apps

Frequently advised secure development recommendations often fall short in practice for app developers. Tool-driven approaches (e.g., using static analysis tools) lack the context and domain-specific requirements of the app being tested. App developers struggle to extract an actionable and prioritized list of vulnerabilities from the laundry list of security warnings reported by static analysis tools. Process-driven approaches (e.g., applying threat modeling methods) require substantial resources (e.g., a security testing team, budget) and security expertise, which small to medium-scale app development teams can barely afford. To help app developers secure their apps, we propose SO{U}RCERER¹, a guiding framework for Android app developers for security testing. So{u}rcerer guides developers to identify the domain-specific assets of an app, detect and prioritize vulnerabilities, and mitigate those vulnerabilities based on secure development guidelines. We evaluated So{u}rcerer with a case study on analyzing and testing 36 Android mobile money apps. We found that by following the activities guided by So{u}rcerer, an app developer could get a concise and actionable list of vulnerabilities (24–61% fewer security warnings produced by So{u}rcerer than a standalone static analyzer), directly affecting a mobile money app's critical assets, and devise a mitigation plan. Our findings from this preliminary study indicate a viable approach to Android app security testing without being overwhelmingly complex for app developers.

¹ Sourcerer is a fictional character depicted in the fantasy novel series 'Discworld' written by Terry Pratchett. https://discworld.fandom.com/wiki/Sourcerer
