Vulnerability detection in recent Android apps: An empirical study

With the continuous and rapid growth in the number and diversity of smartphone applications in use, the volume of sensitive personal and even financial information stored on users' devices is growing as well. This motivates developers of malicious applications to invest more effort in finding ways to identify and exploit vulnerabilities in utility applications and harvest users' sensitive information. Android applications, being more open in nature and popular among amateur individual developers, fall victim to malware quite frequently. Recently, the Government of Bangladesh has taken an initiative to encourage and sponsor young developers to build utility apps for free public use in the Bangladeshi context (app source: EATL). While the motivation is laudable, i.e., benefiting ordinary people, the way these apps are developed and released gives reason to suspect that common vulnerabilities may be present. This may harm the users and undermine a good initiative. In this paper, we carry out an empirical study on a selected set of these apps to detect eight common vulnerabilities. We carefully chose three quality tools that together cover testing for all of these vulnerabilities. We report the detection results showing the vulnerabilities found in the tested apps, present statistics on those vulnerabilities, and discuss countermeasures. We believe this study will benefit the developers and, indirectly, the potential users of these applications.