Profiling Android Vulnerabilities

In widely used mobile operating systems, a single vulnerability can threaten the security and privacy of billions of users. Identifying vulnerabilities and fortifying software systems therefore requires constant attention and effort. However, this is costly, and analysing an entire code base is almost impossible, so efforts must be prioritized towards the areas most likely to contain vulnerabilities. A first step in identifying these areas is to profile vulnerabilities based on previously reported ones. To investigate this, we performed a manual analysis of Android vulnerabilities reported in the National Vulnerability Database for the period 2008 to 2014. In our analysis, we identified a comprehensive list of issues leading to Android vulnerabilities. We also point out characteristics of the locations where vulnerabilities reside, the complexity of these locations, and the complexity of fixing the vulnerabilities. To enable future research, we make all of our data available.
