Understanding the Evolution of Android App Vulnerabilities

The Android ecosystem today is a growing universe of a few billion devices, hundreds of millions of users and millions of applications targeting a wide range of activities in which sensitive information is collected and processed. Security of communication and privacy of data are thus of utmost importance in application development. Yet there are regular reports of successful attacks targeting Android users. While some of those attacks exploit vulnerabilities in the Android OS, others directly concern application-level code written by a large pool of developers with varying experience. Recently, a number of studies have investigated this phenomenon, but each focused only on a specific vulnerability type appearing in apps and on a single snapshot of the situation at a given time. The community therefore still lacks comprehensive studies of how vulnerabilities have evolved over time, and of how they evolve within a single app across developer updates. Our work fills this gap by leveraging a data stream of 5 million app packages to reconstruct versioned lineages of Android apps; we obtained 28,564 app lineages (i.e., successive releases of the same Android app) with more than 10 app versions each, corresponding to a total of 465,037 apks. On these app lineages we apply state-of-the-art vulnerability-finding tools and systematically investigate the reports produced by each tool. In particular, we study which types of vulnerabilities are found, how they are introduced into the app code, where they are located, and whether they foreshadow malware. We provide insights based on the quantitative data reported by the tools, and we further discuss the potential false positives. Our findings and study artifacts constitute tangible knowledge for the community: developers can use them to focus verification tasks, and researchers can use them to drive vulnerability discovery and repair research efforts.
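The two analysis steps the abstract describes, reconstructing versioned lineages from a stream of apk records and then tracking how each reported vulnerability type appears and disappears across successive releases of one app, can be illustrated with the following added example. This is not code from the paper or from any tool it evaluates: the record format, the package names, the version numbers, the digests and the vulnerability-type labels are all constructed for the illustration, and the "more than N versions" threshold is lowered from the paper's 10 to 3 so that the constructed sample is small.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ApkRecord:
    """One apk as seen in the stream. All field values below are constructed."""
    sha256: str          # placeholder digest, not a real apk hash
    package: str         # Android package name
    version_code: int    # android:versionCode from the manifest
    vulns: frozenset     # vulnerability-type labels a scanner reported for this apk


# Constructed sample stream: records arrive unordered, one versionCode is
# uploaded twice (different digest), and one package has too few versions.
SAMPLE_STREAM = [
    ApkRecord("aaaa01", "com.example.alpha", 3, frozenset({"ssl_hostname_verifier", "webview_js_interface"})),
    ApkRecord("aaaa02", "com.example.alpha", 1, frozenset()),
    ApkRecord("bbbb01", "com.example.beta", 7, frozenset({"exported_component"})),
    ApkRecord("aaaa03", "com.example.alpha", 2, frozenset({"ssl_hostname_verifier"})),
    ApkRecord("aaaa04", "com.example.alpha", 2, frozenset({"ssl_hostname_verifier"})),  # duplicate upload of v2
    ApkRecord("aaaa05", "com.example.alpha", 4, frozenset({"webview_js_interface"})),
    ApkRecord("bbbb02", "com.example.beta", 8, frozenset({"exported_component"})),
]


def build_lineages(records, min_versions):
    """Group apks by package, order each group by versionCode, and keep only
    packages with more than `min_versions` distinct releases (the paper keeps
    lineages with more than 10). A repeated versionCode is treated as a
    duplicate upload and the first record seen is kept."""
    by_pkg = defaultdict(dict)
    for r in records:
        by_pkg[r.package].setdefault(r.version_code, r)
    lineages = {}
    for pkg, versions in by_pkg.items():
        ordered = [versions[v] for v in sorted(versions)]
        if len(ordered) > min_versions:
            lineages[pkg] = ordered
    return lineages


def vuln_events(lineage):
    """Walk one lineage in release order and record, per vulnerability type,
    the versionCode at which it first appears between consecutive releases
    ("introduced") and the versionCode at which it disappears ("removed").
    A type that is removed and later reappears yields a second "introduced"."""
    events = []
    prev = frozenset()
    for r in lineage:
        for v in sorted(r.vulns - prev):
            events.append((r.version_code, "introduced", v))
        for v in sorted(prev - r.vulns):
            events.append((r.version_code, "removed", v))
        prev = r.vulns
    return events


def persisting_vulns(lineage):
    """Vulnerability types still reported in the latest release of the lineage."""
    return set(lineage[-1].vulns)


def summarize(records, min_versions):
    """Tie the steps together: lineage -> (events, still-open vulnerability types)."""
    return {
        pkg: {"events": vuln_events(lin), "open": persisting_vulns(lin)}
        for pkg, lin in build_lineages(records, min_versions).items()
    }


if __name__ == "__main__":
    for pkg, info in summarize(SAMPLE_STREAM, 3).items():
        print(pkg)
        for version, kind, label in info["events"]:
            print(f"  v{version}: {kind} {label}")
        print(f"  still open in latest release: {sorted(info['open'])}")
```

On the constructed stream only `com.example.alpha` survives the threshold; its history shows the SSL hostname-verifier finding introduced in v2 and removed in v4, while the WebView finding introduced in v3 is still open. On real tool output the same walk is where false positives show up as types that flicker in and out between releases without any corresponding code change, which is why the abstract's caution about false positives matters before drawing conclusions from the counts.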
