AndroShield: Automated Android Applications Vulnerability Detection, a Hybrid Static and Dynamic Analysis Approach

The security of mobile applications has become a major research field which is associated with a lot of challenges. The high rate of developing mobile applications has resulted in less secure applications. This is due to what is called the “rush to release” as defined by Ponemon Institute. Security testing—which is considered one of the main phases of the development life cycle—is either not performed or given minimal time; hence, there is a need for security testing automation. One of the techniques used is Automated Vulnerability Detection. Vulnerability detection is one of the security tests that aims at pinpointing potential security leaks. Fixing those leaks results in protecting smart-phones and tablet mobile device users against attacks. This paper focuses on building a hybrid approach of static and dynamic analysis for detecting the vulnerabilities of Android applications. This approach is capsuled in a usable platform (web application) to make it easy to use for both public users and professional developers. Static analysis, on one hand, performs code analysis. It does not require running the application to detect vulnerabilities. Dynamic analysis, on the other hand, detects the vulnerabilities that are dependent on the run-time behaviour of the application and cannot be detected using static analysis. The model is evaluated against different applications with different security vulnerabilities. Compared with other detection platforms, our model detects information leaks as well as insecure network requests alongside other commonly detected flaws that harm users’ privacy. The code is available through a GitHub repository for public contribution.

[1]  Laurie J. Hendren,et al.  Practical virtual method call resolution for Java , 2000, OOPSLA '00.

[2]  Rupak Majumdar,et al.  Hybrid Concolic Testing , 2007, 29th International Conference on Software Engineering (ICSE'07).

[3]  Jacques Klein,et al.  DroidRA: taming reflection to support whole-program analysis of Android apps , 2016, ISSTA.

[4]  Heiko Mantel,et al.  RIFL 1.1: A Common Specification Language for Information-Flow Requirements , 2017 .

[5]  Alessio Merlo,et al.  RiskInDroid: Machine Learning-Based Risk Analysis on Android , 2017, SEC.

[6]  Eric Bodden,et al.  A Machine-learning Approach for Classifying and Categorizing Android Sources and Sinks , 2014, NDSS.

[7]  Rajaram Regupathy,et al.  Android Debug Bridge (ADB) , 2014 .

[8]  Sankardas Roy,et al.  Amandroid: A Precise and General Inter-component Data Flow Analysis Framework for Security Vetting of Android Apps , 2014, CCS.

[9]  Lars Ole Andersen,et al.  Program Analysis and Specialization for the C Programming Language , 2005 .

[10]  David Grove,et al.  Optimization of Object-Oriented Programs Using Static Class Hierarchy Analysis , 1995, ECOOP.

[11]  Bjarne Steensgaard,et al.  Points-to analysis in almost linear time , 1996, POPL '96.

[12]  Wenchao Huang,et al.  Divide and Conquer: Recovering Contextual Information of Behaviors in Android Apps Around Limited-Quantity Audit Logs , 2019, 2019 IEEE/ACM 41st International Conference on Software Engineering: Companion Proceedings (ICSE-Companion).

[13]  Jacques Klein,et al.  FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps , 2014, PLDI.

[14]  Jacques Klein,et al.  Static analysis of android apps: A systematic literature review , 2017, Inf. Softw. Technol..

[15]  Babak Sadeghiyan,et al.  ConsiDroid: A Concolic-based Tool for Detecting SQL Injection Vulnerability in Android Apps , 2018, ArXiv.

[16]  Adam Kiezun,et al.  Grammar-based whitebox fuzzing , 2008, PLDI '08.

[17]  William Enck,et al.  AppsPlayground: automatic security analysis of smartphone applications , 2013, CODASPY.

[18]  Sam Malek,et al.  A whitebox approach for automated security testing of Android applications on the cloud , 2012, 2012 7th International Workshop on Automation of Software Test (AST).

[19]  David F. Bacon,et al.  Fast static analysis of C++ virtual function calls , 1996, OOPSLA '96.

[20]  Hrushikesha Mohanty,et al.  Trends in Software Testing , 2017 .

[21]  Thomas W. Reps,et al.  Precise interprocedural dataflow analysis via graph reachability , 1995, POPL '95.

[22]  Phil McMinn,et al.  Search-Based Software Testing: Past, Present and Future , 2011, 2011 IEEE Fourth International Conference on Software Testing, Verification and Validation Workshops.

[23]  Arun Lakhotia,et al.  DroidLegacy: Automated Familial Classification of Android Malware , 2014, PPREW'14.

[24]  Zhen Huang,et al.  PScout: analyzing the Android permission specification , 2012, CCS.

[25]  Sencun Zhu,et al.  Droid-AntiRM: Taming Control Flow Anti-analysis to Support Automated Dynamic Analysis of Android Malware , 2017, ACSAC.