1,075 research outputs found
AndroShield: automated Android applications vulnerability detection, a hybrid static and dynamic analysis approach
The security of mobile applications has become a major research field which is associated with a lot of challenges. The high rate of developing mobile applications has resulted in less secure applications. This is due to what is called the “rush to release” as defined by Ponemon Institute. Security testing—which is considered one of the main phases of the development life cycle—is either not performed or given minimal time; hence, there is a need for security testing automation. One of the techniques used is Automated Vulnerability Detection. Vulnerability detection is one of the security tests that aims at pinpointing potential security leaks. Fixing those leaks results in protecting smart-phones and tablet mobile device users against attacks. This paper focuses on building a hybrid approach of static and dynamic analysis for detecting the vulnerabilities of Android applications. This approach is capsuled in a usable platform (web application) to make it easy to use for both public users and professional developers. Static analysis, on one hand, performs code analysis. It does not require running the application to detect vulnerabilities. Dynamic analysis, on the other hand, detects the vulnerabilities that are dependent on the run-time behaviour of the application and cannot be detected using static analysis. The model is evaluated against different applications with different security vulnerabilities. Compared with other detection platforms, our model detects information leaks as well as insecure network requests alongside other commonly detected flaws that harm users’ privacy. The code is available through a GitHub repository for public contribution.
Do Android Taint Analysis Tools Keep Their Promises?
In recent years, researchers have developed a number of tools to conduct
taint analysis of Android applications. While all the respective papers aim at
providing a thorough empirical evaluation, comparability is hindered by varying
or unclear evaluation targets. Sometimes, the apps used for evaluation are not
precisely described. In other cases, authors use an established benchmark but
cover it only partially. In yet other cases, the evaluations differ in terms of
the data leaks searched for, or lack a ground truth to compare against. All
those limitations make it impossible to truly compare the tools based on those
published evaluations.
We thus present ReproDroid, a framework allowing the accurate comparison of
Android taint analysis tools. ReproDroid supports researchers in inferring the
ground truth for data leaks in apps, in automatically applying tools to
benchmarks, and in evaluating the obtained results. We use ReproDroid to
comparatively evaluate on equal grounds the six prominent taint analysis tools
Amandroid, DIALDroid, DidFail, DroidSafe, FlowDroid and IccTA. The results are
largely positive although four tools violate some promises concerning features
and accuracy. Finally, we contribute to the area of unbiased benchmarking with
a new and improved version of the open test suite DroidBench.