    Secure Android Code Helper (Sach): A Tool For Assisting Secure Android Application Development

    Mobile devices now store a lot of sensitive data. With many users adapting to the technical advancement of mobile devices, security of the user's sensitive data becomes imperative. Security vulnerabilities in mobile apps will lead to leakage of users' sensitive data. The goal of this research is to propose a tool to help programmers create secure Android applications. The tool will warn developers about specific classes or methods that include security vulnerabilities such as data leakage and access control vulnerabilities. The tool analyzes Android source code using two approaches: 1) parse the source code and XML to report vulnerabilities based on the CERT secure coding rules for Android application development, and 2) run FlowDroid on the source code, parse FlowDroid's output, and look for device ID or GPS location data being leaked to a log file or through an implicit intent. The results from these approaches are combined into reports that inform developers of security vulnerabilities. A proof of concept of the tool has been implemented and tested. Future work includes completing the implementation of the tool and running tests on a large number of source code bases to evaluate its effectiveness.

    UNCOVERING AND MITIGATING UNSAFE PROGRAM INTEGRATIONS IN ANDROID

    Android's design philosophy encourages the integration of resources and functionalities from multiple parties, even with different levels of trust. Such program integrations, on one hand, connect every party in the Android ecosystem tightly on one single device. On the other hand, they can also pose severe security problems if the security design of the underlying integration schemes is not well thought out. This dissertation systematically evaluates the security design of three integration schemes on Android: framework modules, framework proxies, and third-party code embedding. With the security risks identified in each scheme, it concludes that program integrations on Android are unsafe. Furthermore, new frameworks have been designed and implemented to detect and mitigate the threats. The evaluation results on the prototypes have demonstrated their effectiveness.

    Security Code Smells in Android ICC

    Android Inter-Component Communication (ICC) is complex, largely unconstrained, and hard for developers to understand. As a consequence, ICC is a common source of security vulnerabilities in Android apps. To promote secure programming practices, we have reviewed related research and identified avoidable ICC vulnerabilities in Android devices and the security code smells that indicate their presence. We explain the vulnerabilities and their corresponding smells, and we discuss how they can be eliminated or mitigated during development. We present a lightweight static analysis tool on top of Android Lint that analyzes the code under development and provides just-in-time feedback within the IDE about the presence of such smells in the code. Moreover, with the help of this tool we study the prevalence of security code smells in more than 700 open-source apps, and manually inspect around 15% of the apps to assess the extent to which identifying such smells uncovers ICC security vulnerabilities. Comment: Accepted on 28 Nov 2018, Empirical Software Engineering Journal (EMSE), 201