18 research outputs found

    Android source code vulnerability detection: a systematic literature review

    The use of mobile devices is rising daily in this technological era. A continuous and increasing number of mobile applications are constantly offered on mobile marketplaces to fulfil the needs of smartphone users. Many Android applications do not address the security aspects appropriately. This is often due to a lack of automated mechanisms to identify, test, and fix source code vulnerabilities at the early stages of design and development. Therefore, the need to fix such issues at the initial stages rather than providing updates and patches to the published applications is widely recognized. Researchers have proposed several methods to improve the security of applications by detecting source code vulnerabilities and malicious codes. This Systematic Literature Review (SLR) focuses on Android application analysis and source code vulnerability detection methods and tools by critically evaluating 118 carefully selected technical studies published between 2016 and 2022. It highlights the advantages, disadvantages, applicability of the proposed techniques and potential improvements of those studies. Both Machine Learning (ML) based methods and conventional methods related to vulnerability detection are discussed while focusing more on ML-based methods since many recent studies conducted experiments with ML. Therefore, this paper aims to enable researchers to acquire in-depth knowledge in secure mobile application development while minimizing the vulnerabilities by applying ML methods. Furthermore, researchers can use the discussions and findings of this SLR to identify potential future research and development directions

    Towards an Early Warning System for Network Attacks Using Bayesian Inference

    Towards Automated Android App Collusion Detection

    Android OS supports multiple communication methods between apps. This opens the possibility to carry out threats in a collaborative fashion, cf. the Soundcomber example from 2011. In this paper we provide a concise definition of collusion and report on a number of automated detection approaches, developed in co-operation with Intel Security.

    FedREVAN: real-time detection of vulnerable Android source code through federated neural network with XAI

    Adhering to security best practices during the development of Android applications is of paramount importance due to the high prevalence of apps released without proper security measures. While automated tools can be employed to address vulnerabilities during development, they may prove to be inadequate in terms of detecting vulnerabilities. To address this issue, a federated neural network with XAI, named FedREVAN, has been proposed in this study. The initial model was trained on the LVDAndro dataset and can predict potential vulnerabilities with a 96% accuracy and 0.96 F1-Score for binary classification. Moreover, in case the code is vulnerable, FedREVAN can identify the associated CWE category with 93% accuracy and 0.91 F1-Score for multi-class classification. The initial neural network model was released in a federated environment to enable collaborative training and enhancement with other clients. Experimental results demonstrate that the federated neural network model improves accuracy by 2% and F1-Score by 0.04 in multi-class classification. XAI is utilised to present the vulnerability detection results to developers with prediction probabilities for each word in the code. The FedREVAN model has been integrated into an API and further incorporated into Android Studio to provide real-time vulnerability detection. The FedREVAN model is highly efficient, providing prediction probabilities for one code line in an average of 300 milliseconds

    Android code vulnerabilities early detection using AI-powered ACVED plugin

    During Android application development, ensuring adequate security is a crucial and intricate aspect. However, many applications are released without adequate security measures due to the lack of vulnerability identification and code verification at the initial development stages. To address this issue, machine learning models can be employed to automate the process of detecting vulnerabilities in the code. However, such models are inadequate for real-time Android code vulnerability mitigation. In this research, an open-source AI-powered plugin named Android Code Vulnerabilities Early Detection (ACVED) was developed using the LVDAndro dataset. Utilising Android source code vulnerabilities, the dataset is categorised based on Common Weakness Enumeration (CWE). The ACVED plugin, featuring an ensemble learning model, is implemented in the backend to accurately and efficiently detect both source code vulnerabilities and their respective CWE categories, with a 95% accuracy rate. The model also leverages explainable AI techniques to provide source code vulnerability prediction probabilities for each word. When integrated with Android Studio, the ACVED plugin can provide developers with the vulnerability status of their current source code line in real-time, assisting them in mitigating vulnerabilities. The plugin, model, and scripts can be found on GitHub, and it receives regular updates with new training data from the LVDAndro dataset, enabling the detection of novel vulnerabilities recently added to CWE

    Labelled vulnerability dataset on Android source code (LVDAndro) to develop AI-based code vulnerability detection models

    Ensuring the security of Android applications is a vital and intricate aspect requiring careful consideration during development. Unfortunately, many apps are published without sufficient security measures, possibly due to a lack of early vulnerability identification. One possible solution is to employ machine learning models trained on a labelled dataset, but currently available datasets are suboptimal. This study creates a sequence of datasets of Android source code vulnerabilities, named LVDAndro, labelled based on Common Weakness Enumeration (CWE). Three datasets were generated through app scanning by altering the number of apps and their sources. LVDAndro includes over 2,000,000 unique code samples, obtained by scanning over 15,000 apps. The AutoML technique was then applied to each dataset, as a proof of concept to evaluate the applicability of LVDAndro in detecting vulnerable source code using machine learning. The AutoML model, trained on the dataset, achieved accuracy of 94% and F1-Score of 0.94 in binary classification, and accuracy of 94% and F1-Score of 0.93 in CWE-based multi-class classification. The LVDAndro dataset is publicly available, and continues to expand as more apps are scanned and added to the dataset regularly. The LVDAndro GitHub Repository also includes the source code for dataset generation and model training.

    Low-Temperature Atomic Layer Deposition of Copper Films Using Borane Dimethylamine as the Reducing Co-reagent

    The atomic layer deposition (ALD) of Cu metal films was carried out by a two-step process with Cu(OCHMeCH₂NMe₂)₂ and BH₃(NHMe₂) on Ru substrates and by a three-step process employing Cu(OCHMeCH₂NMe₂)₂, formic acid, and BH₃(NHMe₂) on Pd and Pt substrates. The two-step process demonstrated self-limited ALD growth at 150 °C with Cu(OCHMeCH₂NMe₂)₂ and BH₃(NHMe₂) pulse lengths of ≥3.0 and ≥1.0 s, respectively. An ALD window was observed between 130 and 160 °C, with a growth rate of about 0.13 Å/cycle. Atomic force microscopy (AFM) and scanning electron microscopy (SEM) revealed rough Cu films that likely originate from the Cu nanoparticle seed layer. The Cu films exhibited poor electrical conductivity because of their nanoparticulate natures. The three-step process showed self-limited ALD growth on Pd and Pt at 150 °C with Cu(OCHMeCH₂NMe₂)₂, formic acid, and BH₃(NHMe₂) pulse lengths of ≥3.0, ≥0.3, and ≥1.0 s, respectively. ALD windows were observed between 135 and 165 °C on both Pd and Pt, with growth rates of 0.20 Å/cycle on both substrates. Plots of film thickness versus number of cycles showed linear growth behavior on Pd with a growth rate of 0.20 Å/cycle up to 2000 cycles. By contrast, a similar plot for growth on Pt revealed nonlinear growth behavior, with a growth rate of about 0.4 Å/cycle up to 500 cycles, and then a growth rate of about 0.03 Å/cycle between 500 and 2000 cycles. The large difference in growth behavior between Pd and Pt substrates is proposed to occur by formation of a Cu/Pd alloy film and continuous catalytic decomposition of the BH₃(NHMe₂) by the surface Pd sites. By contrast, there is much less surface Pt in the growing Cu film, and catalytic decomposition of BH₃(NHMe₂) by the diminishing surface Pt as the Cu film grows leads to a decreased growth rate beyond 500 cycles. X-ray photoelectron spectroscopy reveals the formation of high purity Cu metal for all depositions, with low levels of C, N, O, and B. The Cu films on Pd and Pt showed smooth, continuous films at all thicknesses and had low electrical resistivities.

    Volatile and Thermally Stable Mid to Late Transition Metal Complexes Containing α‑Imino Alkoxide Ligands, a New Strongly Reducing Coreagent, and Thermal Atomic Layer Deposition of Ni, Co, Fe, and Cr Metal Films

    Treatment of MCl₂ (M = Cu, Ni, Co, Fe, Mn, Cr) with 2 equiv of α-imino alkoxide salts K(RR′COCNtBu) (R = Me, tBu; R′ = iPr, tBu) afforded M(RR′COCNtBu)₂ or [Mn(RR′COCNtBu)₂]₂ in 9–75% yields. These complexes combine volatility and high thermal stability and have useful atomic layer deposition (ALD) precursor properties. Solution reactions between Ni, Co, and Mn complexes showed that BH₃(NHMe₂) can reduce all to metal powders. ALD growth of Ni, Co, Fe, and Cr films is demonstrated. Mn film growth may be possible, but the films oxidize completely upon exposure to air.
