Joydeep Mitra,Venkatesh-Prasad Ranganath,Torben Amtoft,Mike Higgins

DOI: https://doi.org/10.48550/arXiv.2001.10052

2020-01-27

Software Engineering

Abstract:Mobile apps provide various critical services, such as banking, communication, and healthcare. To this end, they have access to our personal information and have the ability to perform actions on our behalf. Hence, securing mobile apps is crucial to ensuring the privacy and safety of its users. Recent research efforts have focused on developing solutions to secure mobile ecosystems (i.e., app platforms, apps, and app stores), specifically in the context of detecting vulnerabilities in Android apps. Despite this attention, known vulnerabilities are often found in mobile apps, which can be exploited by malicious apps to harm the user. Further, fixing vulnerabilities after developing an app has downsides in terms of time, resources, user inconvenience, and information loss. In an attempt to address this concern, we have developed SeMA, a mobile app development methodology that builds on existing mobile app design artifacts such as storyboards. With SeMA, security is a first-class citizen in an app's design -- app designers and developers can collaborate to specify and reason about the security properties of an app at an abstract level without being distracted by implementation level details. Our realization of SeMA using Android Studio tooling demonstrates the methodology is complementary to existing design and development practices. An evaluation of the effectiveness of SeMA shows the methodology can detect and help prevent 49 vulnerabilities known to occur in Android apps. Further, a usability study of the methodology involving ten real-world developers shows the methodology is likely to reduce the development time and help developers uncover and prevent known vulnerabilities while designing apps.

Anthony Peruma,Timothy Huo,Ana Catarina Araújo,Jake Imanaka,Rick Kazman

2024-08-17

Abstract:Mobile applications (apps) have become an essential part of everyday life, offering convenient access to services such as banking, healthcare, and shopping. With these apps handling sensitive personal and financial data, ensuring their security is paramount. While previous research has explored mobile app developer practices, there is limited knowledge about the common practices and challenges that developers face in securing their apps. Our study addresses this need through a global survey of 137 experienced mobile app developers, providing a developer-centric view of mobile app security. Our findings show that developers place high importance on security, frequently implementing features such as authentication and secure storage. They face challenges with managing vulnerabilities, permissions, and privacy concerns, and often rely on resources like Stack Overflow for help. Many developers find that existing learning materials do not adequately prepare them to build secure apps and provide recommendations, such as following best practices and integrating security at the beginning of the development process. We envision our findings leading to improved security practices, better-designed tools and resources, and more effective training programs.

Cryptography and Security,Software Engineering

Yajin Zhou,Kapil Singh,Xuxian Jiang

DOI: https://doi.org/10.1109/noms.2016.7502850

2016-01-01

Abstract:Mobile apps continue to consume increasing amounts of sensitive data, such as banking credentials and classified documents. At the same time, the number of smartphone thefts is increasing at a rapid speed. As a result, there is an imperative need to protect sensitive data on lost or stolen mobile devices. In this work, we develop a practical solution to protect sensitive data on mobile devices. Our solution enables adaptive protection by pro-actively stepping up or stepping down data security based on perceived contextual risk of the device. We realize our solution for the Android platform in the form of a system called AppShell. AppShell does not require root privilege, nor need any modification to the underlying framework, and hence is a ready-to-deploy solution. It supports both in-memory and on-disk data protection by transparently encrypting the data, and discarding the encryption key, when required, for enhanced protection. We implement a working prototype of AppShell and evaluate it against several popular Android apps. Our results show that AppShell can successfully protect sensitive data in the lost devices with a reasonable performance overhead.

Mohammad Ghafari,Pascal Gadient,Oscar Nierstrasz

DOI: https://doi.org/10.1109/SCAM.2017.24

2020-06-02

Abstract:The ubiquity of smartphones, and their very broad capabilities and usage, make the security of these devices tremendously important. Unfortunately, despite all progress in security and privacy mechanisms, vulnerabilities continue to proliferate. Research has shown that many vulnerabilities are due to insecure programming practices. However, each study has often dealt with a specific issue, making the results less actionable for practitioners. To promote secure programming practices, we have reviewed related research, and identified avoidable vulnerabilities in Android-run devices and the "security code smells" that indicate their presence. In particular, we explain the vulnerabilities, their corresponding smells, and we discuss how they could be eliminated or mitigated during development. Moreover, we develop a lightweight static analysis tool and discuss the extent to which it successfully detects several vulnerabilities in about 46,000 apps hosted by the official Android market.

Cryptography and Security,Software Engineering

Xiaoyu Sun

DOI: https://doi.org/10.48550/arXiv.2302.07467

2023-02-15

Abstract:Never before has any OS been so popular as Android. Existing mobile phones are not simply devices for making phone calls and receiving SMS messages, but powerful communication and entertainment platforms for web surfing, social networking, etc. Even though the Android OS offers powerful communication and application execution capabilities, it is riddled with defects (e.g., security risks, and compatibility issues), new vulnerabilities come to light daily, and bugs cost the economy tens of billions of dollars annually. For example, malicious apps (e.g., back-doors, fraud apps, ransomware, spyware, etc.) are reported [Google, 2022] to exhibit malicious behaviours, including privacy stealing, unwanted programs installed, etc. To counteract these threats, many works have been proposed that rely on static analysis techniques to detect such issues. However, static techniques are not sufficient on their own to detect such defects precisely. This will likely yield false positive results as static analysis has to make some trade-offs when handling complicated cases (e.g., object-sensitive vs. object-insensitive). In addition, static analysis techniques will also likely suffer from soundness issues because some complicated features (e.g., reflection, obfuscation, and hardening) are difficult to be handled [Sun et al., 2021b, Samhi et al., 2022].

Cryptography and Security,Software Engineering

Wei Yang,Xusheng Xiao,Rahul Pandita,William Enck,Tao Xie

DOI: https://doi.org/10.1145/2600176.2600208

2014-01-01

Abstract:To keep malware out of mobile application markets, existing techniques analyze the security aspects of application behaviors and summarize patterns of these security aspects to determine what applications do. However, user expectations (reflected via user perception in combination with user judgment) are often not incorporated into such analysis to determine whether application behaviors are within user expectations. This poster presents our recent work on bridging the semantic gap between user perceptions of the application behaviors and the actual application behaviors.

Thomas Sutter,Timo Kehrer,Marc Rennhard,Bernhard Tellenbach,Jacques Klein

DOI: https://doi.org/10.1109/access.2024.3390612

IF: 3.9

2024-04-27

IEEE Access

Abstract:Dynamic analysis is a technique that is used to fully understand the internals of a system at runtime. On Android, dynamic security analysis involves real-time assessment and active adaptation of an app's behaviour, and is used for various tasks, including network monitoring, system-call tracing, and taint analysis. The research on dynamic analysis has made significant progress in the past years. However, to the best of our knowledge, there is a lack in secondary studies that analyse the novel ideas and common limitations of current security research. The main aim of this work is to understand dynamic security analysis research on Android to present the current state of knowledge, highlight research gaps, and provide insights into the existing body of work in a structured and systematic manner. We conduct a systematic literature review (SLR) on dynamic security analysis for Android. The systematic review establishes a taxonomy, defines a classification scheme, and explores the impact of advanced Android app testing tools on security solutions in software engineering and security research. The study's key findings centre on tool usage, research objectives, constraints, and trends. Instrumentation and network monitoring tools play a crucial role, with research goals focused on app security, privacy, malware detection, and software testing automation. Identified limitations include code coverage constraints, security-related analysis obstacles, app selection adequacy, and non-deterministic behaviour. Our study results deepen the understanding of dynamic analysis in Android security research by an in-depth review of 43 publications. The study highlights recurring limitations with automated testing tools and concerns about detecting or obstructing dynamic analysis.

computer science, information systems,telecommunications,engineering, electrical & electronic

Sen Chen,Lingling Fan,Guozhu Meng,Ting Su,Minhui Xue,Yinxing Xue,Yang Liu,Lihua Xu

DOI: https://doi.org/10.48550/arXiv.1805.05236

2020-02-18

Abstract:Mobile banking apps, belonging to the most security-critical app category, render massive and dynamic transactions susceptible to security risks. Given huge potential financial loss caused by vulnerabilities, existing research lacks a comprehensive empirical study on the security risks of global banking apps to provide useful insights and improve the security of banking apps. Since data-related weaknesses in banking apps are critical and may directly cause serious financial loss, this paper first revisits the state-of-the-art available tools and finds that they have limited capability in identifying data-related security weaknesses of banking apps. To complement the capability of existing tools in data-related weakness detection, we propose a three-phase automated security risk assessment system, named AUSERA, which leverages static program analysis techniques and sensitive keyword identification. By leveraging AUSERA, we collect 2,157 weaknesses in 693 real-world banking apps across 83 countries, which we use as a basis to conduct a comprehensive empirical study from different aspects, such as global distribution and weakness evolution during version updates. We find that apps owned by subsidiary banks are always less secure than or equivalent to those owned by parent banks. In addition, we also track the patching of weaknesses and receive much positive feedback from banking entities so as to improve the security of banking apps in practice. To date, we highlight that 21 banks have confirmed the weaknesses we reported. We also exchange insights with 7 banks, such as HSBC in UK and OCBC in Singapore, via in-person or online meetings to help them improve their apps. We hope that the insights developed in this paper will inform the communities about the gaps among multiple stakeholders, including banks, academic researchers, and third-party security companies.

Cryptography and Security

Ikram Ul Haq,Tamim Ahmed Khan

DOI: https://doi.org/10.1109/access.2021.3088229

IF: 3.9

2021-01-01

IEEE Access

Abstract:The invention of smartphones has opened a new market for mobile application development. Amateur android app developers often do not possess knowledge of the latest android vulnerabilities and thus create applications with attack surface that hackers exploit. In this literature review, many available frameworks and techniques have been analyzed using ISO/IEC 25010 software quality model and identified challenges that android developers face in designing a secure application for android. This paper also presents a comprehensive survey of different penetration tools, evaluated by using criteria such as code analysis, code review, vulnerability analysis, vulnerability exploit, payload and whether these can be used in vulnerability modeling during the design phase. Our study effectively identifies the issues and gaps which can further help develop a framework/tool for designing a penetration secure mobile application by embedding all the vulnerabilities during the design phase using an android vulnerability repository.

computer science, information systems,telecommunications,engineering, electrical & electronic

Kris Heid,Jens Heider

DOI: https://doi.org/10.1145/3487405.3487652

2021-11-10

Abstract:Smartphones apps aid humans in plenty of situations. There exists an app for everything. However, without the user’s awareness, some apps contain vulnerabilities or leak private data. Static and dynamic app analysis are ways to find these software properties. Especially setting up a dynamic analysis environment is not a trivial task. Several peculiarities of Android have to be considered, existing tools for different aspects have to be evaluated, selected and setup to work together. Existing literature is often outdated and only covers tools for one aspect but doesn’t combine them together in a big picture. This paper presents a generic design for an automated dynamic app analysis environment and highlights the required components as well as functionality to reveal security and privacy issues. Available tools are listed, realizing different aspects of the proposed environment design. Tool features are evaluated and tool usability for an automated large scale dynamic app analysis is compared. This document should serve as a reference to all who need to implement dynamic analysis on Android (or some aspects) and require an overview of available and usable solutions.

Weixian Yao,Yexuan Li,Weiye Lin,Tianhui Hu,Imran Chowdhury,Rahat Masood,Suranga Seneviratne

DOI: https://doi.org/10.48550/arXiv.2007.03905

2020-07-08

Abstract:Third-party security apps are an integral part of the Android app ecosystem. Many users install them as an extra layer of protection for their devices. There are hundreds of such security apps, both free and paid in Google Play Store and some of them are downloaded millions of times. By installing security apps, the smartphone users place a significant amount of trust towards the security companies who developed these apps, because a fully functional mobile security app requires access to many smartphone resources such as the storage, text messages and email, browser history, and information about other installed applications. Often these resources contain highly sensitive personal information. As such, it is essential to understand the mobile security apps ecosystem to assess whether is it indeed beneficial to install them. To this end, in this paper, we present the first empirical study of Android security apps. We analyse 100 Android security apps from multiple aspects such as metadata, static analysis, and dynamic analysis and presents insights to their operations and behaviours. Our results show that 20% of the security apps we studied potentially resell the data they collect from smartphones to third parties; in some cases, even without the user consent. Also, our experiments show that around 50% of the security apps fail to identify malware installed on a smartphone.

Cryptography and Security

Bin Zhao

DOI: https://doi.org/10.5121/ijnsa.2019.11403

2019-01-01

Abstract:Millions of developers and third-party organizations have flooded into the Android ecosystem due to Android’s open-source feature and low barriers to entry for developers. .However, that also attracts many attackers. Over 90 percent of mobile malware is found targeted on Android. Though Android provides multiple security features and layers to protect user data and system resources, there are still some overprivileged applications in Google Play Store or third-party Android app stores at wild. In this paper, we proposed an approach to map system level behavior and Android APIs, based on the observation that system level behaviors cannot be avoided but sensitive Android APIs could be evaded. To the best of our knowledge, our approach provides the first work to decompose Android application behaviors based on system-level behaviors. We then map system level behaviors and Android APIs through System Call Dependence Graphs. The study also shows that our approach can effectively identify potential permission abusing, with an almost negligible performance impact.

Shishuai Yang,Qinsheng Hou,Shuang Li,Fenghao Xu,Wenrui Diao

DOI: https://doi.org/10.1007/s10664-024-10559-0

IF: 3.762

2024-10-29

Empirical Software Engineering

Abstract:The popularity of Android OS is largely credited to massive number of apps, and many app developers are involved in this ecosystem. On the other hand, various vulnerabilities are introduced into apps by developers carelessly, bringing security risks to users. To facilitate secure development and avoid common API misuses, Google provides a series of security guidelines and development practices for developers on official developer community websites. However, the adoption rate of these security guidelines in the real-world has not been systematically evaluated. In this work, through large-scale app measurement (108,091 apps from Google Play) and analysis, we investigated whether app developers follow the official Android security guidelines and the possible reasons behind it. In practice, we selected nine guidelines and mapped them to four OWASP MASVS control groups ( MASVS-STORAGE , MASVS-NETWORK , MASVS-PLATFORM , and MASVS-CODE ) as representatives, covering: (1) sensitive data storage; (2) validation check for file paths; (3) network security measures; (4) custom permission protection; (5) webview objects usage; (6) intent vulnerability; (7) secure file creation modes; (8) hardware ID usage; (9) man-in-the-middle attacks. We also designed the corresponding detection strategies to identify violations of the guidelines. The results show that most developers (> 90%) comply with Guidelines 1 and 7. However, some guidelines have not been followed properly. For Guidelines 2, 3, 4, 5, 6, and 8, less than 60% of developers followed Google security suggestions.

computer science, software engineering

Ashley Allen,Alexios Mylonas,Stilianos Vidalis,Dimitris Gritzalis

DOI: https://doi.org/10.3390/s24175465

IF: 3.9

2024-08-25

Sensors

Abstract:Smart security devices, such as smart locks, smart cameras, and smart intruder alarms are increasingly popular with users due to the enhanced convenience and new features that they offer. A significant part of this convenience is provided by the device's companion smartphone app. Information on whether secure and ethical development practices have been used in the creation of these applications is unavailable to the end user. As this work shows, this means that users are impacted both by potential third-party attackers that aim to compromise their device, and more subtle threats introduced by developers, who may track their use of their devices and illegally collect data that violate users' privacy. Our results suggest that users of every application tested are susceptible to at least one potential commonly found vulnerability regardless of whether their device is offered by a known brand name or a lesser-known manufacturer. We present an overview of the most common vulnerabilities found in the scanned code and discuss the shortcomings of state-of-the-art automated scanners when looking at less structured programming languages such as C and C++. Finally, we also discuss potential methods for mitigation, and provide recommendations for developers to follow with respect to secure coding practices.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Asaf Shabtai,Dudu Mimran,Yuval Elovici

DOI: https://doi.org/10.48550/arXiv.1502.04870

2015-02-17

Cryptography and Security

Abstract:With the increasing usage of smartphones a plethora of security solutions are being designed and developed. Many of the security solutions fail to cope with advanced attacks and are not aways properly designed for smartphone platforms. Therefore, there is a need for a methodology to evaluate their effectiveness. Since the Android operating system has the highest market share today, we decided to focus on it in this study in which we review some of the state-of-the-art security solutions for Android-based smartphones. In addition, we present a set of evaluation criteria aiming at evaluating security mechanisms that are specifically designed for Android-based smartphones. We believe that the proposed framework will help security solution designers develop more effective solutions and assist security experts evaluate the effectiveness of security solutions for Android-based smartphones.

Xiaoyu Sun,Xiao Chen,Li Li,Haipeng Cai,John Grundy,Jordan Samhi,Tegawendé F. Bissyandé,Jacques Klein

DOI: https://doi.org/10.48550/arXiv.2210.10997

2022-10-20

Abstract:Security of Android devices is now paramount, given their wide adoption among consumers. As researchers develop tools for statically or dynamically detecting suspicious apps, malware writers regularly update their attack mechanisms to hide malicious behavior implementation. This poses two problems to current research techniques: static analysis approaches, given their over-approximations, can report an overwhelming number of false alarms, while dynamic approaches will miss those behaviors that are hidden through evasion techniques. We propose in this work a static approach specifically targeted at highlighting hidden sensitive operations, mainly sensitive data flows. The prototype version of HiSenDroid has been evaluated on a large-scale dataset of thousands of malware and goodware samples on which it successfully revealed anti-analysis code snippets aiming at evading detection by dynamic analysis. We further experimentally show that, with FlowDroid, some of the hidden sensitive behaviors would eventually lead to private data leaks. Those leaks would have been hard to spot either manually among the large number of false positives reported by the state of the art static analyzers, or by dynamic tools. Overall, by putting the light on hidden sensitive operations, HiSenDroid helps security analysts in validating potential sensitive data operations, which would be previously unnoticed.

Cryptography and Security,Software Engineering

Wei YANG,Xusheng XIAO,Dengfeng LI,Huoran LI,Xuanzhe LIU,Haoyu WANG,Yao GUO,Tao XIE

DOI: https://doi.org/10.19363/j.cnki.cn10-1380/tn.2016.02.001

2016-01-01

Abstract:With the increasing popularity of mobile apps, security incidents of mobile apps frequently occur. Accurately identifying security threats among billions of mobile apps has become an important and difficult topic in information secu-rity. In the meantime, the increasing number of mobile apps leads to a massive amount of mobile security data, which ena-bles security analytics for mobile apps. In this article, we illustrate recent research achievements on mobile security ana-lytics from five different perspectives:User Interface (UI) analytics, identification of repackage apps, consistency check-ing between apps functionality and security behaviors, context-sensitive detection of malicious behaviors, and client app management/usage. We also discuss future directions on security analytics for mobile apps, along with challenges in these directions.

Timothy Huo,Ana Catarina Araújo,Jake Imanaka,Anthony Peruma,Rick Kazman

2024-09-14

Abstract:The widespread use of smartphones and tablets has made society heavily reliant on mobile applications (apps) for accessing various resources and services. These apps often handle sensitive personal, financial, and health data, making app security a critical concern for developers. While there is extensive research on software security topics like malware and vulnerabilities, less is known about the practical security challenges mobile app developers face and the guidance they seek. In this study, we mine Stack Overflow for questions on mobile app security, which we analyze using quantitative and qualitative techniques. The findings reveal that Stack Overflow is a major resource for developers seeking help with mobile app security, especially for Android apps, and identifies seven main categories of security questions: Secured Communications, Database, App Distribution Service, Encryption, Permissions, File-Specific, and General Security. Insights from this research can inform the development of tools, techniques, and resources by the research and vendor community to better support developers in securing their mobile apps.

Cryptography and Security,Software Engineering

Wei Guo

DOI: https://doi.org/10.1145/3321408.3321418

2019-05-17

Abstract:Most mobile Internet application security issues are introduced in the development process. How to effectively prevent security problems and solve them as soon as possible in the development process of mobile application development is the key to the security of mobile Internet. This paper introduces the design and implementation of a management and control platform for secure mobile application development. For Android applications and iOS applications, security standards are provided for different application types in the form of security baselines, and the application security baseline standards are managed in the form of security knowledge base. The security baseline points are mapped to specific application security technical specifications and security verification technical points. It provides an effective solution for secure mobile application development.

A. Shabtai,Y. Fledel,U. Kanonov,Y. Elovici,S. Dolev

DOI: https://doi.org/10.48550/arXiv.0912.5101

2009-12-27

Cryptography and Security

Abstract:Google's Android is a comprehensive software framework for mobile communication devices (i.e., smartphones, PDAs). The Android framework includes an operating system, middleware and a set of key applications. The incorporation of integrated access services to the Internet on such mobile devices, however, increases their exposure to damages inflicted by various types of malware. This paper provides a comprehensive security assessment of the Android framework and the security mechanisms incorporated into it. A methodological qualitative risk analysis that we conducted identifies the high-risk threats to the framework and any potential danger to information or to the system resulting from vulnerabilities that have been uncovered and exploited. Our review of current academic and commercial solutions in the area of smartphone security yields a list of applied and recommended defense mechanisms for hardening mobile devices in general and the Android in particular. Lastly, we present five major (high-risk) threats to the Android framework and propose security solutions to mitigate them. We conclude by proposing a set of security mechanisms that should be explored and introduced into Android-powered devices.