
Android Code Vulnerabilities Early Detection Using AI-Powered ACVED Plugin

Published: 19 July 2023

Abstract

During Android application development, ensuring adequate security is a crucial and intricate aspect. However, many applications are released without adequate security measures because vulnerabilities are not identified and code is not verified at the initial development stages. To address this issue, machine learning models can be employed to automate the detection of vulnerabilities in code. However, such models are inadequate for real-time Android code vulnerability mitigation. In this research, an open-source AI-powered plugin named Android Code Vulnerabilities Early Detection (ACVED) was developed using the LVDAndro dataset, in which Android source code vulnerabilities are categorised by Common Weakness Enumeration (CWE). The ACVED plugin, featuring an ensemble learning model in its backend, accurately and efficiently detects both source code vulnerabilities and their respective CWE categories, with a 95% accuracy rate. The model also leverages explainable AI techniques to provide source code vulnerability prediction probabilities for each word. When integrated with Android Studio, the ACVED plugin provides developers with the vulnerability status of the source code line they are currently editing in real time, assisting them in mitigating vulnerabilities. The plugin, model, and scripts are available on GitHub; the model receives regular updates with new training data from the LVDAndro dataset, enabling the detection of novel vulnerabilities recently added to CWE.


Published In

Data and Applications Security and Privacy XXXVII: 37th Annual IFIP WG 11.3 Conference, DBSec 2023, Sophia-Antipolis, France, July 19–21, 2023, Proceedings
Jul 2023
414 pages
ISBN:978-3-031-37585-9
DOI:10.1007/978-3-031-37586-6

Publisher

Springer-Verlag

Berlin, Heidelberg


Author Tags

  1. Android application security
  2. code vulnerability
  3. labelled dataset
  4. artificial intelligence
  5. plugin
