short-paper

AUSERA: Automated Security Vulnerability Detection for Android Apps

Authors:

Yang LiuAuthors Info & Claims

ASE '22: Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering

Article No.: 154, Pages 1 - 5

https://doi.org/10.1145/3551349.3559524

Published: 05 January 2023 Publication History

Abstract

To reduce the attack surface from app source code, massive tools focus on detecting security vulnerabilities in Android apps. However, some obvious weaknesses have been highlighted in the previous studies. For example, (1) most of the available tools such as AndroBugs, MobSF, Qark, and Super use pattern-based methods to detect security vulnerabilities. Although they are effective in detecting some types of vulnerabilities, a large number of false positives would be introduced, which inevitably increases the patching overhead for app developers. (2) Similarly, static taint analysis tools such as FlowDroid and IccTA present hundreds of vulnerability candidates of data leakage instead of confirmed vulnerabilities. (3) Last but not least, a relatively complete vulnerability taxonomy is missing, which would introduce a lot of false negatives. In this paper, based on our prior knowledge in this research domain, we empirically propose a vulnerability taxonomy as the baseline and then extend AUSERA by augmenting the detection capability to 50 security vulnerability types. Meanwhile, a new benchmark dataset including all these 50 vulnerability types is constructed to demonstrate the effectiveness of AUSERA. The tool and datasets are available at https://github.com/tjusenchen/AUSERA and the demonstration video can be found at https://youtu.be/UCiGwVaFPpY.

References

[1]

2015. AndroBugs. https://github.com/AndroBugs/AndroBugs_Framework

[2]

2016. DIVA App. https://github.com/payatu/diva-android

[3]

2017. JAADAS. https://github.com/flankerhqd/JAADAS

[4]

2018. Qark. https://github.com/linkedin/qark

[5]

2018. Super. https://github.com/SUPERAndroidAnalyzer/super

[6]

2020. MSTG App. https://github.com/OWASP/MSTG-Hacking-Playground

[7]

2022. Common Weakness Enumeration: CWE. https://cwe.mitre.org/

[8]

2022. CVE. https://cve.mitre.org/

[9]

2022. Mobile NIST. https://www.nist.gov/mobile

[10]

2022. MobSF. https://github.com/MobSF/Mobile-Security-Framework-MobSF

[11]

2022. OWASP. https://owasp.org/

[12]

2022. Scantist Pte. Ltd.https://scantist.io/

[13]

Steven Arzt, Siegfried Rasthofer, Christian Fritz, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves Le Traon, Damien Octeau, and Patrick McDaniel. 2014. Flowdroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. Acm Sigplan Notices 49, 6 (2014), 259–269.

Digital Library

[14]

Sen Chen, Lingling Fan, Chunyang Chen, and Yang Liu. 2022. Automatically Distilling Storyboard with Rich Features for Android Apps. IEEE Transactions on Software Engineering(2022).

[15]

Sen Chen, Lingling Fan, Chunyang Chen, Ting Su, Wenhe Li, Yang Liu, and Lihua Xu. 2019. Storydroid: Automated generation of storyboard for Android apps. In 2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE). IEEE, 596–607.

Digital Library

[16]

Sen Chen, Lingling Fan, Guozhu Meng, Ting Su, Minhui Xue, Yinxing Xue, Yang Liu, and Lihua Xu. 2020. An empirical assessment of security risks of global Android banking apps. In 2020 IEEE/ACM 42nd International Conference on Software Engineering (ICSE). IEEE, 1310–1322.

Digital Library

[17]

Sen Chen, Ting Su, Lingling Fan, Guozhu Meng, Minhui Xue, Yang Liu, and Lihua Xu. 2018. Are mobile banking apps secure? what can be improved?. In Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering. 797–802.

Digital Library

[18]

Li Li, Alexandre Bartel, Tegawendé F Bissyandé, Jacques Klein, Yves Le Traon, Steven Arzt, Siegfried Rasthofer, Eric Bodden, Damien Octeau, and Patrick McDaniel. 2015. Iccta: Detecting inter-component privacy leaks in Android apps. In 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering, Vol. 1. IEEE, 280–291.

[19]

Xian Zhan, Lingling Fan, Sen Chen, Feng We, Tianming Liu, Xiapu Luo, and Yang Liu. 2021. ATVhunter: Reliable Version Detection of Third-party Libraries for Vulnerability Identification in Android Applications. In 2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE). IEEE, 1695–1707.

[20]

Xian Zhan, Lingling Fan, Tianming Liu, Sen Chen, Li Li, Haoyu Wang, Yifei Xu, Xiapu Luo, and Yang Liu. 2020. Automated third-party library detection for Android applications: Are we there yet?. In 2020 35th IEEE/ACM International Conference on Automated Software Engineering (ASE). IEEE, 919–930.

Digital Library

Cited By

Wongsuna VNgamsuriyaroj S(2024)Security Analysis of Android Applications for Hotel and Flight Booking Applications2024 26th International Conference on Advanced Communications Technology (ICACT)10.23919/ICACT60172.2024.10472010(01-06)Online publication date: 4-Feb-2024
https://doi.org/10.23919/ICACT60172.2024.10472010
Das TAli AMikkonen T(2024)Taxonomy of Security-related Issues in Android Apps: An Empirical StudyProceedings of the 2024 Workshop on Replications and Negative Results10.1145/3695750.3695824(8-14)Online publication date: 27-Oct-2024
https://dl.acm.org/doi/10.1145/3695750.3695824
Das TAli AMikkonen TFilkov VRay BZhou M(2024)Taxonomy of Security-related Issues in Android Apps: An Empirical StudyProceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering Workshops10.1145/3691621.3694929(15-21)Online publication date: 27-Oct-2024
https://dl.acm.org/doi/10.1145/3691621.3694929
Show More Cited By

Index Terms

AUSERA: Automated Security Vulnerability Detection for Android Apps
1. Security and privacy
  1. Software and application security

Recommendations

Security testing of second order permission re-delegation vulnerabilities in Android apps
MOBILESoft '20: Proceedings of the IEEE/ACM 7th International Conference on Mobile Software Engineering and Systems

In Android, inter-app communication is a cornerstone feature where apps exchange special messages called Intents in order to integrate with each other and deliver a rich end-user experience. In particular, in case an app is granted special permission, ...
Automated Software Vulnerability Detection in Statement Level using Vulnerability Reports
EASE '24: Proceedings of the 28th International Conference on Evaluation and Assessment in Software Engineering

Software vulnerabilities are flaws in a product that compromise system security. In large software systems, developers struggle to find particular vulnerable statements from vulnerable functions when new vulnerabilities arise. Existing research ...
Release practices for iOS and Android apps
WAMA 2019: Proceedings of the 3rd ACM SIGSOFT International Workshop on App Market Analytics

We conduct a preliminary study on the practices of releasing apps for the two major mobile platforms: iOS and Android. We select the most popular applications on the official stores, and we retrieve all the releases of such apps to understand how often ...

Comments

Information & Contributors

Information

Published In

cover image ACM Other conferences

ASE '22: Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering

October 2022

2006 pages

ISBN:9781450394758

DOI:10.1145/3551349

Copyright © 2022 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 05 January 2023

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Short-paper
Research
Refereed limited

Funding Sources

National Natural Science Foundation of China

Conference

ASE '22

ASE '22: 37th IEEE/ACM International Conference on Automated Software Engineering

October 10 - 14, 2022

MI, Rochester, USA

Acceptance Rates

Overall Acceptance Rate 82 of 337 submissions, 24%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

11
Total Citations
View Citations
406
Total Downloads

Downloads (Last 12 months)167
Downloads (Last 6 weeks)22

Reflects downloads up to 25 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Wongsuna VNgamsuriyaroj S(2024)Security Analysis of Android Applications for Hotel and Flight Booking Applications2024 26th International Conference on Advanced Communications Technology (ICACT)10.23919/ICACT60172.2024.10472010(01-06)Online publication date: 4-Feb-2024
https://doi.org/10.23919/ICACT60172.2024.10472010
Das TAli AMikkonen T(2024)Taxonomy of Security-related Issues in Android Apps: An Empirical StudyProceedings of the 2024 Workshop on Replications and Negative Results10.1145/3695750.3695824(8-14)Online publication date: 27-Oct-2024
https://dl.acm.org/doi/10.1145/3695750.3695824
Das TAli AMikkonen TFilkov VRay BZhou M(2024)Taxonomy of Security-related Issues in Android Apps: An Empirical StudyProceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering Workshops10.1145/3691621.3694929(15-21)Online publication date: 27-Oct-2024
https://dl.acm.org/doi/10.1145/3691621.3694929
Zhu JLi KChen SFan Lwang jXie X(2024)A Comprehensive Study on Static Application Security Testing (SAST) Tools for AndroidIEEE Transactions on Software Engineering10.1109/TSE.2024.3488041(1-18)Online publication date: 2024
https://doi.org/10.1109/TSE.2024.3488041
Zhu HChen XWang LXu ZSheng V(2024)A Dynamic Analysis-Powered Explanation Framework for Malware DetectionIEEE Transactions on Knowledge and Data Engineering10.1109/TKDE.2024.343689136:12(7483-7496)Online publication date: Dec-2024
https://doi.org/10.1109/TKDE.2024.3436891
Zhang YChen SFan LGrundy J(2023)A Web-Based Tool for Using Storyboard of Android AppsProceedings of the 45th International Conference on Software Engineering: Companion Proceedings10.1109/ICSE-Companion58688.2023.00037(117-121)Online publication date: 14-May-2023
https://dl.acm.org/doi/10.1109/ICSE-Companion58688.2023.00037
Zhang XFan LChen SSu YLi BBissyandé TKlein JBird CSarro F(2023)Scene-Driven Exploration and GUI Modeling for Android AppsProceedings of the 38th IEEE/ACM International Conference on Automated Software Engineering10.1109/ASE56229.2023.00179(1251-1262)Online publication date: 11-Nov-2023
https://dl.acm.org/doi/10.1109/ASE56229.2023.00179
Cam NHuy TTan VNguyen PVo S(2023)Android Application Behavior Monitor by Using Hooking TechniquesIntelligent Computing and Optimization10.1007/978-3-031-50327-6_34(325-333)Online publication date: 16-Dec-2023
https://doi.org/10.1007/978-3-031-50327-6_34
Khiem HNam TTriet MHuong HKhoa TBao QPhuc NHieu MLoc VQuy TAnh NHien QBang LTrong DNgan NSon HHong K(2023)Applying Blockchain Technology for Privacy Preservation in Android PlatformsWeb Services – ICWS 202310.1007/978-3-031-44836-2_4(47-61)Online publication date: 23-Sep-2023
https://dl.acm.org/doi/10.1007/978-3-031-44836-2_4
Shi XXie XLi YZhang YChen SLi XRoychoudhury ACadar CKim M(2022)Large-scale analysis of non-termination bugs in real-world OSS projectsProceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering10.1145/3540250.3549129(256-268)Online publication date: 7-Nov-2022
https://dl.acm.org/doi/10.1145/3540250.3549129
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

HTML Format

View this article in HTML Format.

Figures

Tables

Media

View Table of Conten