A Taxonomy and Qualitative Comparison of Program Analysis Techniques for Security Assessment of Android Software

Sadeghi, Alireza; Bagheri, Hamid; Garcia, Joshua; Malek, Sam

doi:10.1109/tse.2016.2615307

Cited by 116 publications

(77 citation statements)

References 361 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In this context, numerous efforts have proposed techniques and developed tools to detect different vulnerabilities (and malicious behavior) in Android apps. Given the number of proposed techniques and available tools, there have been recent efforts to assess the capabilities of these tools and techniques [Reaves et al, 2016, Sadeghi et al, 2017, Pauck et al, 2018. However, these assessments are subject to one or more of the following limiting factors:…”

Section: Motivationmentioning

confidence: 99%

“…Despite these differences, the effort by Reaves et al is closely related to our evaluation. Sadeghi et al [2017] conducted an exhaustive literature review of the use of program analysis techniques to address issues related to Android security. They identified trends, patterns, and gaps in existing literature along with the challenges and opportunities for future research.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Are free Android app security analysis tools effective in detecting known vulnerabilities?

Ranganath

Mitra

2019

Empir Software Eng

View full text Add to dashboard Cite

Increasing interest in securing the Android ecosystem has spawned numerous efforts to assist app developers in building secure apps. These efforts have resulted in tools and techniques capable of detecting vulnerabilities (and malicious behaviors) in apps. However, there has been no evaluation of the effectiveness of these tools and techniques in detecting known vulnerabilities. The absence of such evaluations puts app developers at a disadvantage when choosing security analysis tools to secure their apps.In this regard, we evaluated the effectiveness of vulnerability detection tools for Android apps. We considered 64 tools and empirically evaluated 14 vulnerability detection tools (incidentally along with five malicious behavior detection tools) against 42 known unique vulnerabilities captured by Ghera benchmarks, which are composed of both vulnerable and secure apps. Of the 24 observations from the evaluation, the main observation is existing vulnerability detection tools for Android apps are very limited in their ability to detect known vulnerabilities -all of the evaluated tools together could only detect 30 of the 42 known unique vulnerabilities.More effort is required if security analysis tools are to help developers build secure apps. We hope the observations from this evaluation will help app developers choose appropriate security analysis tools and persuade tool developers and researchers to identify and address limitations in their tools and techniques. We also hope this evaluation will catalyze or spark a conversation in the software engineering and security communities to require a more rigorous and explicit evaluation of security analysis tools and techniques.

show abstract

Section: Motivationmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Are free Android app security analysis tools effective in detecting known vulnerabilities?

Ranganath

Mitra

2019

Empir Software Eng

View full text Add to dashboard Cite

show abstract

“…Providing an overview of analysis tools for Android apps is the topic of three recent surveys [18,23,25]. These works collect and summarize tools and their functionality as outlined in research papers.…”

Section: Related Workmentioning

confidence: 99%

Do Android taint analysis tools keep their promises?

Pauck

Bodden

Wehrheim

2018

Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of

View full text Add to dashboard Cite

In recent years, researchers have developed a number of tools to conduct taint analysis of Android applications. While all the respective papers aim at providing a thorough empirical evaluation, comparability is hindered by varying or unclear evaluation targets. Sometimes, the apps used for evaluation are not precisely described. In other cases, authors use an established benchmark but cover it only partially. In yet other cases, the evaluations differ in terms of the data leaks searched for, or lack a ground truth to compare against. All those limitations make it impossible to truly compare the tools based on those published evaluations.We thus present ReproDroid, a framework allowing the accurate comparison of Android taint analysis tools. ReproDroid supports researchers in inferring the ground truth for data leaks in apps, in automatically applying tools to benchmarks, and in evaluating the obtained results. We use ReproDroid to comparatively evaluate on equal grounds the six prominent taint analysis tools Amandroid, DIALDroid, DidFail, DroidSafe, FlowDroid and IccTA. The results are largely positive although four tools violate some promises concerning features and accuracy. Finally, we contribute to the area of unbiased benchmarking with a new and improved version of the open test suite DroidBench.

show abstract

“…In other words, compromising security allows to compromise the other two concepts. Given this assumption, a sensible next step for categorising the extensive literature on static analysis is the work of Sadeghi et al who consider both security and privacy (data protection) in the context of the Android operating system and its software ecosystem [35]. They categorise different research approaches by considering the problems addressed ("what") and the solutions to the problems ("how").…”

Section: Background and Related Workmentioning

confidence: 99%

Annotation-Based Static Analysis for Personal Data Protection

Hjerppe¹,

Ruohonen

Leppänen

2020

Privacy and Identity Management. Data for Better Living: AI and Privacy

View full text Add to dashboard Cite

0000−0002−3737−4669] , Jukka Ruohonen 2[0000−0001−5147−3084] , Ville Leppänen 2 kalle.hjerppe@geniem.com, and Abstract. This paper elaborates the use of static source code analysis in the context of data protection. The topic is important for software engineering in order for software developers to improve the protection of personal data during software development. To this end, the paper proposes a design of annotating classes and functions that process personal data. The design serves two primary purposes: on one hand, it provides means for software developers to document their intent; on the other hand, it furnishes tools for automatic detection of potential violations. This dual rationale facilitates compliance with the General Data Protection Regulation (GDPR) and other emerging data protection and privacy regulations. In addition to a brief review of the state-of-the-art of static analysis in the data protection context and the design of the proposed analysis method, a concrete tool is presented to demonstrate a practical implementation for the Java programming language.

show abstract

A Taxonomy and Qualitative Comparison of Program Analysis Techniques for Security Assessment of Android Software

Cited by 116 publications

References 361 publications

Are free Android app security analysis tools effective in detecting known vulnerabilities?

Are free Android app security analysis tools effective in detecting known vulnerabilities?

Do Android taint analysis tools keep their promises?

Annotation-Based Static Analysis for Personal Data Protection

Contact Info

Product

Resources

About