A model-based framework for inter-app Vulnerability analysis of Android applications

Nirumand, Atefeh; Zamani, Bahman; Tork-Ladani, Behrouz; Klein, Jacques; Bissyande, Tegawendé François D Assise

doi:10.1002/spe.3171

Download

Article (Scientific journals)

A model-based framework for inter-app Vulnerability analysis of Android applications

Nirumand, Atefeh; Zamani, Bahman; Tork-Ladani, Behrouz et al.

2022 • In Software: Practice and Experience, p. 1-42

Peer Reviewed verified by ORBi

Permalink
https://hdl.handle.net/10993/54304

DOI
10.1002/spe.3171

Files (1)Send to Details Statistics Bibliography Similar publications

Files

Full Text

Softw Pract Exp - 2022 - Nirumand - A model‐based framework for inter‐app Vulnerability analysis of Android applications.pdf

Publisher postprint (6.6 MB)

Download

All documents in ORBilu are protected by a user license.

Send to

RIS BibTex APA Chicago Permalink X Linkedin

Details

Disciplines :

Computer science

Author, co-author :

Nirumand, Atefeh; University of Isfahan

Zamani, Bahman; University of Isfahan

Tork-Ladani, Behrouz; University of Isfahan

Klein, Jacques ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX

Bissyande, Tegawendé François D Assise ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX

External co-authors :

yes

Language :

English

Title :

A model-based framework for inter-app Vulnerability analysis of Android applications

Publication date :

November 2022

Journal title :

Software: Practice and Experience

ISSN :

1097-024X

Publisher :

John Wiley & Sons, Hoboken, United States - New Jersey

Pages :

1-42

Peer reviewed :

Peer Reviewed verified by ORBi

Focus Area :

Security, Reliability and Trust

Available on ORBilu :

since 31 January 2023

Statistics

Number of views

36 (0 by Unilu)

Number of downloads

154 (4 by Unilu)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

OpenCitations

WoS citations^™

Bibliography

Ranganath VP, Mitra J. Are free android app security analysis tools effective in detecting known vulnerabilities? Empir Softw Eng. 2020;25(1):178-219. doi:10.1007/s10664-019-09749-y
Hurier M. Creating Better Ground Truth to Further Understand Android Malware: A Large Scale Mining Approach Based on Antivirus Labels and Malicious Artifacts. PhD thesis, University of Luxembourg, Luxembourg; 2019.
Statista. Google play store: number of apps 2020; July 30; 2021. https://www.statista.com/statistics/266210/number-of-available-applications-in-the-google-play-store/
Hammad M. Self-Protection of Android Systems from Inter-Component Communication Attacks. PhD thesis, University of California, Irvine; 2018.
Sadeghi A. Efficient Permission-Aware Analysis of Android Apps. PhD thesis. University of California, Irvine; 2017.
Li L, Bissyandé TF, Papadakis M, et al. Static analysis of android apps: a systematic literature review. Inf Softw Technol. 2017;88:67-95. doi:10.1016/j.infsof.2017.04.001
Octeau D, McDaniel P, Jha S, et al. Effective inter-component communication mapping in android: an essential step towards holistic security analysis. Proceedings of the 22nd USENIX Security Symposium (USENIX Security 13); 2013; Washington, DC; LA-UR-13-26794.
Arzt S, Rasthofer S, Fritz C, et al. Flowdroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. ACM SIGPLAN Not. 2014;49(6):259-269. doi:10.1145/2666356.2594299
Li L, Bartel A, Bissyandé TF, et al. IccTA: detecting inter-component privacy leaks in android apps. Proceedings of the 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering; 2015.
Bagheri H, Sadeghi A, Garcia J, Malek S. COVERT: compositional analysis of android inter-app permission leakage. IEEE Trans Softw Eng. 2015;41(9):866-886. doi:10.1109/TSE.2015.2419611
Wei F, Roy S, Ou X. Amandroid: a precise and general inter-component data flow analysis framework for security vetting of android apps. ACM Trans Priv Secur (TOPS). 2018;21(3):1-32. doi:10.1145/3183575
Wu T, Deng X, Yan J, Zhang J. Analyses for specific defects in android applications: a survey. Front Comput Sci. 2019;13:1210-1227. doi:10.1007/s11704-018-7008-1
Sadeghi A, Bagheri H, Garcia J, Malek S. A taxonomy and qualitative comparison of program analysis techniques for security assessment of android software. IEEE Trans Softw Eng. 2016;43(6):492-530. doi:10.1109/TSE.2016.2615307
Bagheri H, Wang J, Aerts J, Malek S. Efficient, evolutionary security analysis of interacting android apps. Proceedings of the 2018 IEEE International Conference on Software Maintenance and Evolution (ICSME); 2018.
Reaves B, Bowers J, Gorski SA III, et al. Android: assessment and evaluation of android application analysis tools. ACM Comput Surv (CSUR). 2016;49(3):1-30. doi:10.1145/2996358
Pauck F, Bodden E, Wehrheim H. Do android taint analysis tools keep their promises? Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering; 2018.
Bruneliere H. Generic Model-based Approaches for Software Reverse Engineering and Comprehension. PhD thesis. Nantes University; 2018.
Sabir U, Azam F, Haq SU, Anwar MW, Butt WH, Amjad A. A model driven reverse engineering framework for generating high level UML models from java source code. IEEE Access. 2019;7:158931-158950. doi:10.1109/ACCESS.2019.2950884
Nirumand A, Zamani B, Tork LB. VAnDroid: a framework for vulnerability analysis of Android applications using a model-driven reverse engineering technique. Softw Pract Exp. 2019;49(1):70-99. doi:10.1002/spe.2643
Octeau D, Luchaup D, Dering M, Jha S, McDaniel P. Composite constant propagation: application to android inter-component communication analysis. Proceedings of the 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering; 2015.
Statista. Mobile OS market share 2021. Accessed July 30, 2021. https://www.statista.com/statistics/272698/global-market-share-held-by-mobile-operating-systems-since-2009/
Bhat P, Dutta K. A survey on various threats and current state of security in android platform. ACM Comput Surv. 2019;52(1):1-35. doi:10.1145/3301285
Chin E, Felt AP, Greenwood K, Wagner D. Analyzing inter-application communication in Android. Proceedings of the 9th International Conference on Mobile Systems, Applications, and Services; 2011:239-252.
Ma C, Wang T, Shen L, Liang D, Chen S, You D. Communication-based attacks detection in android applications. Tsinghua Sci Technol. 2019;24(5):596-614. doi:10.26599/TST.2018.9010133
Samhi J, Bartel A, Bissyandé TF, Klein J. RAICC: revealing atypical inter-component communication in android apps. Proceedings of the 2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE); 2021.
Android Developers. Context. Accessed July 3, 2021. https://developer.android.com/reference/android/content/Context
Android Developers. Pendingintent. Accessed July 3, 2021. https://developer.android.com/reference/android/app/PendingIntent
Android Developers. IntentSender. Accessed July 30, 2021. https://developer.android.com/reference/android/content/IntentSender
Six J. Application Security for the Android Platform: Processes, Permissions, and Other Safeguards. O'Reilly Media, Inc; 2011.
Jouault F, Allilaire F, Bézivin J, Kurtev I. ATL: a model transformation tool. Sci Comput Program. 2008;72(1-2):31-39. doi:10.1016/j.scico.2007.08.002
Eclipse Foundation. Eclipse Acceleo project. Accessed July 30, 2021. https://www.eclipse.org/acceleo/
Bruneliere H, Cabot J, Dupé G, Madiot F. MoDisco: a model driven reverse engineering framework. Inf Softw Technol. 2014;56(8):1012-1032. doi:10.1016/j.infsof.2014.04.007
Brambilla M, Cabot J, Wimmer M. Model-driven software engineering in practice. Synthesis lectures on software engineering; 2017.
Raibulet C, Fontana FA, Zanoni M. Model-driven reverse engineering approaches: a systematic literature review. IEEE Access. 2017;5:14516-14542. doi:10.1109/ACCESS.2017.2733518
Lu L, Li Z, Wu Z, Lee W, Jiang G. CHEX: statically vetting Android apps for component hijacking vulnerabilities. Proceedings of the 2012 ACM Conference on Computer and Communications Security; 2012:229-240.
Octeau D, Jha S, McDaniel P. Retargeting Android applications to Java bytecode. Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering; 2012:1-11.
Gordon MI, Kim D, Perkins JH, Gilham L, Nguyen N, Rinard MC. Information-flow analysis of android applications in DroidSafe. Proceedings of the 22nd Annual Network and Distributed System Security Symposium (NDSS); 2015.
Tiwari A, Groß S, Hammer C. IIFA: modular inter-app intent information flow analysis of android applications. Proceedings of the International Conference on Security and Privacy in Communication Systems; 2019:335-349.
Klieber W, Flynn L, Bhosale A, Jia L, Bauer L. Android taint flow analysis for app sets. Proceedings of the 3rd ACM SIGPLAN International Workshop on the State of the Art in Java Program Analysis; 2014:1-6.
Jha AK, Lee S, Lee WJ. Modeling and test case generation of inter-component communication in android. Proceedings of the 2015 2nd ACM International Conference on Mobile Software Engineering and Systems; 2015:113-116.
Biswas S, Sharif K, Li F, Liu Y. 3P framework: customizable permission architecture for mobile applications. Proceedings of the International Conference on Wireless Algorithms, Systems, and Applications; 2017:445-456.
Biswas S, Haipeng W, Rashid J. Android permissions management at app installing. Int J Sec Appl. 2016;10(3):223-232. doi:10.14257/ijsia.2016.10.3.21
Hammad M, Bagheri H, Malek S. DelDroid: an automated approach for determination and enforcement of least-privilege architecture in android. J Syst Softw. 2019;149:83-100. doi:10.1016/j.jss.2018.11.049
Github. Jadx: Dex to Java decompiler. Accessed July 30, 2021. https://github.com/skylot/jadx
Android Developers. Intent and intent filters. Accessed July 30, 2021. https://developer.android.com/guide/components/intents-filters
Nirumand A, Zamani B, Tork L, et al. ATL rules and OCL queries implemented in VAnDroid2. Technical report, MDSE Research Group; 2022. https://mdse.ui.ac.ir/TR/UI-SE-MDSERG-2022-05.pdf.
Allix K, Bissyandé TF, Klein J, Le Traon Y. AndroZoo: collecting millions of android apps for the research community. Proceedings of the 2016 IEEE/ACM 13th Working Conference on Mining Software Repositories (MSR); 2016:468-471.
GitHub. Secure-software-engineering/DroidBench. Accessed July 30, 2021. https://github.com/secure-software-engineering/DroidBench
GitHub. fgwei/ICC-Bench. Date Accessed: July 30, 2021. fgwei/ICC-Bench.
Qiu L, Wang Y, Rubin J. Analyzing the analyzers: FlowDroid/IccTA, AmanDroid, and DroidSafe. Proceedings of the 27th ACM SIGSOFT International Symposium on Software Testing and Analysis; 2018:176-186.
Statistics. 55+ jaw dropping app usage statistics in 2021. Accessed July 30, 2021. https://techjury.net/blog/app-usage-statistics/
Statistics. Mobile app download and usage statistics (2021); Accessed July 30, 2021. https://buildfire.com/app-statistics/
Statistics. Most popular Google play app categories as of 1st quarter 2022. Accessed May 12, 2022. https://www.statista.com/statistics/279286/google-play-android-app-categories/
Pressman RS, Maxim BR. Software Engineering: A Practitioner's Approach. McGraw-Hill Higher Education; 2015.
Bosu A, Liu F, Yao D, Wang G. Collusive data leak and more: large-scale threat analysis of inter-app communications. Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security; 2017:71-85.
Bondi AB. Characteristics of scalability and their impact on performance. Proceedings of the 2nd International Workshop on Software and Performance; 2000:195-203.
Clements PC. Software Architecture in Practice. Dissertation. Software Engineering Institute; 2002.
Bitbucket. Android-app-vulnerability-benchmarks. Accessed February 10, 2021. https://bitbucket.org/secure-it-i/may2018/src/master/vulevals/
What are the most critical android application vulnerabilities of 2021? Accessed May 14, 2022. https://www.hackingloops.com/most-critical-android-application-vulnerabilities/
OWASP. OWASP Top 10 – 2021. Accessed May 14, 2022. https://owasp.org/Top10/
Peck M, Northern C. Analyzing the effectiveness of app vetting tools in the enterprise. MITRE Corporation, Technical Report; 2016.