Are Free Android App Security Analysis Tools Effective in Detecting Known Vulnerabilities? release_sh6pzd75ofadvdafyh76pjmqoi

by Venkatesh-Prasad Ranganath, Joydeep Mitra

Released as a article .

2018  

Abstract

Increasing interest in securing Android ecosystem has spawned numerous efforts to assist app developers in building secure apps. These efforts have resulted in tools and techniques capable of detecting vulnerabilities (and malicious behaviors) in apps. However, there has been no evaluation of the effectiveness of these tools and techniques in detecting known vulnerabilities. Absence of such evaluations puts app developers at a disadvantage when choosing security analysis tools to secure their apps. In this regard, we evaluated the effectiveness of vulnerability detection tools for Android apps. We considered 64 tools and empirically evaluated 14 vulnerability detection tools (incidentally along with 5 malicious behavior detection tools) against 42 known unique vulnerabilities captured by Ghera benchmarks, which are composed of both vulnerable and secure apps. Of the 24 observations from the evaluation, the key observation is existing vulnerability detection tools for Android apps are very limited in their ability to detect known vulnerabilities --- all of the evaluated tools together could only detect 30 of the 42 known unique vulnerabilities. More effort is required if security analysis tools are to help developers build secure apps. We hope the observations from this evaluation will help app developers choose appropriate security analysis tools and persuade tool developers and researchers to identify and address limitations in their tools and techniques. We also hope this evaluation will catalyze or spark a conversation in the software engineering and security communities to require more rigorous and explicit evaluation of security analysis tools and techniques.
In text/plain format

Archived Files and Locations

application/pdf  1.0 MB
file_fr4x2cosfzhd5alj3fk7v3rere
arxiv.org (repository)
web.archive.org (webarchive)
Read Archived PDF
Preserved and Accessible
Type  article
Stage   submitted
Date   2018-12-01
Version   v5
Language   en ?
arXiv  1806.09059v5
Work Entity
access all versions, variants, and formats of this works (eg, pre-prints)
Catalog Record
Revision: 1085f827-69b6-49ba-8d3c-ae6e604a7bb5
API URL: JSON