Evaluation of Static Analysis Tools for Mobile App Security
Ayush Maharjan1,2, Nahida Sultana Chowdhury1,2* and Rajeev R Raje2
1Modern Software Engineering, DMI, USA
2Indiana University Purdue University Indianapolis (IUPUI), USA
*Corresponding Author: Nahida Sultana Chowdhury, Software Engineer, DMI, Indianapolis, IN, USA.
December 13, 2021; Published: January 18, 2022
With the large number of Android apps available in app stores such as Google Play, it has become increasingly challenging to find the secure Apps. Therefore, it is very important for users to consider the security and privacy issues while selecting an app from any public app store. Many static analysis tools can identify security and privacy-related vulnerabilities in any mobile app code by highlighting potential flaws, often offering examples to resolve these flaws, and may even modify the code to remove the susceptibilities. This paper empirically compares three publicly available static analysis tools for Android Apps and investigates their pros and cons using the Ghera benchmark.
Keywords: Static Code Analysis; Android; Mobile App; Security; Privacy
- Z Qu., et al. “Dydroid: Measuring dynamic code loading and its security implications in android applications”. In 2017 47th Annual EEE/IFIP International Conference on Dependable Systems and Networks (DSN) (2017): 415-426.
- K Hamandi., et al. “Android SMS malware: Vulnerability and mitigation”. In 2013 27th International Conference on Advanced Information Networking and Applications Workshops (2013): 1004-1009.
- S Fahl., et al. “Why eve and Mallory love android: An analysis of android ssl (in) security”. in Proceedings of the 2012 ACM Conference on Computer and Communications Security, ser. CCS’12. New York, NY, USA: Association for Computing Machinery (2012): 50-61.
- “JAADAS Online”.
- “QARK Online”.
- “Androbugs Framework Online”.
- “Mobile Security Framework Online”.
- J Brittany., et al. “Why don’t software developers use static analysis tools to findbugs?” 35th International Conference on Software Engineering (2013).
- J Mitra and VP Ranganath. “Ghera: A repository of android app vulnerability benchmarks”. in Proceedings of Promise (2017).
- A Maharjan. “Ranking of Android Apps based on Security Evidences”. MS Thesis, IUPUI (2020).
- G Michael., et al. “Information-flow analysis of android applications in droid safe”. in NDSS Symposium, (2015).
- W Fengguo., et al. “Aman-droid: A precise and general inter-component data flow analysis framework for security vetting of android apps”. ACM Transactions on Privacy and Security (2018).
- “DIVA Android Online”.
- “Purposefully Insecure and Vulnerable android Application”.
- “DroidBench 2.0”.
- N S Chowdhury and R R Raje. “A holistic ranking scheme for apps”. 21st International Conference of Computer and Information Technology (2018).
- N S Chowdhury and R R Raje. “Disparity between the programmatic views and the user perceptions of mobile apps”. 20th International Conference of Computer and Information Technology (2017).
- N S Chowdhury and R R Raje. “SERS: A security-related and evidence-based ranking scheme for mobile apps”. IEEE International Conference on Trust, Privacy and Security in Intelligent Systems, and Applications (2019).
- J Mitra and VP Ranganath. “Ghera Android App Vulnerabilities benchmark”.