Abstract

Android Inter-Component Communication (ICC) is complex, largely unconstrained, and hard for developers to understand. As a consequence, ICC is a common source of security vulnerability in Android apps. To promote secure programming practices, we have reviewed related research, and identified avoidable ICC vulnerabilities in Android-run devices and the security code smells that indicate their presence. We explain the vulnerabilities and their corresponding smells, and we discuss how they can be eliminated or mitigated during development. We present a lightweight static analysis tool on top of Android Lint that analyzes the code under development and provides just-in-time feedback within the IDE about the presence of such smells in the code. Moreover, with the help of this tool we study the prevalence of security code smells in more than 700 open-source apps, and manually inspect around 15% of the apps to assess the extent to which identifying such smells uncovers ICC security vulnerabilities.

Full Text
Published version (Free)

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Similar Papers

Paper Title
Journal
Date
Author
ICCBot: Fragment-Aware and Context-Sensitive ICC Resolution for Android Applications
Jiwei Yan ... Shixin Zhang
-
Jiwei Yan, et. al.Jiwei Yan ... Shixin Zhang
01 May 2022
Dissecting Android Inter-component Communications via Interactive Visual Explorations
John Jenkins ... Haipeng Cai
-
John Jenkins, et. al.John Jenkins ... Haipeng Cai
01 Sep 2017
RAICC: Revealing Atypical Inter-Component Communication in Android Apps
Jordan Samhi ... Jacques Klein
-
Jordan Samhi, et. al.Jordan Samhi ... Jacques Klein
01 May 2021
Communication-based attacks detection in android applications
Chuan Ma ... Dongkui Liang
Tsinghua Science & Technology | VOL. 24
Chuan Ma, et. al.Chuan Ma ... Dongkui Liang
01 Oct 2019
View more papers

More From: Empirical Software Engineering

Paper Title
Journal
Date
Author
Systematic Evaluation of Deep Learning Models for Log-based Failure Prediction
Fatemeh Hadadi ... Lionel Briand
Empirical Software Engineering | VOL. 29
Fatemeh Hadadi, et. al.Fatemeh Hadadi ... Lionel Briand
20 Jun 2024
A comprehensive analysis of challenges and strategies for software release notes on GitHub
Jianyu Wu ... Minghui Zhou
Empirical Software Engineering | VOL. -
Jianyu Wu, et. al.Jianyu Wu ... Minghui Zhou
20 Jun 2024
A literature review and existing challenges on software logging practices
Mohamed Amine Batoun ... Heng Li
Empirical Software Engineering | VOL. 29
Mohamed Amine Batoun, et. al.Mohamed Amine Batoun ... Heng Li
18 Jun 2024
OpenSCV: an open hierarchical taxonomy for smart contract vulnerabilities
Fernando Richter Vidal ... Nuno Laranjeiro
Empirical Software Engineering | VOL. 29
Fernando Richter Vidal, et. al.Fernando Richter Vidal ... Nuno Laranjeiro
18 Jun 2024
View more papers