Abstract
Data security and privacy of Android users is one of the challenging security problems addressed by the security research community. A major source of the security vulnerabilities in Android apps is attributed to bugs within source code, insecure APIs, and unvalidated code before performing sensitive operations. Specifically, the major class of app vulnerabilities is related to the categories such as inter-component communication (ICC), networking, web, cryptographic APIs, storage, and runtime-permission validation. A major portion of current contributions focus on identifying a smaller subset of vulnerabilities. In addition, these methods do not discuss how to remove detected vulnerabilities from the affected code. In this work, we propose a novel vulnerability detection and patching framework, Vulvet , which employs static analysis approaches from different domains of program analysis for detection of a wide range of vulnerabilities in Android apps. We propose an additional light-weight technique, FP-Validation, to mitigate false positives in comparison to existing solutions owing to over-approximation. In addition to improved detection, Vulvet provides an automated patching of apps with safe code for each of the identified vulnerability using bytecode instrumentation. We implement Vulvet as an extension of Soot. To demonstrate the efficiency of our proposed framework, we analyzed 3,700 apps collected from various stores and benchmarks consisting of various weak implementations. Our results indicate that Vulvet is able to achieve vulnerability detection with 95.23% precision and 0.975 F-measure on benchmark apps; a significant improvement in comparison to recent works along with successful patching of identified vulnerabilities.
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.