Professional Documents
Culture Documents
To cite this article: Francesco Bergadano, Milena Boetti, Fabio Cogno, Valerio Costamagna,
Mario Leone & Marco Evangelisti (2020): A modular framework for mobile security analysis,
Information Security Journal: A Global Perspective, DOI: 10.1080/19393555.2020.1741743
Article views: 10
View Crossmark
data
Full Terms & Conditions of access and use can be found at
https://www.tandfonline.com/action/journalInformation?journalCode=uiss20
2 F. BERGADANO ET AL.
widely used because many static approaches are the potential security flaws of an app is often
implemented on top of frameworks such as Soot a difficult and time-consuming process, requiring
(Lam et al., 2011) and WALA (Dolby et al., 2015). skilled personnel and deep insights. It should be
In fact, they provide some facilities for construct- performed by a team of experts who are separate
ing of the call-graph (Li et al., 2017) and other and independent from the development team, it
features for analyzing Android bytecode, e.g., should be repeated periodically, and for every new
points-to analysis, data-flow analysis (Allen & release. This is the theory. In practice, this easily
Cocke, 1976; Fosdick & Osterweil, 1976), control- results in costs that are comparable to the devel-
flow graph. However, static analysis methods have opment costs. This is unacceptable for the clients,
some known limitations: they lead to over- also because of time constraints (the so-called
approximations, because all the code is analyzed, “rush to release”), that has motivated recent ana-
including dead code, and it is undermined by the lysis tools and platforms (Amin et al., 2019;
use of code transformation techniques such as MobSF, 2019; MwrLabs, 2019b; Qark, 2019;
obfuscation, Java Reflection, and dynamic code Zheng et al., 2017). When the approach is made
updates. extreme and totally automated, there is a risk of
On the other hand, dynamic analysis methods producing low quality analyses, where some vul-
execute the application in a protected environment nerabilities are never found, and/or too many are
and inspect its interaction with the system, in found that are almost always false positives, lead-
order to understand its behavior. A typical ing developers to ignore their outcome. We pro-
dynamic analysis process executes the target func- pose a semi-automated approach, where our tool is
tion, monitors the flow of sensitive data and seen as a weapon in the hands of the analyst,
reports the possible data leaks through method speeding up the process and reducing the costs.
tracers or dynamic taint analysis. An example of The approach follows the OWASP Mobile Security
a tool for pure dynamic analysis is given by Testing Guide (github.com/OWASP, 2017),
TaintDroid (Enck et al., 2014); it implements a comprehensive guide for mobile application
a dynamic taint analysis in order to track how security, that describes the technical process for
private information is propagated during the verifying the security requirements of mobile
execution of the app. Unfortunately, dynamic applications.
approaches also have some limitations. It is gen-
erally difficult to cause the execution of all mobile ● Integration of static and dynamic analysis
application paths, as this amounts to a particular
case of the code coverage problem. As
a consequence, dynamic analysis tends to produce We have created a practical implementation of
false negatives because some malicious paths may a hybrid, integrated static/dynamic app analysis
be missed. In particular, if we consider the execu- approach (section 2), descending from the concept
tion of an Android application, it is event-based of dynamic hooking and app instrumentation, and
with asynchronous and multiple entry points. It is based on recent previous research (see section 5). In
very hard to trigger all those events, even with fact, app analysis cannot be only static because of the
tools like Monkey (Android.com, 2019m). high variability of dynamic behavior depending on
The present research provides the following the real-world context, and because there is not
contributions: a linear start-to-stop flowchart of the execution,
and the app functionalities may be triggered from
● App analysis business process external events and smartphone components (e.g.,
messages, telephone, camera, user interaction).
Long-term consulting experience by some of the Dynamic analysis, on the other hand, suffers from
authors has led them to understand the main code coverage difficulties and app component inter-
difficulties that arise when proposing and execut- action. Our method injects analysis components into
ing a security analysis of a mobile app. Analyzing the apps, based on static analysis, and executes
them
at runtime (hence in the execution context.
dynamically) in order
to detect security flaws ● Partial automation
INFORMATION SECURITY JOURNAL: A GLOBAL PERSPECTIVE 3
to make it easy for
experimentation and Our approach has the
The intent of the developers and analysts
represent a core set of purpose of partially
approach is to provide to build new test cate-
tools that are already automating the analysis
a more effective and gories and include them
available in the of mobile applications,
more automated tool in the provided frame-
framework. The in order to cover more
for the process of work. The framework
modules are discussed vulnerabilities in an all-
vetting applications, also takes care of
in detail in section 3. in-one tool. The frame-
when compared to routinary duties, such
work is based on a
other existing hybrid as establishing a
● Experimentation combination of static
approaches. This is connection to the
and dynamic analysis –
done by ana- lyzing a device, and activate the
With the present it is therefore based on
pre-determined list of services that are
framework, we have a hybrid approach. With
vulnerability classes, necessary for the test.
tested a set of 105 apps its powerful modules
that can be tailored to a The analyst developing
downloaded from the and effective interface,
particular applica- tion a new test can then
Google Play Store. it is possible to improve
context and risk concentrate on the
The corresponding the overall accuracy of
profile. The analyst purpose of the test itself
experimental results the analy- sis, increase
can rely on the tool in w.r.t. security
are reported in section code coverage, and
order to execute steps requirements.
4. These days find additional
that would otherwise individuals share vulnerabilities.
be time-consuming. ● The modules personal data more
We provide a than ever before, that
helpful graphic A major contribution of 2.1. Methodology
is, every time they use
interface that can be this research consists of : a modular and
an online service, such
used both for setting the modules, that extensible
as e-commerce, or
up the needed tests and implement fundamental framework
online banking
for producing a proof security analysis for the applications. We The intent of the
report, to be validated apps, and are integrated collected especially approach is to provide
and enhanced by the in the proposed applications belonging a tool that can be
analyst. framework. The most to categories like useful in the process of
important are shopping, finance, and vetting applications. It
● Extensible and SecureFlag, social networks. Our is based on the
modular SharedPreferences, results show that it is OWASP reports and
architecture and Clipboard. This necessary to increase guidelines for mobile
corresponds to security the awareness on cyber security. In particular,
Based on the OWASP best practices sug- security for both the approach adopts, as
classification and gested by OWASP mobile app developers a security guideline,
rating of mobile when developing and mobile users. The the OWASP report on
vulnerabilities mobile apps. The results also show that the new vulnerability
(Owasp.org, 2019), the modules were found to tools such as the statistics in the field of
fra- mework follows a be effective during the proposed framework mobile applications:
modular approach, can be effective for the latest “OWASP
where each module analyzinga large Mobile Top 10”
addresses a number of mobile (Owasp.org, 2019).
corresponding type of apps, and then isolating This covers 10 cate-
vulner- ability, vulnerabilities and gories that contain the
allowing for easier security criticalities in most common and
maintenance and a semi-automated way. most severe
exten- sibility. Every vulnerabilities. The
module can execute a classification of
2. Materials and
specific test, and the vulner- abilities into an
methods
tool is designed so as ordered list, based on
4 F. BERGADANO ET AL.
a Python web framework, and its implementation of store, used in this context as a message queue, that
the WebSocket protocol (Websocket.org, 2019). implements the publish/subscribe messaging para-
WebSockets allow for bidirectional communication digm (Eugster et al., 2003). In this case, the
between modules and Services, and also for intra- publish- ers, i.e., the senders of the messages, are
module communications. Services, like Frida, the services, while the subscriber is the WebSocket.
Proxy, and Fridump, allow for the collection and In this way, specific collected data can be used by
delivery of dynamic data generated by a running several request- ing modules. WebSocket enables
application. This mechanism is achieved through the routing of mes- sages to the correct module.
Redis (Redis.io, 2019), an open-source in-memory Finally, the database component is implemented
data structure with the SQLite library –
its main purpose is to maintain a report for the end of the analysis.
One of the contributions of the paper is the pro- and restore infrastructure (Android.com, 2019i).
posed framework architecture: highly modular, exten- The default value of this attribute is set to true,
sible, and integrating static and dynamic analysis in thereby allowing to save, via ADB, all the applica-
a partially atuomated tool. To turn this high-level tion’s data and settings. However, if this attribute
architecture into a real tool, a number of modules is set to false no backup of the application will ever
where implemented, based on OWASP guidelines be performed. If backup is allowed, the module
and vulnerability listings. The modules then also con- will try to execute the function through the
stitute an important contribution of this research: they “Android Debug Bridge” (ADB).
are described in the next section, while their use in an This module aims at verifying the value of the tag
experimental setting is analyzed in section 4. android:allowBackup by inspecting the
Each module is designed in order to deal with AndroidManifest of the tested application. If the
a specific vulnerability. It can be static, dynamic, value is set to true, it tries to execute the backup
or a combination of both. Each module, in turn, through ADB. The backup may cause the leak of
consists of a computing unit, a visualization unit, sensitive data stored by the app. The analyst remains
a configuration unit, and, in some cases, a unit responsible for inspecting the backup and analyze it
represented by Frida’s dynamic scripts. The com- in order to find any kind of sensitive information.
puting unit processes data arriving from the ser- According to OWASP, no sensitive data should
vices or from the manifest, carrying out the actual be present in backups generated by the mobile
analysis. The view unit is responsible for showing operating system.
the results of the analysis through the graphic
interface. The two components communicate via
WebSocket and allow for real-time analysis. The 3.2. Android debug
configuration unit determines the module proper- The “Android debug” module checks whether an
ties and the services it uses. app allows for debugging by inspecting the
The framework architecture allows other analysts Android Manifest’s tag android:debuggable. If set
to develop additional modules and easily integrate to true, it allows to attach a debugger to an appli-
them in the tool, sharing the tool’s primitives, cation even when running on a device in user
device handling capabilities, use interface for mode (Android.com, 2019k). Otherwise, debug-
setting up the tesing context, and ging is not allowed.
reporting/visualization compo- nent. Since the The default value is false and in a release build
modules represent one main contri- bution of the this value must be set to false. This module aims at
research, we will now list them and provide some verifying the value of this tag by inspecting the
details about their functionalities. AndroidManifest, the result is presented to the
analyst through the user interface.
3. The modules
The modules that have been developed up to now 3.3. APK manifest
mainly concern the security requirements of
The module “APK manifest” checks for permis-
Android applications and are described below.
sions that are declared in the Android Manifest,
categorizing them as high (i.e., critical), medium
3.1. Android backup or good (In compliance with the Android best
practices). Moreover, it checks if the app performs
The “Android Backup” module checks whether the
HTTP/S requests without having the Internet
app allows for backups. In fact, Android offers the
permission.
possibility to perform a full-system backup, when
Because each Android app operates in a sandbox,
it is configured to do so. The AndroidManifest tag
apps must explicitly request access to resources and
android:allowBackup allows to specify whether to
data outside their sandbox. They request this access
allow the application to participate in the backup
by declaring the permission they need in the
AndroidManifest. Permissions are classified by
Android in three protection levels, i.e., Normal, From a security point of view, the application
Signature, and Dangerous permissions (Android. should be able to access only the information and
com, 2019g). resources that are necessary for its purpose (i.e., the
principle of least privilege). Therefore, it should be
3.5. Root detection
checked if permissions are really needed within the
app, and removed from the Manifest otherwise. The The “Root detection” module statically checks if
aim of this module is to check what permissions are the application implements common root detec-
declared in the Android Manifest, categorizing them tion techniques. The goal of this kind of techni-
as High (i.e., critical), Medium or Good. More in ques should be to make it a bit more difficult to
detail, Good permissions are those with very little run the application on a rooted device. However,
risk for the user’s privacy or for the operations of typically, for a better user experience, they are
other apps (e.g., SET_ALARM, SET_WALLPAPER, limited to a static verification which does not
ACCESS_NETWORK_STATE, etc.). High and hinder any operation or functionality of the
Medium permission are those that involve the application. For this reason, this module inspects
user’s private information or could potentially affect if the application implements a file existence
the user’s stored data or the operations of other apps check for files typically found on rooted devices,
(e.g., READ_CONTACTS, RECORD_AUDIO, such as package files of common rooting apps
CAMERA, CALL_PHONE, etc.). The and associated files. In fact, on a rooted phone,
ACCESS_MOCK_LOCATION permission is consid- reverse engineering techniques can be applied
ered as a High risk permission, because the app is more easily. The evidence is displayed to the
allowed to override the location and/or status analyst; obviously, it is still necessary to verify
returned by other location sources such as GPS or dynamically whether such techniques actually
location providers. Malicious applications can block the execution of the entire application.
exploit this permission.
were deprecated in the API level 17. The storing sensitive data, because, by default, they are
MODE_PRIVATE is the default mode; the created insecure and unencrypted. All of these security
object can only be accessed by the application. concerns are checked by the module, with the help
OWASP suggests to avoid Shared Preferences for of dynamic analysis and the implementation of a
Frida script. The second part of the script allows to dynami-
First of all, with this script the module is able to cally intercept, during application execution, if sen-
scan the process memory, in order to find Shared sitive information is written, in clear text, in the
Preferences objects, and retrieve their names and Shared Preferences files. To this end, our script
their mode (i.e., the name of the.xml file and the starts by intercepting calls to the function open of
file creation mode). This functionality is achieved the standard C library libc.so (see Listing 1). This is
through the Frida API Java.choose, that enumer- performed through the Frida API Interceptor. More
ates live instances of the Android class in detail, only the calls to the function open on
SharedPreferencesImpl.java. Shared Preferences files are intercepted and, for
each of them, the path name and also the return
value (i.e., the file descriptor) are stored. In parallel,
calls to the function write, also in the C library, are
intercepted and, with the aforementioned file
descriptor, it is possible to filter only the calls of
interest. Then, it is possible to retrieve data written
by the function. When a file is closed, the call to
the close function, of the C library, is intercepted,
too.
3.9. Clipboard type in text fields, on a mobile device, they are able
to use the Clipboard’s functionalities (e.g., copy and
The “Clipboard” module inspects what clipboard
paste). Android provides a powerful Clipboard
functionalities (i.e., copy and paste) are available
framework for these features (Android.com, 2019j),
in each text field of the application. When users
and it supports both simple and complex data types.
In this case the most important aspects are that
First of all, to test the Clipboard’s functionality
copying and pasting work both within single
for a text field it is necessary that some data, or,
application and between different applica- tions, more precisely, a clip object is already present in
and that they hold only one clip object at a the Clipboard. Since one of the main aims of the
time. present framework is automation, it is necessary
However, this also means that the Clipboard is that this operation is done by the module itself at
public and accessible to all the running processes its start. This is exactly the purpose of the first
without the need of any special permission or script. The script deals with inserting an alphanu-
interaction with the user. From a security point meric text string into the Clipboard (step 1,
of view this globally accessible nature can intro- Figure 4). At the end of this operation it sends
duce risks (Zhang & Du, 2014). a message to the computing unit of the module to
The module aims at inspecting which clipboard indicate the achievement of the operation, this
functionalities are available in each text field of the hook is released, and a second script is attached
application. This is because, as suggested by (its use will be explained later). At this point the
OWASP, the clipboard functionalities should be third and fourth scripts come into play. The aim of
disabled for text fields that process private the third script is, in fact, to retrieve the coordi-
information. nates of the touched text field. More precisely, the
To achieve this purpose the module is quite script returns the original raw X and Y coordinates
complex. Four of Frida’s dynamic scripts have of the touch event on the screen (step 3, Figure 4).
been implemented, and their behavior is repre- This is done through the methods getRawX and
sented in Figure 4. getRawY of the Java Android class MotionEvent
(Android.com, 2019l). These coordinates are
returned only if the touch event is performed on
an object of the class EditText (Android.com,
2019d). If a name has been associated, by the
developer, to this text field, it is also retrieved.
Then, the aim of the third script is to trace the
methods CanPaste and CanCopy of the Java
Android Class TextView (Android.com, 2019e).
The analyst, in order to know which clipboard’s
functionalities are available on a specific text field
is to perform data encryption over HTTPS, when All the information collected by the proxy is
certificate pinning is not implemented. forwarded and processed by the computing and
To achieve this purpose the module analyzes the visualization unit. Through the graphic interface
header and the body of HTTP requests. This is the analyst can inspect each intercepted domain,
achieved by launching an MITM attack with the and search for sensitive data inside the http
mitmproxy, as show in Figure 5. More in detail, request through regular expressions or keywords.
the analysis of the header allows to verify that
cryptographic techniques considered to be vulner-
able (e.g., SSL v2 and v3) have not been used.
Moreover, the analysis of the body allows to eval- 3.14. Logcat
uate if sensitive data are present in clear text The “Logcat” module examines the application
within the HTTP requests. logs to determine whether sensitive information
To perform the test, the analyst must start the is present. Log files are created on a mobile device
application and navigate it. In this way the proxy for debug purposes and then disabled when the
starts to collect data. Each new http request is application is released on the store. From
processed, and the domain is extracted. At this a security point of view, it is important to avoid
point, if the application does not implement certi- logging sensitive data. This is because such data
ficate pinning for that domain, the mitmproxy is may be exposed to malicious applications. The
able to analyze the header and the body. analysis is performed with ADB Logcat. The out-
Otherwise, a possible solution to overcome the put is very verbose. As a consequence logs are
problem could be to introduce a Frida script to filtered by the application, with the Unix com-
bypass the pinning. Obviously further tests and mand grep, and included in the output reports
refinements are needed. through the graphical interface.
4. Results and evaluation results. In particular, we provide the results obtained
from the following modules: Android Backup, Root
In this section we present the experimentation work
Detection, Secure Flag, SharedPreferences, SQLite,
done until now, that has led to some interesting
Clipboard.
In the experimentation process, two rooted
● based on the previous analysis, we focused on
phones have been used. A OnePlus 3 T with
the following app categories: Shopping,
Android 7.1.2 and a Google Nexus 5X with the
Finance & Bank, Cryptocurrency, Social,
same Android version. Frida’s version 10.6.3 was
Travel, and Communications;
used in this experimentation. The experiments
● for each such category we selected the most
were carried out using a set of 105 apps, and the
popular apps suggested by the Google Play
method for selecting those apps is detailed below.
Store;
● since many apps in the Finance & Bank cate-
gory require the opening of real banking
accounts to be used and then tested, we
4.1. App selection method
were forced to exclude such apps, and replace
The approach followed in this paper aims at them with others that did not cause this lim-
a combination of dynamic and static analysis and itations, by scrolling down in the popularity-
has a goal of partial automation. This means that ordered list of apps in the corresponding
for each app that has been selected, a significant category;
amount of manual inspection is still necessary. As ● similarly, some apps had to be removed from
a consequence, we decided to select a good num- the set, and substituted by others in that same
ber of apps (more than a hundred), that could not category, because they were protected against
have been inspected by purely manual methods dynamic hooking (a key component of our
with reasonable time and budget limitations. Yet, approach), and consequently they could not
we could not target thousands of apps, as it would be tested using our tool. This happened in
be necessary for a totally automated tools. We a very limited number of cases, and this
believe that this “ in medio stat virtus” approach should also be considered and interesting by-
is very adequate for app evaluation, were clients product of out experimentation, because one
could claim that this type of protection
cannot afford to spend as much effort in security
should actually be adopted by a large majority
analysis as they have for the development phase.
of apps, so as to avoid third-party analysis,
Yet, totally automatic evaluation fails to capture
reverse engineering, and other actions rele-
many vulnerabilities and/or generates a high per-
vant for integrity and security.
centage of vulnerabilities that are false positive or
cannot truly be exploited. The app selection We believe that the set of apps resulting from the
method was based on the following steps: above selection process is highly representative
and constitutes a good test-bed for security-
● we collected the apps from the Google Play oriented testing.
Store, for the Italian country;
● we identified applications contexts that would
4.2. Evaluation
be relevant w.r.t. user privacy, like travel and
shopping, and security-critical actions, like For each module that was tested, we now show the
payments, as well as applications with a high main results obtained. Consider that a total num-
degree of interaction among users, like social ber of 105 applications were tested, but some of
networks; them (a small portion) protected themselves by
preventing their reverse compilation and/or
dynamic hooking. Therefore, the tests failed to
produce results in these cases.
a control for root detection. However, this is not as particularly sensitive data, should be more restric-
positive as one might think. We found, through tive with respect to this kind of control.
the subsequent dynamic analysis, that only two
applications really prevented their usage with 4.2.2. Backup
rooted devices. In this specific case, the application For the Backup Module, a first analysis on the
interrupted its execution. Most applications whole set of tested applications shows that 49%
choose to make this kind of control without of them allow to participate in the backup and
a real impact on usability for the end user. The restore infrastructure, while the residual 51%
presence of the root can allow untrusted security does not provide these features. Unfortunately,
decisions to be made, and thus increase the num- like many other useful functionalities, this kind
ber of possible attack vectors. This evidence is of automatic backup is not free from security
particularly important when considering the appli- concerns. Figure 7 shows the results obtained by
cations that belong to the Finance & Bank cate- the module, divided by category. The categories
gory. This kind of category, in which apps hold which are most affected by this vulnerability
appear to be Shopping Online and Cryptocurrency. recommendation. This means that most applica-
As a consequence, an important recommendation tions are vulnerable to the screen capture via UI
in order to maintain the security and privacy of overlays, as investigated by MWRLabs (Menezes,
user data is to disable the backup functionality. 2019).
This is particularly important for those applica- Figure 8 highlights the app categories which
tions that handle sensitive information, such as compose the 6% of insecure applications. Among
payment details. On the other hand, positive the analyzed applications only the Finance & Bank
results are found for the categories Finance & category seems to be sensitive to the described
Bank and E-Mail & Work. vulnerability. Nevertheless, the result cannot be
considered fully positive. Indeed, more than half
4.2.3. SecureFlag of the visited views are not treated as secure (47%
The most alarming results are given by the secure, against 53% not secure). Therefore, this
SecureFlag Module. As it can be seen in the right- kind of applications may reveal information like
hand side of Figure 6, 94% of the tested user accounts and financial transactions. More
applications treat Windows content as secure generally, the results show that the most exposed
and do not prevent it from appearing in screen- data are sign-in and sign-up information, payment
shots; only 6% of them follow this important details, and other personal information.
analysis or they add a dynamic analysis module belong two of the most well-known tools, JAADAS
driven by the findings of the static engine. (JAADAS, 2019) and Androguard (Github.com/
androguard, 2011), as well as apk-tool (Apktool,
5.1. Static analysis 2019). The former aims to provide a soot-based
framework for inter-procedural analysis, with the
The security research community proposed several purpose of finding taint-style vulnerabilities, while
static analysis frameworks, especially for Android: the latter offers a comprehensive framework for
DroidSafe (Gordon et al., 2015), FlowDroid (Arzt Android application reverse engineering. The main
et al., 2014), AndroidLeaks (Gibler et al., 2012), difficulties in this area often arise from code obfus-
CHEX (Lu et al., 2012), IccTa (Li et al., 2015) and cation techniques used by the app developers (Bacci
IC3 (Octeau et al., 2016), just to mention a few of et al., 2018). In this work, the authors show that
them, and some for iOS, such as (Egele et al., 2011). malware detection systems based on static analysis
They differ in terms of the adopted techniques and of are more accurate than dynamic approaches on
the granularity of the analysis, e.g., control-flow, non- obfuscated samples, but are negatively
data- flow and points-to analysis. Yet, SAAF affected by obfuscation to a greater degree. In
(Static Analysis Android Framework) (Hoffmann et another reverse engineering approach, the
al., 2013), proposed by Hoffman et al., provides SmaliSCA framework
program slicing on smali code. Taint analysis, a kind (https://github.com/dorneanu/smalisca) has been
of data- flow analysis, is frequently used. proposed, that provides a set of tools that help in
Most of the published tools aim to address visualizing and managing the call flow and the
generic threats for mobile applications (i.e., taint- inter- action patterns of the application being
style vul- nerabilities) or provide frameworks that analyzed.
ease the process of reverse engineering. In this As for static methodologies that are more
category relevant in the present context, we identified the
following published tools, that provide a
comprehensive
analysis of mobile application via leveraging only achieve dynamic
on static analysis approaches.
7. Conclusions
ORCID
In this paper, we presented a new approach and
a corresponding framework for the analysis of Francesco Bergadano http://orcid.org/0000-0003-2567-
mobile applications. Our methodology is modular 336X
and is based on a combination of static and
dynamic analysis, with a particular emphasis on
partial automation. The methodology is based on
the reports and guidelines published by OWASP
for the security of mobile applications. The main
References windowmanager.layout- params. Retrieved June 07 2019,
from https://developer.
Ahmad, M., Costamagna, V., Crispo, B., & Bergadano, F. android.com/reference/android/view/WindowManager.
(2017). Teicc: Targeted execution of inter-component LayoutParams.html#FLAG_SECURE
communications in android. Proceedings of the Android.com. (2019c). Android debug bridge (adb).
symposium on applied computing (pp. 1747–1752). Retrieved June 07, 2019, from
Ahmad, M., Costamagna, V., Crispo, B., Bergadano, F., & https://developer.android.com/studio/ command-
Zhauniarovich, Y. (2020). StaDART: Addressing the line/adb.html
pro- blem of dynamic code updates in the security Android.com. (2019d). Android java class edittext. Retrieved
analysis of android applications. Journal of Systems and June 07, 2019, from https://developer.android.com/refer
Software, 159, [110386]. ence/android/widget/EditText.html
https://doi.org/10.1016/j.jss.2019.07.088 Android.com. (2019e). Android java class textview. Retrieved
Ali-Gombe, A. I., Saltaformaggio, B., Ramanujam, J., Xu, June 07, 2019, from https://developer.android.com/refer
D., & Richard, G. G., III. (2018). Toward a more ence/android/widget/TextView.html
dependable hybrid analysis of android malware using Android.com. (2019f). Android packagemanager. Retrieved
aspect- oriented programming. Computers & Security, June 07, 2019, from https://developer.android.com/refer
73, 235–248. https:// doi.org/10.1016/j.cose.2017.11.006 ence/android/content/pm/PackageManager.html
Allen, F. E., & Cocke, J. (1976). A program data flow Android.com. (2019g). Android permissions. Retrieved
analysis procedure. Communications of the ACM, 19(3), June 07, 2019, from https://developer .android.com/
137. https://doi.org/10.1145/360018.360025 guide/topics/permissions/overview
Amin, A., Eldessouki, A., Magdy, M. T., Abdeen, N., Android.com. (2019h). Android storage options. Retrieved
Hindy, H., & Hegazy, I. (2019). AndroShield: June 07, 2019, from https://developer.android.com/refer
Automated android appli- cations Vulnerability detection, ence/android/content/Context.html#MODE_WORLD_
a hybrid static and dynamic analysis approach.MDPI WRITEABLE
Information, 10(10), article 326, Android.com. (2019i). Auto backup for apps. Retrieved
pages 1-16. https://doi.org/10.3390/info10100326 June 07, 2019, from https://developer.android.com/guide/
Android.com. (2019a). The activity lifecycle. topics/data/autobackup.html
Retrieved Android.com. (2019j). Copy and paste. Retrieved June 07,
June 07, 2019, from https://developer.android.com/guide/ 2019, from https://developer.android.com/guide/topics/
components/activities/activity-lifecycle.html text/copy-paste.html
Android.com. (2019b). Android class
Android.com. (2019k). Declaration of the application. systems, applications, and services (pp. 239–252).
Retrieved June 07, 2019, from https://developer.android. Continella, A., Fratantonio, Y., Lindorfer, M., Puccetti, A.,
com/guide/topics/manifest/application-element.html Zand, A., Kruegel, C., & Vigna, G. (2017). Obfuscation-
Android.com. (2019l). Motioneevent. Retrieved June 07, resilient privacy leak detection for mobile apps through
2019, from differential analysis. Proceedings of the isoc network and
https://developer.android.com/reference/android/ distributed system security symposium (ndss) (pp. 1–16).
view/MotionEvent.html Costamagna, V., & Bergadano, F. (2016). Hookdroid: Dalvik
Android.com. (2019m). UI/application exerciser monkey dynamic instrumentation for security analytics. Int J. on Inf.
(monkey tool). Retrieved June 07, 2019, from https://devel Tech. and Security, 8(3), 39–52.
oper.android.com/studio/test/monkey.html Desnos, A., & Lantz, P. (2014). Droidbox: An android appli-
Apktool. (2019). Apktool: Tool for reverse engineering cation sandbox for dynamic analysis (2011). https://code.
android apk files. Retrieved June 07, 2019, from google. com/p/droidbox
https://ibotpeaches. github.io/Apktool/ Dolby, J., Fink, S. J., & Sridharan, M. (2w0a1t5so).n Tj
Arzt, S., Rasthofer, S., Fritz, C., Bodden, E., Bartel, A., libraries for analysis (wala). http://wala. sf. net
Klein, J., Le Traon, Y., Octeau, D., & McDaniel, P. Egele, M., Kruegel, C., Kirda, E., & Vigna, G. (2011). Pios:
(2014). Flowdroid: Precise context, flow, field, object- Detecting privacy leaks in ios applications. Ndss.
sensitive and lifecycle-aware taint analysis for android Enck, W., Gilbert, P., Han, S., Tendulkar, V., Chun, B.-G.,
apps. Acm Sigplan Notices, 49(6), 259–269. Cox, L. P., Jung, J., McDaniel, P., & Sheth, A. N. (2014).
https://doi.org/10.1145/2666356 Taintdroid: An information-flow tracking system for real-
Bacci, A., Bartoli, A., Martinelli, F., Medvet, E., Mercaldo, time privacy monitoring on smartphones. ACM Transactions
F., & Visaggio, C. A. (2018, 1). Impact of Code on Computer Systems (TOCS), 32(2), 5.
Obfuscation on Android Malware Detection based on https://doi.org/10.1145/2642648
Static and Dynamic Analysis. (pp. 379–385). Eugster, P. T., Felber, P. A., Guerraoui, R., & Kermarrec, A.-
CapFuzz. (n.d.). Capfuzz - capture, intercept, fuzz. Retrieved M. (2003). The many faces of publish/subscribe. ACM
June 07, 2019, from https://github .com/MobSF/CapFuzz, Computing Surveys (CSUR), 35(2), 114–131. https://doi.
note org/10.1145/857076
Chin, E., Felt, A. P., Greenwood, K., & Wagner, D. (2011). Fosdick, L. D., & Osterweil, L. J. (1976). Data flow analysis in
Analyzing inter-application communication in android. software reliability. ACM Computing Surveys (CSUR), 8(3),
Proceedings of the 9th international conference on mobile 305–330. https://doi.org/10.1145/356674.356676
Frida.re. (2019). FRIDA dynamic instrumentation toolkit. assessment for android application. Retrieved June 07,
Retrieved June 07, 2019, from https://www.frida.re/ 2019, from https://github.com/flankerhqd/JAADAS
Fridump. (2019). Fridump open source memory dumping Lam, P., Bodden, E., Lhoták, O., & Hendren, L. (2011). The
tool. Retrieved June 07, 2019, from https://github.com/ soot framework for java program analysis: A retrospective.
Nightbringer21/fridump In Cetus users and compiler infrastructure workshop
Garg, S., Singh, R., & Mohapatra, A. (2019). Analysis of (cetus 2011), Purdue University, (Vol. 15, pp. 35).
software vulnerability classification based on different Li, L., Bartel, A., Bissyandé, T. F., Klein, J., Le Traon, Y.,
technical parameters. Information Security Arzt, S., … McDaniel, P. (2015). Iccta: Detecting inter-
Journal: A Global Perspective, 28(1–2), 1–19. component privacy leaks in android apps. Proceedings of
https://doi.org/10. 1080/19393555.2019.1628325 the 37th international conference on software engineering-
Gibler, C., Crussell, J., Erickson, J., & Chen, H. (2012). volume 1 (pp. 280–291).
Androidleaks: Automatically detecting potential privacy Li, L., Bissyandé, T. F., Papadakis, M., Rasthofer, S.,
leaks in android applications on a large scale. International Bartel, A., Octeau, D., Klein, J., & Traon, L. (2017). Static
confer- ence on trust and trustworthy computing (pp. 291– analysis of android apps: A systematic literature review.
307). Information and Software Technology, 88, 67–95. https://
Github.com/androguard. (2011). Androguard. Retrieved doi.org/10.1016/j.infsof.2017.04.001
June 07, 2019, from https://github.com/androguard/andro Lin, Y.-C. (2015). Androbugs framework: An android
guardgithub.com/ applica- tion security vulnerability scanner. UBM Tech,
Github.com/OWASP. (2019m). obOilwe asappplication Blackhat Europe 2015.
security verification standard. Retrieved June 07, 2019, Lu, L., Li, Z., Wu, Z., Lee, W., & Jiang, G. (2012). Chex:
from https://github.com/OWASP/owasp-masvs Statically vetting android apps for component hijacking
Gordon, M. I., Kim, D., Perkins, J. H., Gilham, L., vulnerabilities. Proceedings of the 2012 acm conference on
Nguyen, N., & Rinard, M. C. (2015). Information flow computer and communications security (pp. 229–240).
analysis of android applications in droidsafe. Ndss. Menezes, A. (2019). A screen capture via UI overlays in
Hoffmann, J., Ussath, M., Holz, T., & Spreitzenbarth, M. mediaprojection. Retrieved June 07, 2019, from https://
(2013). Slicing droids: Program slicing for smali code. labs.mwrinfosecurity.com/advisories/screencapture-via-ui-
Proceedings of the 28th annual acm symposium on overlays-in-mediaprojection/
applied computing (pp. 1844–1851). Merlo, A., & Georgiu, G. C. (2017). Riskindroid: Machine
JAADAS. (2019). Joint advanced application defect learning-based risk analysis on android. Ifip international
conference on ict systems security and privacy protection (pp. Schmich, C. P., & Huene, P. C. (2012, June 28). Dynamic
538–552). instrumentation of software code. Google Patents. (US Patent
Mitm. (2019). Mitmproxy. Retrieved June 07, 2019, from App. 12/975,363).
https://mitmproxy.org/ Shahriar, H., Zhang, C., Dunn, S., Bronte, R., Sahlan, A., &
MobSF. (2019). Mobile security framework (MobSF). Tarmissi, K. (2019). Mobile anti-phishing: Approaches and
Retrieved June 07, 2019, from https://github.com/MobSF/ challenges. Information Security Journal: A Global
Mobile-Security-Framework-MobSF Perspective, 28(6), 178–193. https://doi.org/10.1080/
MwrLabs. (2019a). Drozer. Retrieved June 07, 2019, from 19393555.2019.1691293
https://github.com/mwrlabs/drozer
MwrLabs. (2019b). Needle. Retrieved June 07, 2019, from
https://github.com/mwrlabs/needle
Octeau, D., Luchaup, D., Jha, S., & McDaniel, P. (2016).
Composite constant prop agation and its application to
android program analysis. IEEE Transactions on Software
Engineering, 42(11), 999–1014. https://doi.org/10.1109/
TSE.2016.2550446
OWASP. (2017). Owasp mobile security testing guide.
Retrieved June 07, 2019, from https://github.com/
OWASP/owasp-mstg
Owasp.org. (2019). Owasp mobile top 10 2016. Retrieved
June 07, 2019, from https://www.owasp.org/index.php/
Mobile_Top_10_2016-Top_10
Pocoo.org. (2019). Flask, web development, one drop at a
time. Retrieved June 07, 2019, from http://flask.pocoo.org/
Qark. (2019). Tool to look for several security related android
application vulnerabilities. Retrieved June 07, 2019, from
https://github.com/linkedin/qark
Ravnas, O. A. V. (2019). Javascript API. Retrieved June 07,
2019, from https://www.frida.re/docs/javascript-api/
Redis.io. (2019). Redis. Retrieved June 07, 2019, from
https://redis. io/
Smalisca. (2019). Static analysis of smali files. Retrieved
June 07, 2019, from https://github.com/dorneanu/smalisca
Sounthiraraj, D., Sahs, J., Greenwood, G., Lin, Z., & Khan,
L. (2014). Smv-hunter: Large scale, automated detection of
SSL/TLS man-in-the-middle vulnerabilities in android
apps. Proceedings of the 21st annual network and distrib-
uted system security symposium (ndss 2014).
Statista.com. (2019). Average number of new android app
releases per day from 3rd quarter 2016 to 1st quarter 2018.
Retrieved June 07, 2019, from
https://www.statista.com/statistics/ 276703/android-app-
releases-worldwide/
Tornadoweb.org. (2019). Tornado.Retrieved June 07, 2019,
from http://www.tornadoweb.org/en/stable/index.html
Websocket.org. (2019). Websocket. Retrieved June 07,
2019, from http://www.websocket.org/index.html
Weiser, M. (1981). Program slicing. Proceedings of the 5th
inter- national conference on software engineering (pp.
439–449).
Xia, M., Gong, L., Lyu, Y., Qi, Z., & Liu, X. (2015).
Effective real-time android application auditing. Security
and priv- acy (sp), 2015 ieee symposium on (pp. 899–
914).
Yerima, S., Alzaylaee, M., & Sezer, S. (2019). Machine
learning-based dynamic analysis of Android apps with
improved code coverage. EURASIP Journal on
Information Security, 2019(4). https://doi.org/10.1186/
s13635-019-0087-1
Zhang, X., & Du, W. (2014). Attacks on android clipboard.
International conference on detection of intrusions and
mal- ware, and vulnerability assessment (pp. 72–91).
Zhauniarovich, Y., Ahmad, M., Gadyatskaya, O., Crispo, B.,
& Massacci, F. (2015). Stadyna: Addressing the problem of
dynamic code updates in the security analysis of android
applications. Proceedings of the 5th acm conference on
data and application security and privacy (pp. 37–48).
Zheng, T., Jianwei, T., Hong, Q., Xi, L., Hongyu, Z., &
Wenhui, Q. (2017, November). Design of automated
security assessment framework for mobile applications.
2017 8th ieee international conference on software
engineering and service science (icsess) (pp. 778–781).