Professional Documents
Culture Documents
article info a b s t r a c t
Article history: Android is nowadays the most popular operating system in the world, not only in the realm of
Received 3 March 2021 mobile devices, but also when considering desktop and laptop computers. Such a popularity makes
Received in revised form 14 July 2021 it an attractive target for security attacks, also due to the sensitive information often manipulated
Accepted 20 January 2022
by mobile apps. The latter are going through a transition in which the Android ecosystem is moving
Available online 31 January 2022
from the usage of Java as the official language for developing apps, to the adoption of Kotlin as the
Keywords: first choice supported by Google. While previous studies have partially studied security weaknesses
Security affecting Java Android apps, there is no comprehensive empirical investigation studying software
Android security weaknesses affecting Android apps considering (and comparing) the two main languages
used for their development, namely Java and Kotlin. We present an empirical study in which we: (i)
manually analyze 681 commits including security weaknesses fixed by developers in Java and Kotlin
apps, with the goal of defining a taxonomy highlighting the types of software security weaknesses
affecting Java and Kotlin Android apps; (ii) survey 43 Android developers to validate and complement
our taxonomy. Based on our findings, we propose a list of future actions that could be performed by
researchers and practitioners to improve the security of Android apps.
© 2022 The Authors. Published by Elsevier Inc. This is an open access article under the CC BY-NC-ND
license (http://creativecommons.org/licenses/by-nc-nd/4.0/).
1. Introduction devoted efforts to improve the security of mobile OSs, devices and
apps.
Mobile apps and devices are nowadays omnipresent in daily A paramount example is the volume of research focused on
life activities, supporting many crucial tasks (e.g., banking, social detecting vulnerabilities in Android apps (see e.g., Arzt et al.,
networking, etc.) involving the manipulation and storage of sen- 2014; Li et al., 2015; Sadeghi et al., 2017; Lee et al., 2017; Single-
sitive and private data. The usage of mobile operating systems ton et al., 2019; You et al., 2016; Bello-Jiménez et al., 2019; Ren
has already exceeded the usage of desktops/laptops operating et al., 2015; Novak et al., 2015; Gadient et al., 2018). The Android
systems (StatCounter, 2020a,b; Google, 2019a). As a consequence, OS and devices have been also investigated in the context of
mobile apps and devices have become a very attractive target for previous studies aimed at categorizing their security weaknesses
malicious attacks aimed at stealing private and sensitive informa- and exploits (e.g., Huang et al., 2015; Thomas et al., 2015; Cao
tion from apps/devices and to exploit on-device capabilities such et al., 2015; Wang et al., 2016; Jimenez et al., 2016; Bagheri et al.,
as processing, data collection via sensors, and networking. Also, 2018; Meng et al., 2018; Mazuera-Rozo et al., 2019). Even datasets
according to the CVE details portal1 the number of vulnerabilities with malicious apps have been built (Allix et al., 2016; Zhou and
in the Android operating system has seen a steep growth in the Jiang, 2012).
last years, with a total of 2563 reports in 10 years (2009–2019). As Still, to the best of our knowledge, there is no comprehensive
a natural reaction to such a rising of vulnerabilities in the mobile taxonomy of security weaknesses exhibited in Android apps. With
ecosystem, original equipment manufactures (OEMs), operating security weaknesses we refer to flaws or gaps in a software
system designers (e.g., Google), researchers, and companies have that could be exploited to violate its security policy, thus even-
tually causing a disruption of the confidentiality, integrity, or
✩ Editor: Shane McIntosh. availability of the system in question. As compared to desktop
∗ Corresponding author at: Università della Svizzera Italiana, Lugano, applications, Android apps may suffer of specific vulnerability
Switzerland. types since they (i) run on a mobile device, thus usually collecting
E-mail address: alejandro.mazuera.rozo@usi.ch (A. Mazuera-Rozo). a larger amount of information about the user (e.g., location,
1 https://www.cvedetails.com/product/19997/Google-Android.html. video/audio, as well as biometric information); (ii) are built on top
https://doi.org/10.1016/j.jss.2022.111233
0164-1212/© 2022 The Authors. Published by Elsevier Inc. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-
nc-nd/4.0/).
A. Mazuera-Rozo, C. Escobar-Velásquez, J. Espitia-Acero et al. The Journal of Systems & Software 187 (2022) 111233
of a specific framework and programming model, that, as we will RQ1 : What are the types of software security weaknesses faced
show, requires to carefully handle specific types of resources and by the developers of Java and Kotlin Android apps?
components (e.g., Activities, Intents, Broadcast Receivers, etc.);
(iii) despite the Android OS is built on top of the Linux kernel, To answer RQ1 , we combine two orthogonal analyses. We start
several modifications have been done to the kernel, and there is by manually analyzing a set of 681 commits fixing security weak-
a set of specific OS layers built on top of the kernel that makes nesses performed in 315 Java and Kotlin open source Android
Android apps programming different from web and desktop app apps with the goal of defining a taxonomy of software security
programming, even the programming model is different from the weaknesses faced by Android developers. We analyze both apps
iOS model. In this paper, we focus on Android apps written in written in Java and in Kotlin, by presenting the differences (if any)
Java and in Kotlin, the two main programming languages officially in the distribution of security issues across the two languages.
supported for the development of Android apps.2 Then, we run a survey with 43 Android developers. The survey
Despite previous individual efforts for analyzing, detecting and has a dual goal. First, we ‘‘validate’’ the taxonomy defined in the
fixing specific sets of security weaknesses, the research commu- first step, by asking developers which security weaknesses they
nity still lacks a body of knowledge characterizing the types of address more often. This allows to assess the comprehensiveness
weaknesses affecting Android apps. Also, some of the empirical of our taxonomy and to complement it with new categories
investigations performed in the past could become outdated due of security weaknesses if needed. Second, we collect additional
to the frenetic evolution of the Android ecosystem. Indeed, the data reporting how developers perceive security weaknesses in
programming models include now the possibility of creating na- Android apps.
tive, hybrid, cross-platform, and mobile web apps for the Android
platform. Previous studies on specific security vulnerabilities have 2.1. Manual analysis of commits
focused on analyzing Android Java apps, because of the avail-
ability of code bases and APKs in this language. Given the rising We present the procedure to collect the data needed for our
interest for Kotlin apps and its status of official Android language, study (i.e., commits fixing security weaknesses we manually val-
investigating security weaknesses in Kotlin becomes a required idated) and the process performed to derive our taxonomy.
avenue for research. While Dart3 /Flutter4 also represent interest-
ing targets for research, their diffusion is still limited, with ∼18k 2.1.1. Data collection
GitHub repositories as compared to the ∼75k Kotlin repositories As previously explained, Java has been historically the official
(May 2020). programming language for creating Android apps. However, in
In this paper, we present the first empirical study character- 2019, Google announced that Kotlin is its official and preferred
izing software security weaknesses in Android Java and Kotlin language for native Android apps.5 Thus, when selecting the
apps. To this end, we build a taxonomy of security weaknesses mobile apps to study, we made sure to have a mix of Java and
by (i) manually analyzing 681 commits in open source Android Kotlin apps by (i) merging different datasets available in the
Java/Kotlin apps (i.e., mining-based study), and (ii) surveying 43 literature, and (ii) mining a dataset we created for this study.
Android developers to collect their experience with security
Keep in mind that for all considered apps we must have access to
weaknesses, and in particular with the types they frequently
their repositories, since we later mine their commits. Having in
faced (i.e., survey-based study). The output of the mining-based
mind previously mentioned considerations, we adopted the three
study is a taxonomy on multiple levels featuring a total of 74
following datasets.
categories of security weaknesses.
Geiger et al. (2018) This dataset is composed of 8431 real-
As results of the developers’ survey, we identified 28 types
world open-source Android apps. It combines source and commit
of security weaknesses, of which 22 were already covered in
history information from GitHub with metadata from Google Play
our taxonomy, and six more were added. We use the defined
store. We processed the dataset to exclude apps that are no longer
taxonomy to discuss interesting directions for future research in
the area, and lessons learned for practitioners. available on GitHub, leading to 7862 apps currently usable from
Note that, while catalogues of security weaknesses in mobile this dataset (all available both on GitHub and on the Google Play
apps have been previously defined (CWE, 2020; The OWASP store).
Foundation, 2020), they are not based on the empirical obser- Coppola et al. (2019) The authors of this dataset mined all
vation of weaknesses affecting real mobile apps and, as a result, projects hosted on F-Droid,6 a repository for free and open source
they are less comprehensive than the taxonomy we derive in this Android apps.
work. This dataset is interesting because Coppola et al. reported
the presence of 19% of apps featuring Kotlin code among the
2. Study design 1232 mined apps. We excluded apps that are no longer available
on GitHub and, for consistency with the previous dataset, also
The goal of the study is to investigate software security weak- those not published in the Google Play store. This resulted in 472
nesses affecting Java and Kotlin Android apps. The context con- projects.
sists of (i) 681 commits performed by software developers of GitHub archive. Since in the two previous datasets there is
Android apps to fix software security weaknesses, and (ii) an- a prevalence of Java apps (also due to the fact that they were
swers to a survey conducted with 43 Android developers to built before the announcement by Google pushing Android apps
investigate the software security weaknesses they face and how towards Kotlin), we ran a query on GH Archive7 using Google
they deal with their identification and fixing. BigQuery, with the goal of identifying repositories having Kotlin
Our study addresses the following research question: as the primary language. The query is available in our online
appendix (Mazuera-Rozo et al., 2021). The aforementioned query
2 https://developer.android.com/kotlin/first. was run on March 1st, 2020, obtaining a list of 3967 repositories
3 Dart is a programming language developed by Google and designed to as a result. We sorted these projects by number of stars (in
support the implementation of applications, including mobile apps. https://dart.
dev/.
5 https://tcrn.ch/363AyBv.
4 Flutter is a software development kit created by Google that is built on
6 https://f-droid.org.
top of Dart and can be used to develop cross-platform applications. https:
//flutter.dev/. 7 https://www.gharchive.org.
2
A. Mazuera-Rozo, C. Escobar-Velásquez, J. Espitia-Acero et al. The Journal of Systems & Software 187 (2022) 111233
descending order) and selected the top 5% (i.e., 200 reposito- Table 1
ries) for manual analysis. In particular, we checked that the 200 Structure of the survey used in our study.
repositories were real-world Android apps available on the Play BACKGROUND QUESTIONS
Store. From this screening, we obtained a list of 22 Kotlin apps to Q1 : In which country do you live?
Q2 : What is your current job position?
consider in our dataset.
Q3 : How many years of programming experience do you have?
We aggregated these three datasets and removed duplicates,
Q4 : How many years of programming experience do you have concerning
obtaining a final list of 8157 open-source Android apps. The list is native Android apps? Please specify overall/Java/Kotlin/Dart.
available in our replication package (Mazuera-Rozo et al., 2021).
Q5 : How many years of programming experience do you have concerning
We cloned all 8157 repositories and ran on them a customized the testing of native Android apps?
version of git-vuln-finder (cve-search, 2020), a Python appli-
EXPERIENCE WITH SOFTWARE security weaknesses AND THEIR PERCEPTION
cation aimed at finding commits likely to fix a security weakness.
Q6 : Which factors do you consider to estimate the likelihood of a security
The search is based on a set of regular expressions applied on weakness to be exploited?
the commit message (Zhou and Sharma, 2017). While most of the
Q7 : Which factors do you consider to estimate the negative impact of a
used regular expressions are applicable in the context of mobile security weakness in case it is exploited?
apps, the work by Zhou and Sharma (2017) focuses on web appli- Q8 : Which are the most common security weaknesses that you found?
cations. Thus, we modified their tool by complementing the list Q9 : Which security weaknesses do you consider as the most dangerous?
of regular expressions with others we defined by looking at the Q10 : How do you detect security weaknesses? Do you use any specific tool
list of security weaknesses relevant to mobile apps and present for this task?
in the Common Weakness Enumeration (CWE8 ) version 4.0, a
community-developed list of common software and hardware
security weaknesses. Also, we considered a commit as relevant for Five authors took part to the labeling process that was sup-
our study if it explicitly mentions the name or id of any weakness ported by a web application. Each author independently labeled
present in the CWE dictionary. The adopted regular expressions the commits randomly assigned to her/him by the web appli-
are publicly available (Mazuera-Rozo et al., 2021). cation, defining a ‘‘label’’ describing the security weakness fixed
After running git-vuln-finder on the 8157 projects, we in each commit. To define such a label the authors manually
identified a set of candidate commits from which we removed du- inspected the diff of the commit and the message accompanying
plicates due to: (i) commits mined from both the master branch it. As a guideline for the label definition, the authors used the
and other branches merged in the master; (ii) forked repositories. CWE 4.0 list. The authors reused as much as possible the list
Also, we decided to keep in our dataset only commits in which the of security weaknesses in CWE, defining new labels only when
developers are modifying a single Java or Kotlin file (as identified needed. Moreover, the web application also showed the list of
by their extension). The rationale behind this decision is two-fold. labels created so far, allowing the author to select one of the
First, if a developer mentions in the commit note that she is fixing already defined labels. Since the number of possible labels (i.e.,
a security weakness and only one file is modified in the commit, types of security weaknesses) is extremely high, such a choice
we can be sure that the fix happened in that file. Second, since helps using consistent naming while not introducing a substantial
we aim at classifying the type of security weakness involved in bias. In case the commit was not related to a security weakness
each commit, understanding a fix spanning across many files can fix, a false positive label was assigned, discarding the commit
be quite challenging, and lead to misclassifications. from the study. Each commit was assigned to two authors and,
This cleaning process resulted in a final list of 4781 candidate in cases for which there was no agreement between the two
commits. authors, the commit was assigned to a third author. Conflicts
arisen for 344 commits (∼50% of 681). While such a number
2.1.2. Open coding may look high, note that we considered as a conflict also cases
Given the 4781 commits collected in the previous step, we in which the authors used two slightly different labels to express
manually analyzed 681 of them with the goal of describing, the same concept (e.g., CWE-703: improper check or handling of
using a label, the type of security weakness fixed in the commit. exceptional conditions vs. CWE-754: improper check for unusual
The number of inspected commits ensures a significance interval or exceptional conditions). A total of 1706 labels was required
(margin of error) of ±5% with a confidence level of 99%. We did in order to reach our target of assessing and characterizing 200
not use random sampling for the selection of the commits to valid commits per programming language: two labels per each of
manually inspect. Indeed, in the set of 4781 candidate commits, the 400 valid commits (800), two labels for each of the 281 false
there are 4391 commits impacting a Java file, and 390 modifying positives we discarded (562), and one more label for each of the
a Kotlin file. Since we aim at comparing the types of security 344 solved conflicts (344).
weaknesses affecting these two main languages used to develop As outcome, we present a taxonomy of software security
native Android apps, we decided to target the analysis of the weaknesses identified in the manual analysis and we complement
same number of Java- and Kotlin-related commits. We targeted our discussion with qualitative examples.
the inclusion of 200 valid commits per language (i.e., excluding
commits labeled as false positive since they are not related to 2.2. Survey with developers
security weaknesses’ fix).
The choice of 200 was tailored on the amount of commits
We designed a survey aimed at investigating the types of se-
available for Kotlin, since we expected to find a substantial num-
curity weaknesses that are found by developers in their apps and
ber of false positives as result of the regular expressions used
their perception about specific aspects of security weaknesses.
to select the commits. By applying the process described in the
The survey was designed to last at most 15 min, to maximize
following, we analyzed 360 Java-related commits (200 valid +
the survey completion rate. The survey structure is reported in
160 false positives) and 321 Kotlin-related commits (200 valid +
Table 1. Note that we rephrased some of the questions to shorten
121 false positives).
them. First, we collected background information about partici-
pants (Q1 − Q5 ). If a participant answered ‘‘zero’’ to the part of Q4
8 https://cwe.mitre.org. related to the overall programming experience of native Android
3
A. Mazuera-Rozo, C. Escobar-Velásquez, J. Espitia-Acero et al. The Journal of Systems & Software 187 (2022) 111233
Fig. 2. Types of security weaknesses found in Java and Kotlin android apps.
5
A. Mazuera-Rozo, C. Escobar-Velásquez, J. Espitia-Acero et al. The Journal of Systems & Software 187 (2022) 111233
Table 2
Definition of categories created by authors not existing in CWE dictionary.
Categories Common consequences
Missing code obfuscation Non-obfuscated code is susceptible to reverse
engineering allowing an attacker to retrieve
sensitive information from a system.
Double serialization Data mishandling can lead to a degradation of
its integrity quality.
Exposure of sensitive Sensitive information could be exposed within
information through user the GUI to an actor that is not explicitly
interface authorized to have access to that information.
File URI exposed A file can be made unsafely accessible from Fig. 3. Usage of thread-safe collection.
other apps providing unintended actors with
inappropriate access to the resource.
Component hijacking A vulnerable component within an app can be
seized by an actor to gain privileges in order
to conduct operations originally prohibited.
6
A. Mazuera-Rozo, C. Escobar-Velásquez, J. Espitia-Acero et al. The Journal of Systems & Software 187 (2022) 111233
12 https://cwe.mitre.org/data/definitions/561.html. 13 https://github.com/CypherpunkArmory/UserLAnd/commit/f92221f.
7
A. Mazuera-Rozo, C. Escobar-Velásquez, J. Espitia-Acero et al. The Journal of Systems & Software 187 (2022) 111233
Table 3
Security weaknesses mentioned by developers: Available tools.
Security weaknesses Tools
CWE-20: Improper input validation DifFuzz (Nilizadeh et al., 2019), DroidFuzzer (Ye et al., 2013), EvoTaint (Cai and Jenkins, 2018), Flowdroid
(Arzt et al., 2014), Huang et al. (2019), IVDroid (Fang et al., 2015), Monkey (Google, 2019c)
CWE-89: SQL Injection OPIA (Bello-Jiménez et al., 2019), Kul et al. (2018)
CWE-200: Exposure of sensitive information to AppFence (Hornyack et al., 2011), AppIntent (Yang et al., 2013), AutoPatchDroid (Xie et al., 2017), Blackdroid
an unauthorized actor (Zhang et al., 2013), CoChecker (Cui et al., 2014), ComDroid (Chin et al., 2011), ContentScope (Zhou and Jiang,
2013), Covert (Bagheri et al., 2015), CredMiner (Zhou et al., 2015), Flowdroid (Arzt et al., 2014), IccTA (Li
et al., 2015), Kul et al. (2018), Matsumoto and Sakurai (2013), MITHYS (Conti et al., 2013), M-Perm (Chester
et al., 2017), OAUTHLINT (Rahat et al., 2019), Onwuzurike and De Cristofaro (2015)
CWE-269: Improper privilege management AppProfiler (Rosen et al., 2013), AppGuard (Backes et al., 2013), AutoPatchDroid (Xie et al., 2017), AWiDe
(Demissie et al., 2016), Bartsch et al. (Bartsch et al., 2013), CoChecker (Cui et al., 2014), Covert (Bagheri et al.,
2015), DroidChecker (Chan et al., 2012), Droidtector (Wu and Liu, 2019), Lintent (Bugliesi et al., 2013),
M-Perm (Chester et al., 2017), PaddyFrog (Wu et al., 2015)
CWE-284: Improper access control ContentScope (Zhou and Jiang, 2013)
CWE-311: Missing encryption of sensitive data DroidSearch (Rasthofer et al., 2015), OPIA (Bello-Jiménez et al., 2019)
CWE-325: Missing required cryptographic step CrypLint (Egele et al., 2013)
CWE-312: Cleartext storage of sensitive Blackdroid (Zhang et al., 2013), CredMiner (Zhou et al., 2015), Flowdroid (Arzt et al., 2014)
information
CWE-922: Insecure Storage of Sensitive
Information
CWE-359: Exposure of private personal Flowdroid (Arzt et al., 2014), Kul et al. (2018), M-Perm (Chester et al., 2017), CredMiner (Zhou et al., 2015)
information to an Unauthorized Actor
CWE-798: Use of Hard-coded Credentials
Component hijacking ActivityHijacker (Wang et al., 2016), AppSealer (Zhang and Yin, 2014), CHEX (Lu et al., 2012), ComDroid (Chin
et al., 2011), Ren et al. (2015), You et al. (2016)
Fig. 7. Validation taxonomy of types of security weaknesses found in java and Kotlin android apps.
10
A. Mazuera-Rozo, C. Escobar-Velásquez, J. Espitia-Acero et al. The Journal of Systems & Software 187 (2022) 111233
Table 4
Empirical studies on security weaknesses in Android apps.
Ref. Year Brief summary Size Types Categories
Felt et al. (2011) 2011 Detection of overprivileges in Android apps #a: 940 10 1
Enck et al. (2011) 2011 Identification of vulnerabilities’ root causes #a: 1100 8 1
Egele et al. (2013) 2013 Cryptographic misuse in Android apps #a: 11k+ 6 1
Zuo et al. (2015) 2015 Detection of SSL error-handling vulnerabilities #a: 13,820 1 1
Bagheri et al. (2015) 2015 Analysis of inter-app security vulnerabilities #a: 500 2 1
Ahmad et al. (2016) 2016 Developers challenges for inter-app communication #a: 52k 3 1
Weir et al. (2020) 2020 Survey on developer practices for app security #a: 454 3 1
Gao et al. (2021) 2021 Temporal evolution of vulnerabilities in Android apps #a: 465,037 10 4
This paper Taxonomy of security weaknesses #a:8157 #c:4781 80 5
Weir et al. (2020) conducted a survey on the effect of re- Vega-Guzmán: Investigation, Data curation. Catia Trubiani:
quirements and developer practices on apps’ security. For app Methodology, Conceptualization, Investigation, Data curation,
development, security is perceived relevant by the participants, Writing – original draft, Writing – review & editing. Mario
even if assurance techniques are poorly used. The survey refers Linares-Vásquez: Methodology, Conceptualization, Investiga-
to a set of 454 apps, and 335 developers were using tools suitable tion, Data curation, Writing – original draft, Writing –
to check the following 3 types of weaknesses: SSL security, cryp- review & editing, Supervision, Funding acquisition. Gabriele
tographic API misuse, and privacy leaks. As result, a portion of Bavota: Methodology, Conceptualization, Investigation, Data
participants have been classified as security specialists and they curation, Writing – original draft, Writing – review & editing,
advocated the usage of cryptography to enforce security. Supervision, Funding acquisition.
Gao et al. (2021) investigated the temporal evolution of vul-
nerabilities in Android apps. Vulnerable code is detected in terms Declaration of competing interest
of which locations (e.g., library code) are more common than
others, the types of code change (e.g., the addition of new files) The authors declare that they have no known competing finan-
that may entail security-related issues, and also if there is a cial interests or personal relationships that could have appeared
correlation with malwares. The list of considered vulnerabilities to influence the work reported in this paper.
is constituted of 4 categories (i.e., security features, permissions,
injection flaws and data/communication handling) and 10 types, Data availability
each associated to a detection tool providing evidence of the
corresponding vulnerability. The data used in our study are publicly available at Mazuera-
To the best of our knowledge, our work represents the first Rozo et al. (2021).
and most comprehensive taxonomy of security weaknesses in
Android apps, including both Java and Kotlin app-related code. Acknowledgments
Besides, our taxonomy is the result of a two-phase study, in-
volving the inspection of software-related artifacts (i.e., security Mazuera-Rozo and Bavota gratefully acknowledge the finan-
weakness-fixing commits) and a survey with software develop- cial support of the Swiss National Science Foundation for the
ers. The derived taxonomy is more comprehensive and extensive, CCQR project, Switzerland (SNF Project No. 175513). Escobar-
covering 18 of the 20 issues analyzed in previous papers by Velásquez and Linares-Vásquez were partially funded by a Google
Enck et al. (2011), Egele et al. (2013), Zuo et al. (2015), Bagheri Latin America Research Award 2018–2021, Colombia. Escobar-
et al. (2015), Jimenez et al. (2016), Weir et al. (2020), and Gao Velásquez was supported by a ESKAS scholarship, Switzerland,
et al. (2021). Finally, we focus on both Java and Kotlin code re- No. 2020.0820. Trubiani was partially supported by the MIUR
cently suggested in Coppola et al. (2019), while only Java-related PRIN project 2017TWRCNB SEDUCE, Italy.
security weaknesses are analyzed in previously mentioned works.
References
6. Conclusions
Ahmad, W., Kästner, C., Sunshine, J., Aldrich, J., 2016. Inter-app communication
We presented the first available taxonomy of security weak- in android: Developer challenges. In: Int. Working Conference on Mining
nesses in Android apps that covers both Java- and Kotlin-related Software Repositories (MSR).
code. Our taxonomy features 80 types of software security weak- Allix, K., Bissyandé, T.F., Klein, J., Traon, Y.L., 2016. AndroZoo: Collecting millions
of android apps for the research community. In: Working Conference on
nesses, and it is the result of both a mining-based study in which Mining Software Repositories (MSR). pp. 468–471.
we manually inspected 681 commits fixing security weaknesses Arzt, S., Rasthofer, S., Fritz, C., Bodden, E., Bartel, A., Klein, J., Le Traon, Y.,
(that contributed 74 types of security weaknesses), and a survey Octeau, D., McDaniel, P., 2014. Flowdroid: Precise context, flow, field, object-
performed with 43 developers (contributing six additional types). sensitive and lifecycle-aware taint analysis for android apps. Acm Sigplan
Our results discussion resulted in the identification of several Not. 49 (6), 259–269.
Backes, M., Gerling, S., Hammer, C., Maffei, M., von Styp-Rekowsky, P., 2013.
lessons learned for both practitioners (see the icon in Section 3) AppGuard – enforcing user requirements on android apps. In: Int. Conference
and researchers ( icon). on Tools and Algorithms for the Construction and Analysis of Systems
Our future work will be mostly driven by the findings dis- (TACAS).
cussed in Section 3. In particular, we plan to focus on the def- Bagheri, H., Kang, E., Malek, S., Jackson, D., 2018. A formal approach for detection
inition of techniques able to detect (and possibly automatically of security flaws in the android permission system. Form. Asp. Comput. 30
(5), 525–544.
fix) security weaknesses that are (i) not currently supported by Bagheri, H., Sadeghi, A., Garcia, J., Malek, S., 2015. Covert: Compositional analysis
existing detection tools, (ii) frequently spread in real Android of android inter-app permission leakage. IEEE Trans. Softw. Eng. 41 (9),
apps, and (iii) relevant for software developers. Besides, we are 866–886.
interested to investigate the portability of methodologies and Bartsch, S., Berger, B., Bunke, M., Sohr, K., 2013. The transitivity-of-trust prob-
tools detecting Java-based weaknesses in Kotlin-based code, to lem in android application interaction. In: Int. Conference on Availability,
Reliability and Security (ARES).
understand which changes are needed to enable interoperability Bello-Jiménez, L., Mazuera-Rozo, A., Linares-Vásquez, M., Bavota, G., 2019. OPIA:
between the two languages. Our study provides the foundations A tool for on-device testing of vulnerabilities in android applications. In: Int.
for such a research agenda. Conference on Software Maintenance and Evolution (ICSME). pp. 418–421.
Bugliesi, M., Calzavara, S., Spanò, A., 2013. Lintent: Towards security type-
CRediT authorship contribution statement checking of android applications. In: Int. Conference on Formal Techniques
for Distributed Systems (FORTE). pp. 289–304.
Cai, H., Jenkins, J., 2018. Leveraging historical versions of android apps for
Alejandro Mazuera-Rozo: Methodology, Conceptualization, efficient and precise taint analysis. In: Int. Conference on Mining Software
Software, Validation, Formal analysis, Investigation, Data Repositories (MSR). Association for Computing Machinery, pp. 265–269.
curation, Writing – original draft, Writing – review & Canfora, G., Di Penta, M., Oliveto, R., Panichella, S., 2012. Who is going to mentor
newcomers in open source projects? In: Int. Symposium on the Foundations
editing, Visualization, Project administration. Camilo Escobar-
of Software Engineering (FSE). p. 44.
Velásquez: Methodology, Conceptualization, Investigation, Data Cao, C., Gao, N., Liu, P., Xiang, J., 2015. Towards analyzing the input validation
curation, Writing – original draft, Writing – review & vulnerabilities associated with android system services. In: Annual Computer
editing. Juan Espitia-Acero: Investigation, Data curation. David Security Applications Conference.
12
A. Mazuera-Rozo, C. Escobar-Velásquez, J. Espitia-Acero et al. The Journal of Systems & Software 187 (2022) 111233
Chan, P.P., Hui, L.C., Yiu, S.M., 2012. DroidChecker: Analyzing android appli- Li, L., Bartel, A., Bissyandé, T.F., Klein, J., Le Traon, Y., Arzt, S., Rasthofer, S.,
cations for capability leak. In: Int. Conference on Security and Privacy in Bodden, E., Octeau, D., McDaniel, P., 2015. Iccta: Detecting inter-component
Wireless and Mobile Networks (WiSec). pp. 125–136. privacy leaks in android apps. In: Int. Conference on Software Engineering
Chester, P., Jones, C., Wiem Mkaouer, M., Krutz, D.E., 2017. M-perm: A (ICSE). pp. 280–291.
lightweight detector for android permission gaps. In: Int. Conference on Li, Y., Yang, Z., Guo, Y., Chen, X., 2017. DroidBot: a lightweight UI-guided test
Mobile Software Engineering and Systems (MOBILESoft). pp. 217–218. input generator for android. In: Int. Conference on Software Engineering
Chin, E., Felt, A.P., Greenwood, K., Wagner, D., 2011. Analyzing inter- Companion (ICSE-C). pp. 23–26.
application communication in android. In: Int. Conference on Mobile Liñán, S., Bello-Jiménez, L., Arévalo, M., Linares-Vásquez, M., 2018. Automated
Systems, Applications, and Services (MobiSys). extraction of augmented models for android apps. In: Int. Conference on
Conti, M., Dragoni, N., Gottardo, S., 2013. MITHYS: Mind the hand you shake - Software Maintenance and Evolution (ICSME). pp. 549–553.
protecting mobile devices from ssl usage vulnerabilities. In: Int. Workshop Lu, L., Li, Z., Wu, Z., Lee, W., Jiang, G., 2012. CHEX: Statically vetting android apps
on Security and Trust Management (STM). pp. 65–81. for component hijacking vulnerabilities. In: Int. Conference on Computer and
Coppola, R., Ardito, L., Torchiano, M., 2019. Characterizing the transition to Communications Security (CCS). pp. 229–240.
kotlin of android apps: A study on F-droid, play store, and GitHub. In: Int. Matsumoto, S., Sakurai, K., 2013. A proposal for the privacy leakage verification
Workshop on App Market Analytics (WAMA). pp. 8–14. tool for android application developers. In: Int. Conference on Ubiquitous
Cui, X., Yu, D., Chan, P., Hui, L.C.K., Yiu, S.M., Qing, S., 2014. Cochecker: Detecting Information Management and Communication (IMCOM). pp. 1–8.
capability and sensitive data leaks from component chains in android. In: Mazuera-Rozo, A., Bautista-Mora, J., Linares-Vásquez, M., Rueda, S., Bavota, G.,
Int. Conference on Information Systems Security and Privacy (ICSSP). pp. 2019. The android OS stack and its vulnerabilities: an empirical study. Empir.
446–453. Softw. Eng..
cve-search, cve-search, 2020. git-vuln-finder, https://github.com/cve-search/git- Mazuera-Rozo, A., Escobar-Velásquez, C., Espitia-Acero, J., Vega-Guzmán, D.,
vuln-finder/. Trubiani, C., Linares-Vásquez, M., Bavota, G., 2021. Replication Package, https:
CWE, 2020. Cwe view: Weaknesses in mobile applications, https://cwe.mitre.org/ //github.com/amazuerar/sec-weak-android-apps/.
data/definitions/919.html. Meng, H., Thing, V.L., Cheng, Y., Dai, Z., Zhang, L., 2018. A survey of android
Dagenais, B., Ossher, H., Bellamy, R.K.E., Robillard, M.P., de Vries, J.P., 2010. exploits in the wild. Comput. Secur. 76.
Moving into a new software project landscape. In: Int. Conference on Nilizadeh, S., Noller, Y., Păsăreanu, C.S., 2019. DifFuzz: Differential fuzzing for
Software Engineering (ICSE). pp. 275–284. side-channel analysis. In: Int. Conference on Software Engineering (ICSE).
Demissie, B.F., Ghio, D., Ceccato, M., Avancini, A., 2016. Identifying android inter pp. 176–187.
app communication vulnerabilities using static and dynamic analysis. In: Int. Novak, E., Tang, Y., Hao, Z., Li, Q., Zhang, Y., 2015. Physical media covert channels
Conference on Mobile Software Engineering and Systems (MOBILESoft). pp. on smart mobile devices. In: International Joint Conference on Pervasive and
255–266. Ubiquitous Computing (UbiComp).
Egele, M., Brumley, D., Fratantonio, Y., Kruegel, C., 2013. An empirical study Oliveira, J., Borges, D., Silva, T., Cacho, N., Castor, F., 2018. Do android developers
of cryptographic misuse in android applications. In: Int. Conference on neglect error handling? a maintenance-centric study on the relationship
Computer & Communications Security (ICCCS). pp. 73–84. between android abstractions and uncaught exceptions. J. Syst. Softw. 136,
Enck, W., Octeau, D., McDaniel, P.D., Chaudhuri, S., 2011. A study of android 1–18.
application security. In: USENIX Security Symposium, Vol. 2. p. 2.
Onwuzurike, L., De Cristofaro, E., 2015. Danger is my middle name: Experiment-
Facebook, 2020. A tool to detect bugs in Java and C/C++/Objective-C code before
ing with SSL vulnerabilities in android apps. In: Int. Conference on Security
it ships, https://fbinfer.com/.
& Privacy in Wireless and Mobile Networks (WiSec). pp. 1–6.
Fang, Z., Liu, Q., Zhang, Y., Wang, K., Wang, Z., 2015. Ivdroid: Static detection for
Ponzanelli, L., Bavota, G., Penta, M.D., Oliveto, R., Lanza, M., 2016. Prompter -
input validation vulnerability in android inter-component communication.
turning the IDE into a self-confident programming assistant. Empir. Softw.
In: Int. Conference on Information Security Practice and Experience (ISPEC).
Eng. 21 (5), 2190–2231.
pp. 378–392.
Rahat, T.A., Feng, Y., Tian, Y., 2019. OAUTHLINT: An empirical study on oauth
Felt, A.P., Chin, E., Hanna, S., Song, D., Wagner, D., 2011. Android permissions
bugs in android applications. In: Int. Conference on Automated Software
demystified. In: Int. Conference on Computer and Communications Security
Engineering (ASE). pp. 293–304.
(CCS). pp. 627–638.
Rasthofer, S., Arzt, S., Kolhagen, M., Pfretzschner, B., Huber, S., Bodden, E.,
FuzzBench, 2021. FuzzBench, https://github.com/google/fuzzbench.
Richter, P., 2015. DroidSearch: A tool for scaling android app triage to real-
Gadient, P., Ghafari, M., Frischknecht, P., Nierstrasz, O., 2018. Security code smells
world app stores. In: Int. Science and Information Conference (SAI). pp.
in android ICC. Empir. Softw. Eng. 24 (5), 3046–3076.
247–256.
Gao, J., Li, L., Kong, P., Bissyandé, T.F., Klein, J., 2021. Understanding the evolution
Ren, C., Zhang, Y., Xue, H., Wei, T., Liu, P., 2015. Towards discovering and
of android app vulnerabilities. IEEE Trans. Reliab. 70 (1), 212–230.
understanding task hijacking in android. In: USENIX Conference on Security
Geiger, F.-X., Malavolta, I., Pascarella, L., Palomba, F., Di Nucci, D., Bacchelli, A.,
Symposium. pp. 945–959.
2018. A graph-based dataset of commit history of real-world android apps.
Romano, S., Vendome, C., Scanniello, G., Poshyvanyk, D., 2020. A multi-study
In: Int. Conference on Mining Software Repositories (MSR). pp. 30–33.
Google, 2019. How Google Play works, https://www.android.com/play/how- investigation into dead code. IEEE Trans. Softw. Eng. 46 (1), 71–99.
google-play-works/. Rosen, S., Qian, Z., Mao, Z.M., 2013. AppProfiler: A flexible method of expos-
Google, 2019. Android Lint, https://developer.android.com/studio/write/lint. ing privacy-related behavior in android applications to end users. In: Int.
Google, 2019. Monkey, https://developer.android.com/studio/test/monkey. Conference on Data and Application Security and Privacy (CODASPY). pp.
Hornyack, P., Han, S., Jung, J., Schechter, S., Wetherall, D., 2011. These aren’t the 221–232.
droids you’re looking for: Retrofitting android to protect data from imperious Sadeghi, A., Bagheri, H., Garcia, J., Malek, S., 2017. A taxonomy and qualitative
applications. In: Int. Conference on Computer and Communications Security comparison of program analysis techniques for security assessment of
(CCS). pp. 639–652. android software. IEEE Trans. Softw. Eng. (TSE).
Huang, X., Zhou, A., Jia, P., Liu, L., Liu, L., 2019. Fuzzing the android applications Singleton, L., Zhao, R., Song, M., Siy, H., 2019. FireBugs: finding and repairing bugs
with HTTP/HTTPS network data. IEEE Access 7, 59951–59962. with security patterns. In: Int. Conference on Mobile Software Engineering
Huang, H., Zhu, S., Chen, K., Liu, P., 2015. From system services freezing to and Systems (MOBILESoft).
system server shutdown in android: All you need is a loop in an app. SonarQube, 2020. Sonarqube, https://www.sonarqube.org/.
In: Int. Conference on Computer and Communications Security (CCS). pp. StatCounter, 2020. Operating System Market Share Worldwide, https://gs.
1236–1247. statcounter.com/os-market-share.
IBM, 2020. IBM Security AppScan Standard: Scan and analyze results, https: StatCounter, 2020. Desktop vs Mobile vs Tablet vs Console Market Share
//www.ibm.com/developerworks/library/se-scan/index.html. Worldwide, https://gs.statcounter.com/platform-market-share.
Jimenez, M., Papadakis, M., Bissyandé, T.F., Klein, J., 2016. Profiling android vul- Sufatrio, Tan, D.J.J., Chua, T.-W., Thing, V.L.L., 2015. Securing android: a survey,
nerabilities. In: Int. Conference on Software Quality, Reliability and Security taxonomy, and challenges. ACM Comput. Surv. 47 (4), 1–45.
(QRS). pp. 222–229. The OWASP Foundation, 2020. OWASP Mobile Top 10, https://owasp.org/www-
Kotlin, 2019. JavaScript Dead Code Elimination (DCE), https://kotlinlang.org/docs/ project-mobile-top-10/.
reference/javascript-dce.html. Thomas, D.R., Beresford, A.R., Rice, A., 2015. Security metrics for the android
Kul, G., Upadhyaya, S., Chandola, V., 2018. Detecting data leakage from databases ecosystem. In: Int. Workshop on Security and Privacy in Smartphones and
on android apps with concept drift. In: Int. Joint Conference on Trust, Mobile Devices (SPSM). pp. 87–98.
Security and Privacy in Computing and Communications and Conference on Wang, Z., Li, C., Guan, Y., Xue, Y., Dong, Y., 2016. ActivityHijacker: Hijacking
Big Data Science and Engineering (TrustCom/BigDataSE). pp. 905–913. the android activity component for sensitive data. In: Int. Conference on
Lee, Y.K., Yoodee, P., Shahbazian, A., Nam, D., Medvidovic, N., 2017. SEALANT: Computer Communication and Networks (ICCCN). pp. 1–9.
A detection and visualization tool for inter-app security vulnerabilities in Wang, K., Zhang, Y., Liu, P., 2016. Call me back! attacks on system server
androic. In: Int. Conference on Automated Software Engineering (ASE). pp. and system apps in android through synchronous callback. In: International
883–888. Conference on Computer and Communications Security (CCS). pp. 92–103.
13
A. Mazuera-Rozo, C. Escobar-Velásquez, J. Espitia-Acero et al. The Journal of Systems & Software 187 (2022) 111233
Weir, C., Hermann, B., Fahl, S., 2020. From needs to actions to secure apps? The Juan Espitia-Acero is a M.S student in the Faculty of
effect of requirements and developer practices on app security. In: USENIX Systems Engineering and Computing at the Universidad
Security Symposium. de los Andes, Colombia. He also received his B.S in
Wu, J., Cui, T., Ban, T., Guo, S., Cui, L., 2015. PaddyFrog: Systematically detecting Systems Engineering and Computing from Universidad
confused deputy vulnerability in android applications. Secur. Commun. Netw. de los Andes in 2020. He is involved in the tutoring of
8 (13), 2338–2349. some courses regarding the M. S. program of Software
Wu, S., Liu, J., 2019. Overprivileged permission detection for android applications. Engineering from Universidad de los Andes. His re-
In: Int. Conference on Communications (ICC). pp. 1–6. search interests include general software architecture,
Xie, J., Fu, X., Du, X., Luo, B., Guizani, M., 2017. AutoPatchDroid: A framework for automated testing, software quality, cybersecurity, and
patching inter-app vulnerabilities in android application. In: Int. Conference mobile development.
on Communications (ICC).
Yang, Z., Yang, M., Zhang, Y., Gu, G., Ning, P., Wang, X.S., 2013. AppIntent: Ana-
lyzing sensitive data transmission in android for privacy leakage detection. David Vega-Guzmán received his B.S. in Systems and
In: Int. Conference on Computer and Communications Security (CCS). pp. Computing Engineering from Universidad de los Andes.
1043–1054. He has worked as Teaching Assistant for the Mobile
Ye, H., Cheng, S., Zhang, L., Jiang, F., 2013. DroidFuzzer: Fuzzing the android apps Development Course, and he is interested in M-Health
with intent-filter tag. In: Int. Conference on Advances in Mobile Computing solutions, cloud computing and cybersecurity.
& Multimedia (MoMM). pp. 68–74.
You, W., Liang, B., Shi, W., Zhu, S., Wang, P., Xie, S., Zhang, X., 2016. Reference
hijacking: Patching, protecting and analyzing on unmodified and non-rooted
android devices. In: International Conference on Software Engineering (ICSE).
pp. 959–970.
Zhang, Y., Wang, Y., Wang, D., Zhang, R., Zhou, Q., 2013. Blackdroid: A black-
box way for android plaintext and ciphertext privacy leaks detecting and
guarding. In: Int. Conference on Consumer Electronics, Communications and
Catia Trubiani is Assistant Professor at the Gran Sasso
Networks (CECNet). pp. 178–181.
Science Institute (GSSI), L’Aquila, Italy. Before joining
Zhang, M., Yin, H., 2014. AppSealer: Automatic generation of vulnerability-
the GSSI, she has been with various international
specific patches for preventing component hijacking attacks in android
research institutes like the Imperial College of Lon-
applications. In: Int. Network and Distributed System Security Symposium
don, UK, and the Karlsruhe Institute of Technology,
(NDSS).
Germany. Her main research interests include the
Zhou, Y., Jiang, X., 2012. Dissecting android malware: Characterization and
dependability analysis and refactoring of large-scale
evolution. In: Int. Symposium on Security and Privacy (S&P). pp. 95–109.
software systems under uncertainties. Among various
Zhou, Y., Jiang, X., 2013. Detecting passive content leaks and pollution in android
research projects she is involved, she is principal in-
applications. In: Annual Symposium on Network and Distributed System
vestigator of the GSSI unit for the MIUR-PRIN project
Security (NDSS). pp. 1–16.
SEDUCE (Young Line action) and for the MIUR-FISR
Zhou, Y., Sharma, A., 2017. Automated identification of security issues from
project MVM-Adapt. She recently received the Exceptional Reviewer Award for
commit messages and bug reports. In: Int. Joint Meeting on Foundations
ICSA, and the 10-year Most Influential Paper Award for ICPE, both in 2021. More
of Software Engineering (FSE).
information is available here: http://cs.gssi.it/catia.trubiani.
Zhou, Y., Wu, L., Wang, Z., Jiang, X., 2015. Harvesting developer credentials in
android apps. In: Int. Conference on Security & Privacy in Wireless and
Mobile Networks (WiSec). pp. 1–12.
Mario Linares-Vásquez is an Assistant Professor at
Zuo, C., Wu, J., Guo, S., 2015. Automatically detecting ssl error-handling vul-
Universidad de los Andes in Colombia. He received his
nerabilities in hybrid mobile web apps. In: Int. Symposium on Information,
Ph.D. degree in Computer Science from the College
Computer and Communications Security (ASIACCS). pp. 591–596.
of William and Mary in 2016. He received his B.S.
in Systems Engineering from Universidad Nacional de
Colombia in 2005, and his M.S. in Systems Engineering
Alejandro Mazuera-Rozo is a Ph.D. student in the and Computing from Universidad Nacional de Colom-
Faculty of Informatics at the Università della Svizzera bia in 2009. His research interests include software
italiana (USI), Switzerland; and a Ph.D. student in the evolution and maintenance, software architecture, min-
Faculty of Engineering at Universidad de los Andes, ing software repositories, application of data mining
Colombia. He received his M.S. in Information Security and machine learning techniques to support software
from Universidad de los Andes in 2018, and his B.S. in engineering tasks, and mobile development.
Telematics Engineering from Universidad Icesi in 2015.
His research interests include information security,
software quality and mobile development. Gabriele Bavota is an Assistant Professor at the Uni-
versitá della Svizzera italiana (USI), Switzerland. He
received the Ph.D. degree in computer science from the
Camilo Escobar-Velásquez is a Ph.D. student at Univer- University of Salerno, Italy, in 2013. His research inter-
sidad de los Andes in Colombia. He received his M.S. in ests include software maintenance, empirical software
Software Engineering from Universidad de los Andes in engineering, and mining software repository. He is the
2019. He received his B.S. in Systems and Computing author of over 100 papers appeared in international
Engineering - Minor: Mathematics from Universidad de journals, conferences and workshops. He received four
los Andes in 2017. He is part of The Software Design ACM SIGSOFT Distinguished Paper awards at ASE 2013,
Lab, where he has been part of research projects on ESEC-FSE 2015, ICSE 2015, and ASE 2017, the best
evolution, maintenance and analysis of closed-source paper award at SCAM 2012, and three distinguished
android apps, automation of software engineering tasks reviewer awards at WCRE 2012, SANER 2015, and MSR 2015. He served as
and software testing. He received a Google Latin Ameri- a Program Co-Chair for ICPC’16, SCAM’16, and SANER’17. He also serves and
can Research Award in 2018–2021. He received a Swiss has served as organizing and program committee member of international
Government Excellence Scholarships for Foreign Scholars in 2020. He served as a conferences in the field of software engineering, such as ICSE, FSE, ASE, ICSME,
student volunteer for ICSME’2018, ICSE’2019, ASE’2019, ICSE’2020, ICSME’2020, MSR, SANER, ICPC, SCAM, and others.
and ICST’2020. He served as organizing committee in LANGETI’2020, program
committee in ESEC/FSE’2021 and shadow program committee in MSR’2021. More
information is available here: https://caev03.github.io.
14