DocumentCode
1760506
Title
VulHunter: Toward Discovering Vulnerabilities in Android Applications
Author
Chenxiong Qian ; Xiapu Luo ; Yu Le ; Guofei Gu
Author_Institution
Hong Kong Polytech. Univ., Hong Kong, China
Volume
35
Issue
1
fYear
2015
fDate
Jan.-Feb. 2015
Firstpage
44
Lastpage
53
Abstract
With the prosperity of the Android app economy, many apps have been published and sold in various markets. However, short development cycles and insufficient security development guidelines have led to many vulnerable apps. Although some systems have been developed for automatically discovering specific vulnerabilities in apps, their effectiveness and efficiency are usually restricted because of the exponential growth of paths to examine and simplified assumptions. In this article, the authors propose a new static-analysis framework for facilitating security analysts to detect vulnerable apps from three aspects. First, they propose an app property graph (APG), a new data structure containing detailed and precise information from apps. Second, by modeling app-related vulnerabilities as graph traversals, the authors conduct graph traversals over APGs to identify vulnerable apps for easing the identification process. Third, they reduce the workload of manual verification by removing infeasible paths and generating attack inputs whenever possible. They have implemented the framework in a system named VulHunter with 9,145 lines of Java code and modeled five types of vulnerabilities. Checking 557 popular apps that are randomly collected from Google Play and have at least 1 million installations, the authors found that 375 apps (67.3 percent) have at least one vulnerability.
Keywords
Android (operating system); Java; data structures; program diagnostics; APG; Android application economy; Google Play; Java code; VulHunter; app property graph; app-related vulnerability modeling; attack input generation; automatic vulnerability discovery; data structure; graph traversals; infeasible path removal; manual verification workload reduction; static-analysis framework; vulnerable app detection; Androids; Data structures; Humanoid robots; Marketing and sales; Mobile communication; Network security; Syntactics; Android applications; app property graph; static analysis; vulnerabilities detection;
fLanguage
English
Journal_Title
Micro, IEEE
Publisher
ieee
ISSN
0272-1732
Type
jour
DOI
10.1109/MM.2015.25
Filename
7057600
Link To Document