SPECK: From Google Textual Guidelines to Automatic Detection of Android Apps Vulnerabilities


The identification of security vulnerabilities and the prompt release of the associated security patches is a continuous race. Aware of this challenge, Google encourages also security researchers towards the identification of vulnerabilities through the Android Security Rewards Program and it monthly announces the release of security patches through the Android Security Bulletins. This workflow considers the vulnerabilities of the Android platform, while Google has given little attention to the vulnerabilities of the Android legitimate apps: the only support given to developers so far is a set of textual (not clearly formalized) guidelines on how to prevent apps security and privacy issues. However, even when legitimate, vulnerable Android apps can be a threat for mobile users and there is an urgent need for developers to have an automatic support. In this paper, we first analyze the Google guidelines and we ``translate'' them into 32 rules. We, then, propose SPECK, a rule-based static analysis system that automatically finds the violations to our rules. In particular, for each violated rule, SPECK shows the developer the specific line of code where the vulnerability has been detected, thus prompting him to fix the issue. We manually validated the statistical precision of our rules (20 rules out of 32 have a precision greater than 80\%) and used them to analyze the top 100 popular apps on the Google Play Store. We found that each app has at least one violation, while more than the 50\% of the apps violates at least \roberto{15 (17)} rules. Few rules are violated by almost all the apps (some of them even multiple times by the same app). The majority of violations (90.3\%) are located in external libraries. The app developers that are less prone to violate the rules are Caynax, ZDevs, Skype.

Project Details