
Security code smells in Android ICC

Published in: Empirical Software Engineering

Abstract

Android Inter-Component Communication (ICC) is complex, largely unconstrained, and hard for developers to understand. As a consequence, ICC is a common source of security vulnerabilities in Android apps. To promote secure programming practices, we have reviewed related research, and identified avoidable ICC vulnerabilities in Android-run devices and the security code smells that indicate their presence. We explain the vulnerabilities and their corresponding smells, and we discuss how they can be eliminated or mitigated during development. We present a lightweight static analysis tool on top of Android Lint that analyzes the code under development and provides just-in-time feedback within the IDE about the presence of such smells in the code. Moreover, with the help of this tool we study the prevalence of security code smells in more than 700 open-source apps, and manually inspect around 15% of the apps to assess the extent to which identifying such smells uncovers ICC security vulnerabilities.



Notes

  1. We are collaborating with Google to officially integrate these checks into Android Studio.

  2. https://github.com/pgadient/AndroidLintSecurityChecks

  3. https://github.com/secure-software-engineering/DroidBench

  4. https://bitbucket.org/secure-it-i/android-app-vulnerability-benchmarks

  5. https://developer.android.com/training/safetynet/safebrowsing.html

  6. https://developer.android.com/reference/android/app/PendingIntent.html

  7. https://developer.android.com/guide/components/activities/tasks-and-back-stack.html

  8. https://sites.google.com/a/android.com/tools/tips/lint

  9. The UastScanner is the successor of the JavaScanner, and, in addition to Java, also supports Kotlin, a new programming language used in the Android platform.

  10. https://github.com/pgadient/AndroidLintSecurityChecks

  11. https://f-droid.org/

  12. https://github.com/pcqpcq/open-source-android-apps

  13. https://github.com/pgadient/AndroidLintSecurityChecks/blob/master/dataset/analyzed_apps.csv

  14. https://github.com/AlDanial/cloc

  15. We define a vulnerability capability as the possibility a security issue can compromise a user’s security and privacy.

  16. http://cve.mitre.org — Common Vulnerabilities and Exposures, a public list of known cyber-security vulnerabilities.


Acknowledgements

We gratefully acknowledge the financial support of the Swiss National Science Foundation for the project “Agile Software Analysis” (SNSF project No. 200020-162352, Jan 1, 2016 - Dec. 30, 2018). We also thank Astrid Ytrehorn for her contribution to the empirical study.

Author information


Corresponding author: Pascal Gadient.

Additional information

Communicated by: Coen de Roover, David Lo and Jianjun Zhao


Cite this article

Gadient, P., Ghafari, M., Frischknecht, P. et al. Security code smells in Android ICC. Empir Software Eng 24, 3046–3076 (2019). https://doi.org/10.1007/s10664-018-9673-y
