Abstract
Mobile applications have overtaken web applications in a rapidly growing mobile app market. Because the mobile application development environment is open source and freely available, it attracts inexperienced developers who want hands-on experience with application development; data security and vulnerable coding practices are two major issues that follow from this. Among mobile operating systems, including iOS (Apple), Android (Google) and BlackBerry (RIM), Android remains the dominant OS worldwide. Most malicious mobile attacks exploit vulnerabilities in the applications themselves, such as leakage of sensitive data through inadvertent or side channels, insecure storage of sensitive data, insecure data transmission and many others. Most of these vulnerabilities can be detected during the application analysis phase. In this chapter we explore existing vulnerability detection tools for static and dynamic analysis and show, hands-on, how to use them to detect such vulnerabilities. We suggest that new security analysis tools are needed inside the development environment itself, so that analysis takes place while the application is being developed.
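The abstract names leakage of sensitive data through logs, insecure storage and data transmission as the vulnerability classes that application analysis is meant to catch. The following is an added example, not code from the chapter or from any of the tools it surveys: a toy, line-level taint tracker in Python that shows the source-to-sink idea behind static analyzers such as FlowDroid on a constructed Java-style snippet. The source, sink and sanitizer lists, the sample snippet and the identifiers tm, editor, out and sha256Hex are all assumptions made for this example.

```python
"""Toy line-level taint tracker illustrating how a static analyzer flags
source-to-sink flows in Android app code.  Added example, not the chapter's
code: it is intra-procedural and string-based, whereas tools such as FlowDroid
work on an intermediate representation with interprocedural, field- and
object-sensitive dataflow."""
import re
from dataclasses import dataclass

# Constructed, deliberately small API lists (assumption: real analyzers ship
# far larger, categorised lists).  Sources yield sensitive data; sinks move it
# somewhere an attacker or another app could read it.
SOURCES = {"getDeviceId", "getLine1Number", "getSimSerialNumber",
           "getLastKnownLocation"}
SINKS = {
    "Log.d": "log leak",
    "Log.i": "log leak",
    "editor.putString": "insecure storage",
    "out.write": "data transmission",
    "sendTextMessage": "SMS exfiltration",
}
# A sanitizer breaks the flow: a hash of the IMEI is not treated as the IMEI.
SANITIZERS = {"sha256Hex"}

# `Type var = expr;` or `var = expr;`
ASSIGN = re.compile(r"^(?:[\w<>\[\]]+\s+)?(\w+)\s*=\s*(.+);$")


@dataclass(frozen=True)
class Finding:
    line: int
    sink: str
    category: str
    origins: tuple  # source APIs the tainted data came from


def _called(name: str, expr: str) -> bool:
    """True if `expr` contains a call to `name` (method name, not receiver)."""
    return re.search(r"\b" + re.escape(name) + r"\s*\(", expr) is not None


def taint_of(expr: str, taint: dict) -> set:
    """Source APIs whose data reaches `expr`, given currently tainted vars."""
    if any(_called(s, expr) for s in SANITIZERS):
        return set()  # simplification: any sanitizer call cleans the whole expr
    origins = {src for src in SOURCES if _called(src, expr)}
    for var, srcs in taint.items():
        if re.search(r"\b" + re.escape(var) + r"\b", expr):
            origins |= srcs
    return origins


def analyze(code: str) -> list:
    """Return a Finding for every sink call that receives tainted data."""
    taint: dict = {}          # variable name -> set of originating sources
    findings = []
    for no, raw in enumerate(code.splitlines(), 1):
        line = raw.split("//", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        # 1. Does this statement hand tainted data to a sink?
        for sink, category in SINKS.items():
            if _called(sink, line):
                args = line.split(sink, 1)[1]
                origins = taint_of(args, taint)
                if origins:
                    findings.append(Finding(no, sink, category,
                                            tuple(sorted(origins))))
        # 2. Propagate taint through assignments; a clean reassignment kills it.
        m = ASSIGN.match(line)
        if m:
            lhs, rhs = m.groups()
            origins = taint_of(rhs, taint)
            if origins:
                taint[lhs] = origins
            else:
                taint.pop(lhs, None)
    return findings


# Constructed snippet in the style of an Android Activity method (not from any
# real app): the identifiers tm, editor, out and sha256Hex are assumed to exist.
SAMPLE = """\
String imei = tm.getDeviceId();
String phone = tm.getLine1Number();
String digest = sha256Hex(imei);
String payload = "id=" + imei + "&n=" + phone;
Log.d("DBG", "started " + digest);     // hashed: no finding
editor.putString("imei", imei);        // plaintext IMEI in SharedPreferences
out.write(payload.getBytes());         // IMEI and number leave the device
Log.i("DBG", "ok");                    // clean
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"line {f.line}: {f.category} via {f.sink} "
              f"(from {', '.join(f.origins)})")
```

Running the script reports two findings: the plaintext IMEI written to SharedPreferences on line 6 and the IMEI plus phone number sent through the output stream on line 7; the hashed value logged on line 5 is not reported because the sanitizer call breaks the flow. Everything the toy omits is exactly what makes real Android analysis hard: calls across methods and components, aliasing through fields and collections, the Activity lifecycle, inter-component communication and reflection, which is why production tools operate on an intermediate representation rather than on source text.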
Copyright information
© 2021 The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer Nature Switzerland AG
About this chapter
Cite this chapter
Shahriar, H., Zhang, C., Talukder, M.A., Islam, S. (2021). Mobile Application Security Using Static and Dynamic Analysis. In: Maleh, Y., Shojafar, M., Alazab, M., Baddi, Y. (eds) Machine Intelligence and Big Data Analytics for Cybersecurity Applications. Studies in Computational Intelligence, vol 919. Springer, Cham. https://doi.org/10.1007/978-3-030-57024-8_20
DOI: https://doi.org/10.1007/978-3-030-57024-8_20
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-57023-1
Online ISBN: 978-3-030-57024-8
eBook Packages: Intelligent Technologies and Robotics (R0)