Abstract
The Google Play Store currently includes up to 2.8M apps. Nonetheless, it is rather straightforward for a user to quickly retrieve the app that matches her tastes, as Google provides a reliable search engine. However, it is almost impossible to select apps according to a security footprint (e.g., all apps that enforce SSL pinning). To overcome this limitation, this paper presents APPregator, a platform that allows security analysts to i) download apps from multiple app stores, ii) perform automated security analysis (both static and dynamic), and iii) aggregate the results according to user-defined security constraints (e.g., vulnerability patterns).
The empirical assessment of APPregator on a set of 200,000 apps taken from the Google Play Store and Aptoide suggests that the current implementation provides a good level of performance and reliability. APPregator will be made freely available to the research community by the end of 2020.
This work was partially funded by the Horizon 2020 project “Strategic Programs for Advanced Research and Technology in Europe” (SPARTA).
© 2020 IFIP International Federation for Information Processing
Verderame, L., Caputo, D., Romdhana, A., Merlo, A. (2020). APPregator: A Large-Scale Platform for Mobile Security Analysis. In: Casola, V., De Benedictis, A., Rak, M. (eds) Testing Software and Systems. ICTSS 2020. Lecture Notes in Computer Science(), vol 12543. Springer, Cham. https://doi.org/10.1007/978-3-030-64881-7_5
DOI: https://doi.org/10.1007/978-3-030-64881-7_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-64880-0
Online ISBN: 978-3-030-64881-7
eBook Packages: Computer Science, Computer Science (R0)