APPregator: A Large-Scale Platform for Mobile Security Analysis

  • Conference paper
  • Published in: Testing Software and Systems (ICTSS 2020)

Abstract

The Google Play Store currently hosts roughly 2.8M apps. Nonetheless, it is straightforward for a user to quickly retrieve an app that matches her tastes, since Google provides a reliable search engine. It is, however, almost impossible to select apps according to a security footprint (e.g., all apps that enforce SSL pinning). To overcome this limitation, this paper presents APPregator, a platform that allows security analysts to i) download apps from multiple app stores, ii) perform automated security analysis (both static and dynamic), and iii) aggregate the results according to user-defined security constraints (e.g., vulnerability patterns).

The empirical assessment of APPregator on a set of 200,000 apps taken from the Google Play Store and Aptoide suggests that the current implementation achieves a good level of performance and reliability. APPregator will be made freely available to the research community by the end of 2020.
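The aggregation step the abstract describes (static facts per app, then a query over them), as an added example that is not part of the paper or of APPregator's code: a toy "security footprint" extractor that looks for certificate-pinning evidence in the Network Security Config and in OkHttp `CertificatePinner` references in smali, derives the cleartext-traffic policy, and lists dangerous permissions; on top of it, a small Mongo-style constraint matcher answers questions such as "all apps that enforce SSL pinning". The app records, configs, smali line and pin value are constructed for this example, and the field names and `$`-operators are my own choices, not APPregator's schema.

```python
"""Toy security-footprint extraction + constraint aggregation (illustrative only,
not APPregator code). All app records, configs and smali below are constructed."""
import re
import xml.etree.ElementTree as ET

# Subset of Android dangerous-protection-level permissions to surface.
DANGEROUS = {"android.permission.CAMERA", "android.permission.READ_CONTACTS",
             "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_SMS"}
# OkHttp3 CertificatePinner.Builder.add(String, String...) as referenced from smali.
PINNER_SMALI = re.compile(r"Lokhttp3/CertificatePinner\$Builder;->add\(")


def nsc_root(xml_text):
    """Parse a Network Security Config; None when absent or malformed."""
    if not xml_text:
        return None
    try:
        return ET.fromstring(xml_text)
    except ET.ParseError:
        return None


def nsc_has_pin_set(xml_text):
    """True if the config declares at least one non-empty SHA-256 pin."""
    root = nsc_root(xml_text)
    return root is not None and any(
        p.get("digest") == "SHA-256" and (p.text or "").strip() for p in root.iter("pin"))


def nsc_allows_cleartext(xml_text, target_sdk):
    """Cleartext is allowed if any element opts in explicitly, or if nothing says
    otherwise and the app targets API < 28 (the platform default before Android 9)."""
    root = nsc_root(xml_text)
    flags = [] if root is None else [el.get("cleartextTrafficPermitted")
                                     for el in root.iter()
                                     if el.get("cleartextTrafficPermitted") is not None]
    if "true" in flags:
        return True
    if flags:  # only explicit "false" values present
        return False
    return target_sdk < 28


def footprint(app):
    """Flatten one app's raw static artifacts into queryable security facts."""
    nsc, smali = app.get("network_security_config", ""), app.get("smali", "")
    return {
        "package": app["package"],
        "ssl_pinning": nsc_has_pin_set(nsc) or bool(PINNER_SMALI.search(smali)),
        "cleartext_allowed": nsc_allows_cleartext(nsc, app["target_sdk"]),
        "min_sdk": app["min_sdk"],
        "dangerous_permissions": sorted(p for p in app["permissions"] if p in DANGEROUS),
    }


# Mongo-style operators; a missing field (None) never satisfies an ordering test.
OPS = {
    "$ne": lambda a, v: a != v,
    "$lt": lambda a, v: a is not None and a < v,
    "$in": lambda a, v: a in v,
    "$contains": lambda a, v: isinstance(a, (list, tuple, set)) and v in a,
}


def matches(fp, constraint):
    """constraint: {"field": literal} or {"field": {"$op": value, ...}}, all ANDed."""
    for field, cond in constraint.items():
        actual = fp.get(field)
        if isinstance(cond, dict):
            if not all(OPS[op](actual, v) for op, v in cond.items()):
                return False
        elif actual != cond:
            return False
    return True


def aggregate(apps, constraint):
    """Sorted package names of every app whose footprint satisfies the constraint."""
    return sorted(fp["package"] for fp in map(footprint, apps) if matches(fp, constraint))


# Constructed corpus. The pin is the placeholder from the Android NSC docs, not a real hash.
PINNED_NSC = """<network-security-config><domain-config>
  <domain includeSubdomains="true">api.example.com</domain>
  <pin-set><pin digest="SHA-256">7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y=</pin></pin-set>
</domain-config></network-security-config>"""
CLEARTEXT_NSC = '<network-security-config><base-config cleartextTrafficPermitted="true"/></network-security-config>'
SMALI_PINNER = ("invoke-virtual {v0, v1, v2}, Lokhttp3/CertificatePinner$Builder;->add"
                "(Ljava/lang/String;[Ljava/lang/String;)Lokhttp3/CertificatePinner$Builder;")
SAMPLE_APPS = [
    {"package": "com.example.bank", "target_sdk": 29, "min_sdk": 23, "smali": "",
     "network_security_config": PINNED_NSC,
     "permissions": ["android.permission.INTERNET", "android.permission.CAMERA"]},
    {"package": "com.example.news", "target_sdk": 28, "min_sdk": 19, "smali": SMALI_PINNER,
     "network_security_config": CLEARTEXT_NSC,
     "permissions": ["android.permission.INTERNET", "android.permission.READ_CONTACTS"]},
    {"package": "com.example.game", "target_sdk": 26, "min_sdk": 16, "smali": "",
     "network_security_config": "", "permissions": ["android.permission.INTERNET"]},
]

if __name__ == "__main__":
    print(aggregate(SAMPLE_APPS, {"ssl_pinning": True}))  # ['com.example.bank', 'com.example.news']
    print(aggregate(SAMPLE_APPS, {"ssl_pinning": False, "cleartext_allowed": True}))  # ['com.example.game']
```

Two caveats a practitioner should keep in mind when scaling this up: pinning evidence in smali is only a heuristic (the `add(` call may be dead code, or pinning may be done with TrustManager logic this regex never sees), and the cleartext default depends on `targetSdkVersion`, so a config with no `cleartextTrafficPermitted` attribute means different things for different apps; that is why the extractor takes the target SDK as input instead of reading the XML alone.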

This work was partially funded by the Horizon 2020 project “Strategic Programs for Advanced Research and Technology in Europe” (SPARTA).



Author information

Correspondence to Alessio Merlo.


Copyright information

© 2020 IFIP International Federation for Information Processing

About this paper

Cite this paper

Verderame, L., Caputo, D., Romdhana, A., Merlo, A. (2020). APPregator: A Large-Scale Platform for Mobile Security Analysis. In: Casola, V., De Benedictis, A., Rak, M. (eds) Testing Software and Systems. ICTSS 2020. Lecture Notes in Computer Science, vol 12543. Springer, Cham. https://doi.org/10.1007/978-3-030-64881-7_5

  • DOI: https://doi.org/10.1007/978-3-030-64881-7_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-64880-0

  • Online ISBN: 978-3-030-64881-7

  • eBook Packages: Computer Science, Computer Science (R0)
