Empirical Software Engineering, Volume 24, Issue 4, pp 2056–2101

The Android OS stack and its vulnerabilities: an empirical study

  • Alejandro Mazuera-Rozo
  • Jairo Bautista-Mora
  • Mario Linares-Vásquez (corresponding author)
  • Sandra Rueda
  • Gabriele Bavota


The wide and rapid adoption of Android-based devices in recent years has driven the use of Android apps to support a broad range of daily activities. Being the most popular mobile platform also makes Android an attractive target for security attacks: 1,489 security vulnerabilities were reported in the last three years (2015-2017) for the Android OS, the underlying platform of Android-based devices. While there is a plethora of approaches and tools for detecting malware and security issues in Android apps, little research has been done to identify, categorize, or detect vulnerabilities in the Android OS itself. In this paper we present the largest study so far aimed at analyzing software vulnerabilities in the Android OS. In particular, we analyzed a total of 1,235 vulnerabilities from four different perspectives: vulnerability types and their evolution, the CVSS vectors that describe the vulnerabilities, the impacted Android OS layers, and their survivability across the Android OS history. Based on our findings, we propose a list of future actions that researchers and practitioners could take to reduce the number of vulnerabilities in the Android OS as well as their impact and survivability.
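The abstract names CVSS vectors as one of the four perspectives of the study but does not show how a vector string is turned into a score and a severity band. The following is an added example, not code from the paper or its replication package: it parses CVSS v2 vector strings of the form NVD published for CVEs in that period (the choice of v2 over v3 is an assumption here), computes the base score with the v2.0 specification formula, and tallies a constructed list of vectors by severity and access vector, which is the kind of aggregation such a perspective rests on. Malformed vectors raise instead of silently scoring as zero.

```python
"""CVSS v2 base-score computation and a small tally over vector strings.

Metric weights and formula follow the CVSS v2.0 specification. The sample
vectors below are constructed for illustration only; they are not taken
from the study's dataset.
"""
import math

# CVSS v2 base-metric weights (values from the v2.0 specification).
_WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},    # access vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},     # access complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},    # authentication
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},     # confidentiality impact
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},     # integrity impact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},     # availability impact
}


def parse_cvss2(vector):
    """Parse 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into {metric: value}.

    Raises ValueError on an unknown metric or value, a duplicate metric,
    or a missing base metric, so a broken feed entry fails loudly.
    """
    metrics = {}
    for part in vector.strip().split("/"):
        if ":" not in part:
            raise ValueError("malformed metric %r in %r" % (part, vector))
        name, value = part.split(":", 1)
        if name not in _WEIGHTS or value not in _WEIGHTS[name]:
            raise ValueError("unknown metric/value %r in %r" % (part, vector))
        if name in metrics:
            raise ValueError("duplicate metric %r in %r" % (name, vector))
        metrics[name] = value
    missing = set(_WEIGHTS) - set(metrics)
    if missing:
        raise ValueError("missing base metrics %s in %r" % (sorted(missing), vector))
    return metrics


def _round1(x):
    # CVSS v2 rounds half up to one decimal; avoid Python's banker's rounding.
    return math.floor(x * 10 + 0.5) / 10


def cvss2_base_score(vector):
    """Return the CVSS v2 base score (0.0 to 10.0) for a vector string."""
    m = parse_cvss2(vector)

    def w(metric):
        return _WEIGHTS[metric][m[metric]]

    impact = 10.41 * (1 - (1 - w("C")) * (1 - w("I")) * (1 - w("A")))
    exploitability = 20 * w("AV") * w("AC") * w("Au")
    f_impact = 0 if impact == 0 else 1.176
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def severity(score):
    """NVD's severity bands for CVSS v2 scores."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def summarize(vectors):
    """Tally a list of vectors by severity band and by access vector."""
    by_severity = {}
    by_access_vector = {}
    for v in vectors:
        band = severity(cvss2_base_score(v))
        av = parse_cvss2(v)["AV"]
        by_severity[band] = by_severity.get(band, 0) + 1
        by_access_vector[av] = by_access_vector.get(av, 0) + 1
    return {"by_severity": by_severity, "by_access_vector": by_access_vector}


# Constructed sample vectors (illustrative only, not from the paper's data).
SAMPLE_VECTORS = [
    "AV:N/AC:L/Au:N/C:C/I:C/A:C",  # remote, full compromise -> 10.0 High
    "AV:N/AC:L/Au:N/C:P/I:P/A:P",  # remote, partial C/I/A    -> 7.5 High
    "AV:L/AC:L/Au:N/C:C/I:C/A:C",  # local, full compromise  -> 7.2 High
    "AV:N/AC:M/Au:N/C:N/I:N/A:P",  # remote partial DoS      -> 4.3 Medium
    "AV:L/AC:L/Au:N/C:P/I:N/A:N",  # local info disclosure   -> 2.1 Low
]

if __name__ == "__main__":
    for v in SAMPLE_VECTORS:
        s = cvss2_base_score(v)
        print("%-30s %4.1f %s" % (v, s, severity(s)))
    print(summarize(SAMPLE_VECTORS))
```

Running the block prints one line per sample vector with its score and band, then the tally. The strict parser matters in practice: NVD feeds occasionally carry entries with an incomplete or absent v2 vector, and a lenient parser that defaults missing metrics to "N" would quietly push such entries into the Low band and skew any per-layer or per-year distribution built on top of it.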


Keywords: Vulnerabilities; Android; Empirical study; Operating system




Copyright information

© Springer Science+Business Media, LLC, part of Springer Nature 2019

Authors and Affiliations

  1. Universidad de los Andes, Bogotá, Colombia
  2. Università della Svizzera italiana, Lugano, Switzerland
