Discipline: Computer Sciences and Information Management
Subcategory: Computer Science & Information Systems
Aakiel Abernathy - North Carolina Agricultural & Technical State University
Co-Author(s): Trenton Samuda, North Carolina Agricultural & Technical State University, Greensboro, NC
Technology is becoming more advanced, including the mobile devices people use every day. These handheld machines are used to access increasingly sensitive data, such as bank accounts, medical records, and other personal documents. It is therefore imperative that application developers for such devices address security issues such as sensitive data leaks and access control vulnerabilities. Static analysis tools have been used to analyze mobile applications for data leakage and access control vulnerabilities. FindBugs [Ayewah, Pugh, Morgenthaler, Penix, & Zhou, 2007] analyzes Java source code to find programming defects and can report almost 300 different bug patterns. COPES [Bartel, 2012] detects permission gaps, which occur when an application is granted more permissions than it needs to perform a task. Brox [Siyuan, 2013] detects when an application requests the device ID, location, or contact information that is later sent via SMS or the network. LeakMiner [ZheMin, 2012] detects when an application requests the device ID, location, contact information, calendar, or SMS data and writes it to log files. FlowDroid [Arzt, 2014] analyzes applications statically using taint analysis to detect sensitive data leakage. TaintDroid [Enck, 2014] identifies when sensitive data leaks from the system with the aid of a third-party application.
While these tools were developed for detecting mobile malware, we propose to develop a static analysis tool that helps mobile platform developers write secure Android applications. Such a tool will increase programmers' awareness of insecure Android coding practices. We are developing the tool Secure Android Coding Helper (SACH), which scans the source code and the Android .apk file and warns the programmer about insecure coding practices. SACH uses the open source tool FlowDroid to detect sensitive data leakage, and implements functions that scan for security vulnerabilities according to the CERT secure coding rules for Android application development [Seacord, 2013]. SACH follows a two-step process. The first step runs FlowDroid on the .apk file and parses its results, looking for device ID or GPS location data leaked to a log file or through an implicit intent. The second step parses the source code and the XML file to report key design vulnerabilities based on the CERT rules. The results of both steps are then combined into a report that informs the developer of potential risks in the application. We have implemented SACH along with a user-friendly graphical user interface. We are conducting extensive testing of SACH on Android programs to measure its performance. Future work includes improving SACH's performance by reducing false positives and false negatives, implementing ways to inform the developer how to fix detected vulnerabilities, and adding more functions to SACH as more rules are added to the CERT secure coding rules for Android application development.
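To make the second step concrete, here is a small scanner in the spirit of SACH's source and XML checks, written for this page as an illustration; it is not the authors' code. The source/sink lists, the line-oriented taint tracking, the constructed sample inputs, and the CERT DRD rule identifiers in the messages are my assumptions and recollection, not taken from the abstract.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Sensitive sources/sinks: an assumed subset; SACH's real lists are not given in the abstract.
SOURCE_RE = re.compile(r"(\w+)\s*=\s*[^;]*\.(getDeviceId|getLastKnownLocation|getLine1Number)\s*\(")
IMPLICIT_INTENT_RE = re.compile(r'(\w+)\s*=\s*new Intent\s*\(\s*"')  # action string, no target class
INTENT_EXTRA_RE = re.compile(r"(\w+)\.putExtra\s*\([^,]+,\s*(\w+)\s*\)")
LOG_SINK_RE = re.compile(r"\bLog\.[vdiwe]\s*\(([^;]*)\)\s*;")
BROADCAST_SINK_RE = re.compile(r"\bsendBroadcast\s*\(\s*(\w+)\s*\)\s*;")

def scan_manifest(xml_text):
    """Manifest checks: debuggable build (CERT DRD10) and exported components without a permission."""
    findings = []
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is not None and app.get(ANDROID_NS + "debuggable") == "true":
        findings.append("DRD10: application is debuggable")
    for comp in root.iter():  # any exported component that no permission guards
        if comp.get(ANDROID_NS + "exported") == "true" and comp.get(ANDROID_NS + "permission") is None:
            findings.append(f"exported {comp.tag} {comp.get(ANDROID_NS + 'name')} lacks a permission")
    return findings

def scan_source(java_text):
    """Line-oriented taint tracking: sensitive-source variables that reach a log or an implicit intent."""
    findings, tainted, implicit = [], set(), set()
    for line in java_text.splitlines():
        if m := SOURCE_RE.search(line):
            tainted.add(m.group(1))
        if m := IMPLICIT_INTENT_RE.search(line):
            implicit.add(m.group(1))
        if (m := INTENT_EXTRA_RE.search(line)) and m.group(2) in tainted:
            tainted.add(m.group(1))  # the Intent object now carries sensitive data
        if (m := LOG_SINK_RE.search(line)) and tainted & set(re.findall(r"\w+", m.group(1))):
            findings.append("DRD04: sensitive data written to log: " + line.strip())
        if (m := BROADCAST_SINK_RE.search(line)) and m.group(1) in tainted & implicit:
            findings.append("DRD03: sensitive data sent via implicit intent: " + line.strip())
    return findings

# Constructed sample inputs (not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"><application android:debuggable="true">
<receiver android:name=".CmdReceiver" android:exported="true"/>
<service android:name=".SyncService" android:exported="true" android:permission="com.example.SYNC"/>
</application></manifest>"""
SAMPLE_JAVA = """String deviceId = tm.getDeviceId();
Log.d(TAG, "device: " + deviceId);
Intent i = new Intent("com.example.SHARE");
i.putExtra("id", deviceId);
sendBroadcast(i);
Log.i(TAG, "started");"""
```

Running `scan_manifest(SAMPLE_MANIFEST) + scan_source(SAMPLE_JAVA)` yields the combined four-warning report; the guarded service and the harmless second log call are not reported.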
Funder Acknowledgement(s): This work is partially supported by NSF HBCU-UP project (HRD-1332504).
Faculty Advisor: Dorothy Yuan