ERN: Emerging Researchers National Conference in STEM

Secure Android Coding Helper (SACH): Static Analysis Tool to Encourage Proper Android Application Development

Undergraduate #176
Discipline: Computer Sciences and Information Management
Subcategory: Computer Science & Information Systems

Aakiel Abernathy - North Carolina Agricultural & Technical State University
Co-Author(s): Trenton Samuda, North Carolina Agricultural & Technical State University, Greensboro, NC

Technology is becoming more advanced, including the mobile devices people use every day. These handheld machines are being used to access increasingly sensitive data, such as bank accounts, medical records, and other personal documents. Because of this, it is imperative that application developers for such devices focus on security issues such as sensitive data leaks and access control vulnerabilities. Static analysis tools have been used to analyze mobile applications for data leakage and access control vulnerabilities. FindBugs [Ayewah, Pugh, Morgenthaler, Penix, & Zhou, 2007] analyzes Java source code to find programming defects and can report almost 300 different bug patterns. COPES [Bartel, 2012] detects permission gaps, which occur when an application is granted more permissions than it needs to perform a task. Brox [Siyuan, 2013] detects when an application requests the device ID, location, or contact information and later sends it via SMS or the network. LeakMiner [ZheMin, 2012] detects when an application requests the device ID, location, contact information, calendar, or SMS data and writes it to log files. FlowDroid [Arzt, 2014] analyzes applications statically using taint analysis to detect sensitive data leakage. TaintDroid [Enck, 2014] identifies when sensitive data is leaking from the system with the aid of a third-party application.

While these tools were developed for detecting mobile malware, we propose a static analysis tool that helps developers for mobile platforms write secure Android applications. Such a tool will increase programmers' awareness of insecure Android coding practices. We are developing Secure Android Coding Helper (SACH), which scans the source code and the Android .apk file and warns the programmer about insecure coding practices. SACH uses the open source tool FlowDroid to detect sensitive data leakage, and implements its own checks for security vulnerabilities according to the CERT secure coding rules for Android application development [Seacord, 2013]. SACH implements a two-step process. The first step runs FlowDroid on the .apk file, parses the results, and looks for the device ID or GPS location data leaked to a log file or through an implicit intent. The second step parses the source code and the XML file to report key design vulnerabilities based on the CERT rules. The results from both steps are then combined into a report that informs the developer of potential risks in their application. We have implemented SACH together with a user-friendly graphical user interface. We are conducting extensive testing of SACH on Android programs to measure its performance. Future plans are to improve the performance of SACH, such as reducing false positives and false negatives, to implement ways of informing the developer how to fix detected vulnerabilities, and to add more checks to SACH as rules are added to the CERT secure coding rules for Android application development.
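The two-step pipeline above, as an added illustration that is not SACH's own code: step 1 is represented by a constructed list of source-to-sink flows in a made-up format standing in for parsed FlowDroid results (FlowDroid's real output format is not reproduced here); step 2 runs a few regex checks over constructed Java source and an `AndroidManifest.xml` for rules in the CERT Android set (the rule IDs DRD00-J, DRD03-J and DRD04-J are quoted from memory of that rule set and should be treated as an assumption; the manifest hardening checks are not tied to a specific rule ID). Both steps are merged into a single report, the way the abstract describes. Regex matching is a deliberately crude stand-in for parsing Java; a real checker would work on an AST.

```python
"""Toy SACH-style checker (added example; not the SACH project's code)."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"


@dataclass
class Finding:
    step: str      # "1" = taint flows, "2" = source/manifest rules
    rule: str
    location: str
    message: str


# Step 1 stand-in: constructed (source, sink, file) triples in a made-up
# format. This is NOT FlowDroid's output format.
FLOWS = [
    ("android.telephony.TelephonyManager.getDeviceId()",
     "android.util.Log.d()", "MainActivity.java"),
    ("android.location.Location.getLatitude()",
     "android.content.Context.sendBroadcast()", "TrackerService.java"),
    ("android.widget.EditText.getText()",
     "android.widget.TextView.setText()", "MainActivity.java"),   # benign
]
SENSITIVE_SOURCES = ("getDeviceId", "getLatitude", "getLongitude", "getLastKnownLocation")
LEAK_SINKS = {"Log.": "a log file", "sendBroadcast": "an implicit intent broadcast"}

# Step 2 stand-in: constructed Java source and manifest.
SAMPLE_SOURCES = {
    "MainActivity.java": '''
String imei = tm.getDeviceId();
Log.d("MainActivity", "device id: " + imei);
File out = new File(Environment.getExternalStorageDirectory(), "cache.txt");
sendBroadcast(new Intent("com.example.LOCATION_UPDATE").putExtra("lat", lat));
Intent explicit = new Intent(this, ReportService.class); startService(explicit);
''',
}
SAMPLE_MANIFEST = ("AndroidManifest.xml", '''<manifest
  xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sach">
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".DebugConsole" android:exported="true"/>
    <service android:name=".TrackerService" android:exported="true"
             android:permission="com.example.PERM"/>
    <receiver android:name=".Wakeup" android:exported="false"/>
  </application>
</manifest>''')

# (rule id as recalled from the CERT Android rules, pattern, message)
SOURCE_RULES = [
    ("DRD04-J", re.compile(r"Log\.[vdiwe]\([^;]*?(password|imei|deviceid|token|secret)", re.I),
     "sensitive value passed to android.util.Log"),
    ("DRD00-J", re.compile(r"getExternalStorage(?:Public)?Directory\(|getExternalFilesDir\("),
     "file placed on external storage without encryption"),
    ("DRD03-J", re.compile(r'sendBroadcast\(\s*new\s+Intent\(\s*"'),
     "broadcast sent with an implicit (action-string) intent"),
]


def check_flows(flows):
    """Step 1: keep only flows from a sensitive source into a log or broadcast sink."""
    findings = []
    for src, sink, where in flows:
        if not any(s in src for s in SENSITIVE_SOURCES):
            continue
        for needle, desc in LEAK_SINKS.items():
            if needle in sink:
                findings.append(Finding("1", "data-leak", where, f"{src} reaches {desc} via {sink}"))
    return findings


def check_source(path, text):
    """Step 2a: line-oriented regex checks over Java source."""
    return [Finding("2", rule, f"{path}:{n}", msg)
            for n, line in enumerate(text.splitlines(), 1)
            for rule, pat, msg in SOURCE_RULES if pat.search(line)]


def check_manifest(path, xml_text):
    """Step 2b: manifest hardening checks (debuggable, allowBackup, unguarded exports)."""
    findings = []
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return findings
    for attr in ("debuggable", "allowBackup"):
        if app.get(ANDROID_NS + attr) == "true":
            findings.append(Finding("2", "manifest", f"{path}:<application>",
                                    f'android:{attr}="true" exposes application data'))
    for comp in app:
        if comp.tag in ("activity", "service", "receiver", "provider") \
                and comp.get(ANDROID_NS + "exported") == "true" \
                and comp.get(ANDROID_NS + "permission") is None:
            findings.append(Finding("2", "manifest", f"{path}:<{comp.tag} {comp.get(ANDROID_NS + 'name')}>",
                                    "exported component without a guarding android:permission"))
    return findings


def build_report(flows, sources, manifest):
    """Combine both steps into one list of findings, as SACH's report does."""
    findings = check_flows(flows)
    for path, text in sources.items():
        findings += check_source(path, text)
    return findings + check_manifest(*manifest)


def render(findings):
    return "\n".join([f"{len(findings)} potential risks"] +
                     [f"[step {f.step}] {f.rule:<9} {f.location}: {f.message}" for f in findings])


if __name__ == "__main__":
    print(render(build_report(FLOWS, SAMPLE_SOURCES, SAMPLE_MANIFEST)))
```

Running the block prints eight findings for the constructed input: two taint flows from step 1, three CERT-rule hits in the Java source, and three manifest issues. The benign `EditText` to `TextView` flow and the explicit-intent line are correctly ignored, which is the kind of distinction SACH's false-positive tuning is concerned with.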

Funder Acknowledgement(s): This work is partially supported by NSF HBCU-UP project (HRD-1332504).

Faculty Advisor: Dorothy Yuan

This material is based upon work supported by the National Science Foundation (NSF) under Grant No. DUE-1930047. Any opinions, findings, interpretations, conclusions or recommendations expressed in this material are those of its authors and do not represent the views of the AAAS Board of Directors, the Council of AAAS, AAAS’ membership or the National Science Foundation.

© 2023 American Association for the Advancement of Science