Objectives

• Explore the comprehensive taxonomy of existing app vulnerabilities and build an app vulnerability analysis baseline
   
• Evaluate the capability of different existing techniques towards vulnerability detection in specialized domains
   
• Develop a domain-aware compositional vulnerability detection framework which is more scalable and more accurate
   

Existing Solutions and Their Limitations

• Use generic syntax-based scanning and pattern matching
   
• Output a lot of false positives
   
• Cannot detect most of the data leakage-related vulnerabilities
   

Outcomes/Deliverables

• Vulnerability knowledge base construction
   
  • Design knowledge base schema and meta-model
     
  • Large-scale apps collection and labelling (semi-automatic)
     
  • Evaluation of the existing vulnerability detection techniques
     
• Compositional vulnerability detection guided by the knowledge base
   
  • Implement domain-specific analysis (source/library/native)
     
  • Aggregation of global analysis results

​

Practical Applications and Impact

• Integrated as a part of an app screening pipeline
   
• Detecting data leakage vulnerabilities in the real banking apps