Large-Scale Vulnerability Assessment and Detection for Android Apps

Objectives

  • Explore the comprehensive taxonomy of existing app vulnerabilities and build an app vulnerability analysis baseline
     
  • Evaluate the capability of different existing techniques towards vulnerability detection in specialized domains
     
  • Develop a domain-aware compositional vulnerability detection framework which is more scalable and more accurate
     

Existing Solutions and Their Limitations

  • Use generic syntax-based scanning and pattern matching
     
  • Output a lot of false positives
     
  • Cannot detect most of the data leakage-related vulnerabilities
     

Outcomes/Deliverables

  • Vulnerability knowledge base construction
     
    • Design knowledge base schema and meta-model
       
    • Large-scale apps collection and labelling (semi-automatic)
       
    • Evaluation of the existing vulnerability detection techniques
       
  • Compositional vulnerability detection guided by the knowledge base
     
    • Implement domain-specific analysis (source/library/native)
       
    • Aggregation of global analysis results

​CompositionalAnalysis

Practical Applications and Impact

  • Integrated as a part of an app screening pipeline
     
  • Detecting data leakage vulnerabilities in the real banking apps

 

SUBSCRIBE TO OUR NEWSLETTER

Keep up to date with what's happening at the Singapore Management University

Newsletter checkboxes