We gratefully acknowledge support from
the Simons Foundation and member institutions.
Full-text links:

Download:

Current browse context:

cs.SE

Change to browse by:

cs

References & Citations

DBLP - CS Bibliography

Bookmark

(what is this?)
CiteULike logo BibSonomy logo Mendeley logo del.icio.us logo Digg logo Reddit logo ScienceWISE logo

Computer Science > Software Engineering

Title: SO{U}RCERER: Developer-Driven Security Testing Framework for Android Apps

Abstract: Frequently advised secure development recommendations often fall short in practice for app developers. Tool-driven (e.g., using static analysis tools) approaches lack context and domain-specific requirements of an app being tested. App developers struggle to find an actionable and prioritized list of vulnerabilities from a laundry list of security warnings reported by static analysis tools. Process-driven (e.g., applying threat modeling methods) approaches require substantial resources (e.g., security testing team, budget) and security expertise, which small to medium-scale app dev teams could barely afford. To help app developers securing their apps, we propose SO{U}RCERER, a guiding framework for Android app developers for security testing. SO{U}RCERER guides developers to identify domain-specific assets of an app, detect and prioritize vulnerabilities, and mitigate those vulnerabilities based on secure development guidelines. We evaluated SO{U}RCERER with a case study on analyzing and testing 36 Android mobile money apps. We found that by following activities guided by SO{U}RCERER, an app developer could get a concise and actionable list of vulnerabilities (24-61% fewer security warnings produced by SO{U}RCERER than a standalone static analyzer), directly affecting a mobile money app's critical assets, and devise a mitigation plan. Our findings from this preliminary study indicate a viable approach to Android app security testing without being overwhelmingly complex for app developers.
Comments: Accepted at the 2021 Automated Software Engineering Conference's Workshop on Advances in Mobile App Analysis (A-Mobile'21)
Subjects: Software Engineering (cs.SE)
ACM classes: D.2.1; D.2.5; K.4.3; K.7.0; K.6.3
Cite as: arXiv:2111.01631 [cs.SE]
  (or arXiv:2111.01631v2 [cs.SE] for this version)

Submission history

From: Muhammad Sajidur Rahman [view email]
[v1] Tue, 2 Nov 2021 14:43:58 GMT (66kb,D)
[v2] Wed, 3 Nov 2021 02:47:05 GMT (66kb,D)

Link back to: arXiv, form interface, contact.