Content Provider Leakage Vulnerability Detection in Android Applications

Shahriar, Hossain; Haddad, Hisham M.

doi:10.1145/2659651.2659716

Cited by 9 publications

(5 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For instance, work by Carvalho et al [11] on the presentation layer identifies code smells involving components such as Activities, Fragments, and Listeners, which developers also mention in SATD comments. Furthermore, Content Providers, which are associated with leakage vulnerabilities [4], are also present in our findings. This opens up an interesting avenue of research for the community to examine the extent to which such debt items can lead to app vulnerabilities.…”

Section: Discussionsupporting

confidence: 57%

“…However, like non-mobile systems, mobile apps are also software systems, and are subject to poor code quality when app developers deviate from established best practices and guidelines [3]. For instance, poor code quality of a mobile app can lead to various issues for end-users, such as security vulnerabilities [4], poor user experience [5] (including accessibility concerns [6]), and performance degradation [7]. Further, app developers face maintainability challenges due to their app's poor code quality [8].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

An Exploratory Study on the Occurrence of Self-Admitted Technical Debt in Android Apps

Wilder¹,

Riley²,

Watson³

et al. 2023

Preprint

View full text Add to dashboard Cite

Technical debt describes situations where developers write less-than-optimal code to meet project milestones. However, this debt accumulation often results in future developer effort to live with or fix these quality issues. To better manage this debt, developers may document their sub-optimal code as comments in the code (i.e., self-admitted technical debt or SATD). While prior research has investigated the occurrence and characteristics of SATD, this research has primarily focused on non-mobile systems. With millions of mobile applications (apps) in multiple genres available for end-users, there is a lack of research on sub-optimal code developers intentionally implement in mobile apps.In this study, we examine the occurrence and characteristics of SATD in 15,614 open-source Android apps. Our findings show that even though such apps contain occurrences of SATD, the volume per app (a median of 4) is lower than in non-mobile systems, with most debt categorized as Code Debt. Additionally, we identify typical elements in an app that are prone to intentional sub-optimal implementations. We envision our findings supporting researchers and tool vendors with building tools and techniques to support app developers with app maintenance.

show abstract

Section: Discussionsupporting

confidence: 57%

Section: Introductionmentioning

confidence: 99%

An Exploratory Study on the Occurrence of Self-Admitted Technical Debt in Android Apps

Wilder¹,

Riley²,

Watson³

et al. 2023

Preprint

View full text Add to dashboard Cite

show abstract

“…TaintDroid [34] is a dynamic taint analysis tool for capturing information leakages in android apps, which its dynamic approach is not concolic or symbolic. Shahriar et al [35] presenting KLD-based detection of content leakage vulnerabilities based on three secure programming principles. Their approach focused on ContentProvider leakage, which ConsiDroid can detect them with the symbolic mock class idea.…”

Section: Related Workmentioning

confidence: 99%

ConsiDroid: A Concolic-based Tool for Detecting SQL Injection Vulnerability in Android Apps

Ehsan¹,

Sadeghiyan²,

Ghassemi³

2018

Preprint

View full text Add to dashboard Cite

In this paper, we present a concolic execution technique for detecting SQL injection vulnerabilities in Android apps, with a new tool we called ConsiDroid. We extend the source code of apps with mocking technique, such that the execution of original source code is not affected. The extended source code can be treated as Java applications and may be executed by SPF with concolic execution. We automatically produce a DummyMain class out of static analysis such that the essential functions are called sequentially and, the events leading to vulnerable functions are triggered. We extend SPF with taint analysis in ConsiDroid. For making taint analysis possible, we introduce a new technique of symbolic mock classes in order to ease the propagation of tainted values in the code. An SQL injection vulnerability is detected through receiving a tainted value by a vulnerable function. Besides, ConsiDroid takes advantage of static analysis to adjust SPF in order to inspect only suspicious paths. To illustrate the applicability of ConsiDroid, we have inspected randomly selected 140 apps from F-Droid repository. From these apps, we found three apps vulnerable to SQL injection. To verify their vulnerability, we analyzed the apps manually based on ConsiDroidâ Ȃ Źs reports by using Robolectric.

show abstract

“…To understand the universality of port-opening Android apps, we made a statistical analysis to the apps downloaded from Google Play 4 and Wandoujia (a famous Android app store in China 5 ). The download time of the apps is from July 2016 to October 2016.…”

Section: Universality Of Port-opening Android Appsmentioning

confidence: 99%

“…A vulnerable and exported component can be visited by the other apps in the same device, which can lead to many types of vulnerabilities, e.g., capability leak [1,2], content provider leakage [3,4], privilege escalation [5,6], confused deputy [7], component hijacking [8,9], intent spoofing [10], etc. But these vulnerabilities can only be exploited locally (the vulnerable app and the malicious app must run in a same device).…”

Section: Related Workmentioning

confidence: 99%

When Android Apps Open Ports to Handle Network Requests: Functionality or Security Vulnerability?

Yue¹,

Zhang²

2017

IJSIA

View full text Add to dashboard Cite

show abstract

Content Provider Leakage Vulnerability Detection in Android Applications

Cited by 9 publications

References 20 publications

An Exploratory Study on the Occurrence of Self-Admitted Technical Debt in Android Apps

An Exploratory Study on the Occurrence of Self-Admitted Technical Debt in Android Apps

ConsiDroid: A Concolic-based Tool for Detecting SQL Injection Vulnerability in Android Apps

When Android Apps Open Ports to Handle Network Requests: Functionality or Security Vulnerability?

Contact Info

Product

Resources

About