Abstract
Static analysis is a traditional technique for software transformation and type analysis. Recently, static analysis has become a technique for identifying cyber security vulnerabilities and malware. Specifically, static analysis has been extended into the mobile-computing arena for security-related analyses. This research examines many top security papers published in major conferences, journals and technical reports, and characterizes the current state of static analysis research. The papers identified in this paper were selected based on their high citation counts by top researchers or because they introduced either a novel analysis technique or a novel security issue analysis. This research systematically constructs a static analysis landscape by charting and characterizing analysis strengths and limitations in both accuracy and security threats. The findings are reported online at www.technologyinthepark.com. This research has identified two types of static analysis motivations which affect the soundness of an analysis methodology: techniques for analyzing software for vulnerabilities and techniques used to examine applications for malware. Building on earlier research, for completeness and to aid the community by providing a coverage map, this research has connected the technique motivations found to Mitre's attack taxonomy, Mitre's vulnerability taxonomy and the National Institute of Standards and Technology's (NIST's) Bugs Framework (BF) taxonomy. The findings include identifying vulnerabilities which are not being systematically researched.
© 2020 Springer Nature Switzerland AG
Cite this paper
Schmeelk, S. (2020). Where Are We Looking for Security Concerns? Understanding Android Security Static Analysis. In: Arai, K., Bhatia, R., Kapoor, S. (eds) Proceedings of the Future Technologies Conference (FTC) 2019. FTC 2019. Advances in Intelligent Systems and Computing, vol 1070. Springer, Cham. https://doi.org/10.1007/978-3-030-32523-7_32
DOI: https://doi.org/10.1007/978-3-030-32523-7_32
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-32522-0
Online ISBN: 978-3-030-32523-7
eBook Packages: Intelligent Technologies and Robotics (R0)