Skip to main content
SpringerLink
Log in

Where Are We Looking for Security Concerns? Understanding Android Security Static Analysis

  • Conference paper
  • First Online:
Proceedings of the Future Technologies Conference (FTC) 2019 (FTC 2019)

Part of the book series: Advances in Intelligent Systems and Computing ((AISC,volume 1070))

Included in the following conference series:

  • 1548 Accesses

Abstract

Static analysis is a traditional technique for software transformation and type analysis. Recently, static analysis has become a technique to identify cyber security vulnerabilities and malware. Specifically, static analysis has been extended into the mobile-computing arena for security-related analyses. This research examines many top security papers that are published in major conferences, journals and technical reports, and characterizes the current research characterize static analysis research. The papers identified in this paper were selected based their high citings by top research or because they introduced either a novel analysis technique or a novel security issue analysis. This research systematically constructs a static analysis landscape by charting and characterizing analysis strengths and limitations in both accuracy and security threats. The findings are reported online at www.technologyinthepark.com. This research has identified two types of static analysis motivations which affect the soundness of an analysis methodology: techniques for analyzing software for vulnerabilities and techniques used to examine applications for malware. Building on earlier research, for completeness and to aid the community by providing a coverage map, this research has connected technique motivations found to Mitre’s attack taxonomy, Mitre’s vulnerability taxonomy as well as the National Institute of Standards and Technology’s (NIST’s) Bugs Framework (BF) taxonomy. The findings include identifying vulnerabilities which are not being systematically researched.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 299.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 379.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Aho, A.V., Lam, M.S., Sethi, R., Ullman, J.D.: Compilers: Principles, Techniques, and Tools with Gradiance, 2nd edn. Addison-Wesley Publishing Company, USA (2007)

    Google Scholar 

  2. Androulaki, E., Bellovin, S.M.: A secure and privacy-preserving targeted ad-system. In: Proceedings of the 14th International Conference on Financial Cryptograpy and Data Security, FC 2010, pp. 123–135. Springer-Verlag, Heidelberg (2010)

    Google Scholar 

  3. Arzt, S., Rasthofer, S., Fritz, C., Bodden, E., Bartel, A., Klein, J., Le Traon, Y., Octeau, D., McDaniel, P.: Flowdroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. In: SIGPLAN Notices, vol. 49, issue 6 (2014)

    Google Scholar 

  4. Bellovin, S.M.: The puzzle of privacy. IEEE Secur. Priv. 6(5), 88–88 (2008)

    Article  Google Scholar 

  5. Bellovin, S.M.: Identity and security. IEEE Secur. Priv. 8(2), 88–88 (2010)

    Article  Google Scholar 

  6. Bellovin, S.M.: Thinking Security: Stopping Next Year’s Hackers. Addison-Wesley, Boston (2016)

    Google Scholar 

  7. Bessey, A., Block, K., Chelf, B., Chou, A., Fulton, B., Hallem, S., Henri-Gros, C., Kamsky, A., McPeak, S., Engler, D.: A few billion lines of code later: using static analysis to find bugs in the real world. Commun. ACM 53(2), 66–75 (2010)

    Article  Google Scholar 

  8. Bishop, M.: Introduction to Computer Security. Addison-Wesley Professional, Bishop (2004)

    Google Scholar 

  9. Bojanova, I., Black, P.E., Yesha, Y.: Cryptography classes in bugs framework (Bf): encryption bugs (ENC), verification bugs (VRF), and key management bugs (KMN). In: 2017 IEEE 28th Annual Software Technology Conference (STC), pp. 1–8, September 2017

    Google Scholar 

  10. Bojanova, I., Black, P.E., Yesha, Y., Wu, Y.: The bugs framework (BF): a structured approach to express bugs. In: 2016 IEEE International Conference on Software Quality, Reliability and Security (QRS), pp. 175–182, August 2016

    Google Scholar 

  11. Darpai. Darpa’s automated program analysis for cybersecurity (APAC). http://www.darpa.mil/program/automated-program-analysis-for-cybersecurity. Accessed 7 September 2015

  12. Daswani, N., Kern, C., Kesavan, A.: Foundations of Security: What Every Programmer Needs to Know. Apress, Berkely (2007)

    Google Scholar 

  13. Dubey, A., Misra, A.: Android Security: Attacks and Defenses. Auerbach Publications, Boca Raton (2013)

    Google Scholar 

  14. Elenkov, N.: Android Security Internals: An In-Depth Guide to Android’s Security Architecture. No Starch Press, San Francisco (2015)

    Google Scholar 

  15. Erturk, E.: A case study in open source software security and privacy: Android adware. In: 2012 World Congress on Internet Security (WorldCIS), June 2012

    Google Scholar 

  16. Felt, A.P., Finifter, M., Chin, E., Hanna, S., Wagner, D.: A survey of mobile malware in the wild. In: Proceedings of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, SPSM 2011, pp 3–14, New York, NY, USA. ACM (2011)

    Google Scholar 

  17. Google. Android security tips. https://developer.android.com/training/articles/security-tips.html. Accessed 3 July 2016

  18. L. Hewlett-Packard Development Company. HP fortify. http://www8.hp.com/us/en/software-solutions/application-security/index.html. Accessed 21 September 2015

  19. Jiang, X., Zhou, Y.: Android Malware. Springer Publishing Company, Incorporated (2013)

    Google Scholar 

  20. MITRE. Capec view: Mechanisms of attack. https://capec.mitre.org/data/definitions/1000.html. Accessed 10 October 2015

  21. Mitre. Common attack pattern enumeration and classification (capec\(^{TM}\)). http://capec.mitre.org/. Accessed 7 September 2015

  22. Mitre. Common weakness enumeration (CWE). https://cwe.mitre.org/. Accessed 7 September 2015

  23. NIST. National vulnerability database. https://nvd.nist.gov. Accessed 3 June 2016

  24. Reisinger, D: Android shipments in 2014 exceed 1 billion for first time. CNET, January 2015

    Google Scholar 

  25. I. Rogue Wave Software. Klocworkr. http://www.klocwork.com/. Accessed 21 September 2015

  26. Schmeelk, S.: Where are we looking? Understanding android static analysis techniques. In: 2019 IEEE International Conference on Services Computing, July 2019

    Google Scholar 

  27. Schmeelk, S., Yang, J., Aho, A.: Android malware static analysis techniques. In: Proceedings of the 10th Annual Cyber and Information Security Research Conference, CISR 2015, pp. 5:1–5:8, New York, NY, USA. ACM (2015)

    Google Scholar 

  28. Sufatrio, D., Tan, J.J., Chua, T.-W., Thing, V.L.L.: Securing android: a survey, taxonomy, and challenges. ACM Comput. Surv. 47(4), 581–5845 (2015)

    Article  Google Scholar 

  29. Verizon. Verizon mobile security index 2019 report. https://enterprise.verizon.com/resources/reports/msi-2019-report.pdf. Accessed 24 June 019

  30. Verizon. Verizon mobile security index 2019 report - executive summary. https://enterprise.verizon.com/content/dam/resources/reports/msi-2019-exec-summary.pdf. Accessed 24 June 2019

  31. Whitman, M.E., Mattord, H.J.: Roadmap to Information Security: For IT and Infosec Managers, 1st edn. Delmar Learning, Clifton Park (2011)

    Google Scholar 

  32. Zhou, Y., Jiang, X.: Dissecting android malware: characterization and evolution. In: Proceedings of the 2012 IEEE Symposium on Security and Privacy, SP 2012, pp. 95–109, Washington, DC, USA. IEEE Computer Society (2012)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. St. John’s University, Queens, NY, USA

    Suzanna Schmeelk

Authors
  1. Suzanna Schmeelk
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Suzanna Schmeelk .

Editor information

Editors and Affiliations

  1. Faculty of Science and Engineering, Saga University, Saga, Japan

    Kohei Arai

  2. The Science and Information (SAI) Organization, Bradford, West Yorkshire, UK

    Rahul Bhatia

  3. The Science and Information (SAI) Organization, Bradford, West Yorkshire, UK

    Supriya Kapoor

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Schmeelk, S. (2020). Where Are We Looking for Security Concerns? Understanding Android Security Static Analysis. In: Arai, K., Bhatia, R., Kapoor, S. (eds) Proceedings of the Future Technologies Conference (FTC) 2019. FTC 2019. Advances in Intelligent Systems and Computing, vol 1070. Springer, Cham. https://doi.org/10.1007/978-3-030-32523-7_32

Download citation

Publish with us

Policies and ethics

Search

Navigation