Vulnerability Detection on Android Apps&#x2013;Inspired by Case Study on Vulnerability Related With Web Functions

Jiawei Qin; Hua Zhang; Jing Guo; Senmiao Wang; Qiaoyan Wen; Yijie Shi

doi:10.1109/ACCESS.2020.2998043

IEEE Access (Jan 2020)

Vulnerability Detection on Android Apps–Inspired by Case Study on Vulnerability Related With Web Functions

Jiawei Qin,
Hua Zhang,
Jing Guo,
Senmiao Wang,
Qiaoyan Wen,
Yijie Shi

Affiliations

Jiawei Qin: State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing, China
Hua Zhang: ORCiD; State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing, China
Jing Guo: National Computer Network Emergency Response Technical Team/Coordination Center of China, Beijing, China
Senmiao Wang: State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing, China
Qiaoyan Wen: ORCiD; State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing, China
Yijie Shi: State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing, China

DOI: https://doi.org/10.1109/ACCESS.2020.2998043
Journal volume & issue: Vol. 8
pp. 106437 – 106451

Abstract

Read online

Nowadays, people's lifestyle is more and more dependent on mobile applications (Apps), such as shopping, financial management and surfing the internet. However, developers mainly focus on the implementation of Apps and the improvement of user experience while ignoring security issues. In this paper, we perform the comprehensive study on vulnerabilities caused by misuse of APIs and form a methodology for this type of vulnerability analysis. We investigate the security of three types of Android Apps including finance, shopping and browser which are closely related to human life. And we analyze four vulnerabilities including Improper certificate validation(CWE-295:ICV), WebView bypass certificate validation vulnerability(CVE-2014-5531:WBCVV), WebView remote code execution vulnerability(CVE-2014-1939:WRCEV) and Alibaba Cloud OSS credential disclosure vulnerability(CNVD-2017-09774:ACOCDV). In order to verify the effectiveness of our analysis method in large-scale Apps on the Internet, we propose a novel scalable tool - VulArcher, which is based on heuristic method and used to discover if the above vulnerabilities exist in Apps. We download a total of 6114 of the above three types of samples in App stores, and we use VulArcher to perform the above vulnerability detection for each App. We perform manual verification by randomly selecting 100 samples of each vulnerability. We find that the accuracy rate for ACOCDV can reach 100%, the accuracy rate for WBCVV can reach 95%, and the accuracy rate for the other two vulnerabilities can reach 87%. And one of vulnerabilities detected by VulArcher has been included in China National Vulnerability Database (CNVD) ID(CNVD-2017-23282). Experiments show that our tool is feasible and effective. For the convenience of researchers in related communities, We make our data and tool available at https://buptnsrclab.github.io/blog/2020/01/03/vularcher-site-launched.

Published in IEEE Access

ISSN: 2169-3536 (Online)
Publisher: IEEE
Country of publisher: United States
LCC subjects: Technology: Electrical engineering. Electronics. Nuclear engineering
Website: https://ieeexplore.ieee.org/xpl/RecentIssue.jsp?punumber=6287639

About the journal

Abstract

Keywords