Blogs (1) >>
ASE 2019
Sun 10 - Fri 15 November 2019 San Diego, California, United States
Tue 12 Nov 2019 17:00 - 17:20 at Hillcrest - Security Chair(s): Julia Rubin

Increasing interest in securing the Android ecosystem has spawned numerous efforts to assist app developers in building secure apps. These efforts have resulted in tools and techniques capable of detecting vulnerabilities and malicious behaviors in apps. However, there has been no evaluation of the effectiveness of these tools and techniques in detecting known vulnerabilities. The absence of such evaluations puts app developers at a disadvantage when choosing security analysis tools to secure their apps.

In this regard, we evaluated the effectiveness of vulnerability detection tools for Android apps. We reviewed 64 tools and empirically evaluated 14 vulnerability detection tools against 42 known unique vulnerabilities captured by Ghera benchmarks, which are composed of both vulnerable and secure apps. Of the 20 observations from the evaluation, the main observation is existing vulnerability detection tools for Android apps are very limited in their ability to detect known vulnerabilities — all of the evaluated tools together could only detect 30 of the 42 known unique vulnerabilities.

More effort is required if security analysis tools are to help developers build secure apps. We hope the observations from this evaluation will help app developers choose appropriate security analysis tools and persuade tool developers and researchers to identify and address limitations in their tools and techniques. We also hope this evaluation will catalyze or spark a conversation in the software engineering and security communities to require a more rigorous and explicit evaluation of security analysis tools and techniques.

Tue 12 Nov

16:00 - 17:40: Papers - Security at Hillcrest
Chair(s): Julia RubinUniversity of British Columbia
ase-2019-papers16:00 - 16:20
Performance-Boosting Sparsification of the IFDS Algorithm with Applications to Taint AnalysisACM SIGSOFT Distinguished Paper Award
Dongjie HeUniversity of New South Wales; Institute of Computing Technology, CAS; University of Chinese Academy of Sciences, Haofeng LiInstitute of Computing Technology, CAS; University of Chinese Academy of Sciences, Lei WangInstitute of Computing Technology, Chinese Academy of Science, Haining MengInstitute of Computing Technology, CAS; University of Chinese Academy of Sciences, Hengjie ZhengInstitute of Computing Technology, CAS; University of Chinese Academy of Sciences, Jie LiuUniversity of New South Wales, Shuangwei Huvivo AI Lab, Lian LiInstitute of Computing Technology at Chinese Academy of Sciences, China, Jingling XueUNSW Sydney
ase-2019-papers16:20 - 16:40
Characterizing Android App Signing Issues
Haoyu WangBeijing University of Posts and Telecommunications, China, Hongxuan LiuPeking University, Xusheng XiaoCase Western Reserve University, Guozhu MengInstitute of Information Engineering, Chinese Academy of Sciences, Yao GuoPeking University
ase-2019-papers16:40 - 17:00
OAuthLint: An Empirical Study on OAuth Bugs in Android Applications
Tamjid Al RahatUniversity of Virginia, Yu FengUniversity of California, Santa Barbara, Yuan TianUniversity of Virginia
ase-2019-Journal-First-Presentations17:00 - 17:20
Are Free Android App Security Analysis Tools Effective in Detecting Known Vulnerabilities?
Venkatesh-Prasad RanganathKansas State University, Joydeep MitraKansas State University
Link to publication DOI Pre-print Media Attached
ase-2019-Demonstrations17:20 - 17:30
SWAN_ASSIST: Semi-Automated Detection of Code-Specific, Security-Relevant Methods
Goran PiskachevFraunhofer IEM, Lisa Nguyen Quang DoGoogle, Oshando JohnsonFraunhofer IEM, Eric BoddenHeinz Nixdorf Institut, Paderborn University and Fraunhofer IEM
Pre-print Media Attached File Attached
ase-2019-Demonstrations17:30 - 17:40
Sip4J: Statically Inferring Access Permission Contracts for Parallelising Sequential Java Programs
Ayesha SadiqMonash University, Li LiMonash University, Australia, Yuan-Fang LiMonash University, Ijaz AhmedUniversity of Lahore, Sea LingMonash University