A Preliminary Conceptualization and Analysis on Automated Static Analysis Tools for Vulnerability Detection in Android Apps
1. A Preliminary Conceptualization and Analysis on Automated Static Analysis Tools for Vulnerability Detection in Android Apps
Giammaria Giordano, Fabio Palomba, Filomena Ferrucci
University of Salerno (Italy)
Software Engineering (SeSa) Lab
Department of Computer Science
giagiordano@unisa.it
GiammariaGiord1
https://broke31.github.io/giammaria-giordano/
2. Number of Mobile Devices Worldwide from 2020 to 2025 (in billions)
Source: https://www.statista.com/statistics/245501/multiple-mobile-device-ownership-worldwide/
[Bar chart; the extracted data labels are listed here paired with the years in ascending order, since the extraction gives the values without their years]
2020: 14,2
2021: 14,91
2022: 15,96
2023: 16,8
2024: 17,72
2025: 18,22
3. (same chart) 80% of mobile devices are Android devices
4. (same chart) Current World Population: 8 billion
6. Despite the vast number of proposed tools, we noticed a lack of empirical evaluation of the real capability of these static analysis tools to detect vulnerabilities
7. Research Questions
RQ1 - What are the vulnerability types identified by existing automated static analysis tools for mobile apps?
RQ2 - What are the capabilities of existing automated static analysis tools in terms of mobile app analyzability, frequency of detection, and complementarity among them?
8. How did we address the RQs?
For the first RQ, we manually extracted a taxonomy of risks
9. For the second RQ, we analyzed the tools from a qualitative point of view by analyzing the frequencies of risk detection and the complementarity among them
16. Security-Related Concerns (taxonomy figure, reconstructed as a list from the slide)
High-level categories: Insecure Manifest, External Resources, Improper Access Control, Code Tampering, Code Obfuscation, Insecure Data, Insufficient Cryptography, Other, Privacy, Permission, Insecure Communication
Groupings recoverable from the highlighted slides that follow:
Insecure Communication: Insecure Mixed Content mode; Detected Possible IPV4 Address; SSL Security; Server-Side Request Forgery; Insecure TLS; Lack of pinning; Use of clear text HTTP
Insecure Manifest: Manipulable Activity; Manifest ContentProvider Exported; Debuggable; Manipulable Backups
External Resources: WebView; Detected Format String; Detected Library; Detected possible FQDN; Detected path component; Detected URL
Improper Access Control: Remove Android Device Lock by Rogue app; KeyStore
Remaining low-level types shown in the figure (their parent category is not recoverable from the extracted text): Privacy Concern; Clear Text Storage of sensitive information; Expose sensitive information to Unauthorized actors; Sensitive Information; Base64 String Encryption; Cryptography Constants Detection; Cipher Might Be Operating In ECB Mode; Detected Obfuscator; Lack of Obfuscation; Hardcode Certificates; Detected Logging; External storage; Accessing Database; Manifest Dangerous Protection Level of Permission; Manifest Critical Permission; Unnecessary Permission; App Sandbox Permission; Insecure File Permission; Open Permission; Strandhogg; Bypass permission; Command
The figure also carries the labels AUTHENTICATION and ACCESS.
17. (same figure) Insecure Communication group highlighted
18. (same figure) Insecure Manifest group highlighted
19. (same figure) External Resources group highlighted
20. (same figure) Improper Access Control group highlighted
21. (same figure) Results indicate that these tools can be used to support developers with the identification of 11 high-level vulnerability categories and 41 low-level ones
22. (same figure) Most of the vulnerabilities found refer to Insecure Communication, Insecure Manifest, External Resources and Privacy
23. Key findings of RQ1 - Vulnerabilities Identified by Tools
OWASP Mobile Top-10 2016 category: tools that detect it
Improper Platform Usage: AndroBugs, Trueseeing
Insecure Data Storage: AndroBugs, Trueseeing
Insecure Communication: AndroBugs, Insider, Trueseeing
Insufficient Authentication: AndroBugs, Trueseeing
Insufficient Cryptography: Trueseeing
Insecure Authorization: none
Client Code Quality: none
Code Tampering: Trueseeing
Reverse Engineering: none
Extraneous Functionality: none
24. (same table, with the OWASP Mobile Top-10 2016 label added)
25. (same table) We found that these tools only partially cover the top-10 risks by OWASP
27. RQ2: What are the capabilities of existing automated static analysis tools in terms of mobile app analyzability, frequency of detection, and complementarity among them?
[Bar chart: Number of failures per tool (AndroBugs, Trueseeing, Insider); axis from 0 to 1700]
28. (same chart) AndroBugs and Insider fail in 20% of the cases, while Trueseeing fails in 25% of the cases
29. (same chart) We found that these tools typically fail due to misconfiguration and wrong dependency usage
30. AndroBugs
[Bar chart: Frequency of Detection per vulnerability type: WebView, SSL Security, Sensitive Information, External Storage, StrandHogg, Implicit Intent, Command, KeyStore, Hacker, Remove Android Device Lock; axis from 0 to 16.000]
31. WebView
Developers load an external web page, and a malicious user could inject malicious components into that web page using JavaScript
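As an added example, not code from the deck or from the tools it studies, the WebView set-up a defender would want for the scenario above: the weak configuration the tools flag, beside a hardened one with JavaScript off unless needed, file and content access off, mixed content refused, and navigation limited to an HTTPS allowlist. The HardenedWebView class, the allowlisted hosts and the isAllowed/loadIfAllowed helpers are assumptions.

```java
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public final class HardenedWebView {
    // Assumed allowlist: the only hosts this WebView may navigate to, HTTPS only.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("example.com", "www.example.com"));

    private HardenedWebView() {}

    // Weak set-up of the kind the tools report: scripts on, everything reachable.
    public static void weakConfigure(WebView webView, String untrustedUrl) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(true);                                   // injected script runs
        s.setAllowFileAccess(true);                                     // file:// reachable from the page
        s.setMixedContentMode(WebSettings.MIXED_CONTENT_ALWAYS_ALLOW);  // http subresources inside https
        webView.loadUrl(untrustedUrl);                                  // no origin restriction
    }

    // Hardened set-up: least privilege for the page plus an explicit origin allowlist.
    public static void configure(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(false);        // turn on only if the page really needs it
        s.setAllowFileAccess(false);          // web content cannot read file://
        s.setAllowContentAccess(false);       // web content cannot read content://
        s.setGeolocationEnabled(false);
        s.setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW);   // refuse http subresources
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Returning true cancels the navigation; only allowlisted HTTPS origins pass.
                return !isAllowed(request.getUrl());
            }
        });
    }

    // True only for https:// URLs whose host is on the allowlist.
    public static boolean isAllowed(Uri uri) {
        if (uri == null || uri.getHost() == null) return false;
        return "https".equalsIgnoreCase(uri.getScheme())
                && ALLOWED_HOSTS.contains(uri.getHost().toLowerCase());
    }

    // Initial load goes through the same check as later navigations.
    public static boolean loadIfAllowed(WebView webView, String url) {
        Uri uri = Uri.parse(url);
        if (!isAllowed(uri)) return false;
        webView.loadUrl(uri.toString());
        return true;
    }
}
```

shouldOverrideUrlLoading is not invoked for POST navigations, so the page's own Content-Security-Policy still matters; if JavaScript must be enabled, do not expose app objects through addJavascriptInterface to content from any non-allowlisted origin.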
32. (AndroBugs chart, as on slide 30) In almost 50% of the cases, the tools identified ‘Web View’ and ‘SSL Security’ vulnerabilities: these pertain to the ‘External Resources’ and ‘Insecure Communication’ categories of the taxonomy
33. Trueseeing
[Bar chart: Frequency of Detection per vulnerability type: Detect Logging, Detect URL, Detect Possible FQDN, Detect Library, Detect Format String, Cryptographic Constants, Detect Path Component, Open Permission, Detect Possible IPV4 Address, Manipulable Broadcast Receiver; axis from 0 to 600.000]
34. Detect Logging file
if (verifyUsername(username) && verifyPassword(password)) {
    loginOK();
    // Both log calls below write credentials to the log file: this is the pattern the tools flag
    logger.log(Level.INFO, "Username: " + username);
    logger.log(Level.INFO, "Password: " + password);
}
Developers could accidentally write sensitive information to a log file, and an attacker could identify this information and use it to attempt an attack
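As an added example, not code from the deck, the snippet above rewritten so that a 'Detect Logging' rule has nothing to find: the log records the outcome and a masked user id, and the password is never formatted into a message. The LoginAudit class, the verifyUsername/verifyPassword stand-ins and the maskUser helper are assumptions.

```java
import java.util.logging.Level;
import java.util.logging.Logger;

public final class LoginAudit {
    private static final Logger logger = Logger.getLogger(LoginAudit.class.getName());

    private LoginAudit() {}

    // Assumed stand-ins for the deck's verifyUsername/verifyPassword checks.
    static boolean verifyUsername(String username) {
        return username != null && username.matches("[a-z0-9_]{3,32}");
    }

    static boolean verifyPassword(String password) {
        return password != null && password.length() >= 12;
    }

    // Keep just enough of the identifier to correlate events, never the whole value.
    static String maskUser(String username) {
        if (username == null || username.length() < 3) return "***";
        return username.substring(0, 2) + "***";
    }

    // Same decision as the original snippet; only the logging changed.
    static boolean login(String username, String password) {
        boolean ok = verifyUsername(username) && verifyPassword(password);
        // Outcome plus masked id: no credential ever reaches the log file.
        logger.log(Level.INFO, "Login {0} for user {1}",
                new Object[] { ok ? "succeeded" : "failed", maskUser(username) });
        return ok;
    }

    public static void main(String[] args) {
        // Constructed sample call; prints nothing sensitive to the log.
        System.out.println(login("alice_01", "correct-horse-battery") ? "ok" : "denied");
    }
}
```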
35. (Trueseeing chart, as on slide 33) Almost 39% of the vulnerabilities found by the tools are connected to the use of logging files, which fall under the ‘Insecure Data’ category
36. Insider
[Bar chart: Frequency of Detection per vulnerability type: Exposed to sensitive information, Clear text of sensitive information; axis from 0 to 4.000]
37. Exposed to sensitive information
This vulnerability occurs when the developer does not use protection mechanisms appropriately when sharing or saving sensitive information
38. (Insider chart, as on slide 36) Almost 60% of the vulnerabilities found by the tools are connected to ‘Expose to sensitive information’, which falls under the ’Privacy’ category
39. Although, according to the official documentation, the tool can detect every vulnerability in the OWASP Top 10, we observed a partial mismatch between the documentation and the vulnerabilities actually detected
42. Key findings of RQ2 - Frequency
Different tools can detect different security-related concerns with different frequencies
43. There are vulnerabilities almost never detected by these tools (e.g., Improper Access Control)
44. A deeper analysis of the actual support provided by these tools could be necessary
46. Key findings of RQ2 - Complementarity
AndroBugs and Trueseeing can cover different security-related problems, suggesting a sort of complementarity between them
47. Insider can detect only a subset of the vulnerabilities also detected by AndroBugs and Trueseeing
50. Summing up
Replication package (QR code on the slide)
The results obtained indicate that:
The selected tools can detect 11 high-level vulnerability categories and 41 low-level ones
51. The selected tools only partially cover the top-10 risks by OWASP
52. Practitioners should combine multiple tools to identify as many vulnerabilities as possible
53. Future Works
54. Manual evaluation of the accuracy of the selected static analysis tools
55. Expand the study by including other tools (e.g., machine learning tools)
56. Expand the dataset to include paid applications
59. Selected tools
We selected tools based on four criteria:
Open-source and available on GitHub
Take an apk file as input
Perform a static analysis of the source code
Can be run using the command line
A large number of stars on GitHub
60. Detection of tools
AndroBugs: 52 categories, including Permission Issues, Exposure of Sensitive Information, and Insecure Communications
Trueseeing: 7 types of security issues: Improper Platform Usage, Insecure Data, Insecure Communications, Insufficient Cryptography, Client Code Quality Issues, Code Tampering, and Reverse Engineering
Insider: the tool covers the OWASP Top 10 vulnerabilities and supports multiple programming languages such as Java, Kotlin, Swift, .NET and others
61. APK Selection
Only apps available on the Google Play Store
Only apps with a minimum of 1000 installations
Only apps with an application size larger than 1 MB
62. Risk vs vulnerability
A vulnerability is a weakness in your hardware or software. It is a gap through which a bad actor can gain access to your assets. In other words, threats exploit vulnerabilities.
A risk is a potential threat that can in some cases be exploited and become a vulnerability