Image references: http://www.mmatechs.com/solutions.html and http://www.gartner.com/newsroom/id/2867917 (Gartner, a leading IT research and advisory company). Motivation figure: Google Play store, 2.7 million apps.
Total bad coding practices: The total count of bad coding practices detected by SonarQube. SonarQube uses a set of rules to identify bad coding practices through patterns matched statically in the code. The total count includes the following four types of bad coding practice (SonarQube severity levels):
Blocker practices: SonarQube categorizes a bad coding practice as blocker if it corresponds to an issue that might make the whole application unstable in production, such as not closing a socket or explicitly calling the garbage collector.
Critical practices: SonarQube categorizes a bad coding practice as critical if it corresponds to an issue that might lead to unexpected behavior, e.g. a NullPointerException, without jeopardizing the integrity of the whole application.
Major practices: SonarQube categorizes a bad coding practice as major if it corresponds to an issue that might lead to extra rework. In SonarQube, extra rework refers to work that is not directly related to the programming task itself, for example working with overly complex methods or untangling package cycles.
Minor practices: SonarQube categorizes a bad coding practice as minor if it corresponds to an issue with at most a small impact on productivity, i.e. little or no extra rework.
Duplicated blocks: The count of duplicated blocks. A portion of a Java source file is considered a duplicated block if it contains at least 10 successive duplicated statements, regardless of the number of tokens and lines.
Duplicated lines: The total count of physical lines involved in duplication. As a hypothetical example, if SonarQube detects 3 duplicated blocks in two Java source files of an Android application, each block spanning 20 lines, then the duplicated lines for that application will be 60.
Duplicated files: The count of Java source files in which at least one duplicated block is detected.
Class complexity: The average McCabe complexity per class in the Android application.
Comment lines: The count of lines that include one or more comments, excluding comments that consist only of special symbols such as @, #, and $.
Complexity: Also known as McCabe's complexity or cyclomatic complexity; it counts how many times the control flow of a function splits, i.e. each decision point (if, loop, case, catch, boolean operator, ternary) adds one path.
Density of comment lines: (comment lines / (lines of code + comment lines)) * 100
Directories: The number of directories or folders in the application.
Files: The number of Java source files in the application.
File complexity: The average McCabe complexity per Java source file in the Android application.
Function complexity: The average McCabe complexity per method in the Android application.
Lines: The number of physical lines (number of carriage returns) in the application.
Lines of code: The number of physical lines that contain at least one character that is not whitespace, a tab, or part of a comment.
Methods: The number of Java methods in the application.
Number of classes: The number of classes in the application.
Percentage of comments: (comment lines / (lines of code + comment lines)) * 100, i.e. the same quantity as density of comment lines.
Percentage of duplicated lines: (duplicated lines / lines) * 100
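The definitions above can be exercised on a small piece of Java. The following script is an added example, not the paper's tooling and not SonarQube itself: it approximates lines, lines of code, comment lines (skipping symbol-only comments such as " * @"), density of comment lines, and per-method cyclomatic complexity on a constructed Java source embedded in the script. The Java snippet, the regular expressions and the function names are assumptions made for this illustration; string literals are blanked before counting so that a "?" or "//" inside a string is not miscounted.

```python
# Added example (not the paper's tooling and not SonarQube): a small approximation of
# the size, comment and complexity metrics defined above, run on constructed Java source.
import re

# Constructed sample, not from any app in the dataset: a javadoc block whose second
# line is symbol-only, one line comment, and two methods with branch points.
JAVA_SRC = """\
/**
 * Reads a config value.
 * @
 */
public class Config {
    // helper flag
    public int parsePort(String s) {
        if (s == null || s.isEmpty()) {
            return -1;
        }
        int p = Integer.parseInt(s.trim());
        for (int i = 0; i < 3; i++) {
            if (p > 65535) {
                p = 65535;
            }
        }
        return p;
    }

    public String mode(boolean strict) {
        return strict ? "strict" : "lenient";
    }
}
"""

STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')  # string literals, blanked before counting
# Branch points; simplification: '?' also matches the generics wildcard in List<?>
DECISION_RE = re.compile(r"\b(?:if|for|while|case|catch)\b|&&|\|\||\?")
# One-line method header: [modifiers] type name(params) [throws ...] {
METHOD_RE = re.compile(
    r"^\s*(?:(?:public|private|protected|static|final|synchronized)\s+)*"
    r"[\w<>\[\], ]+\s+(\w+)\s*\([^)]*\)\s*(?:throws [\w., ]+)?\s*\{")
SYMBOLS_ONLY = " \t*@#$"  # a comment made only of these characters is not a comment line


def split_line(line, in_block):
    """Split a physical line into (code text, comment text, in_block after the line)."""
    code, comment, i = [], [], 0
    while i < len(line):
        if in_block:
            end = line.find("*/", i)
            if end == -1:
                comment.append(line[i:])
                break
            comment.append(line[i:end])
            i, in_block = end + 2, False
        elif line.startswith("//", i):
            comment.append(line[i + 2:])
            break
        elif line.startswith("/*", i):
            i, in_block = i + 2, True
        else:
            code.append(line[i])
            i += 1
    return "".join(code), "".join(comment), in_block


def method_complexities(src):
    """Cyclomatic complexity per method: 1 + decision points in its body."""
    in_block, code_lines = False, []
    for raw in src.splitlines():
        code, _, in_block = split_line(raw, in_block)
        code_lines.append(STRING_RE.sub('""', code))
    result, current, depth, start_depth = {}, None, 0, 0
    for line in code_lines:
        m = METHOD_RE.match(line)
        if m and current is None:
            current, start_depth = m.group(1), depth
            result[current] = 1
        if current is not None:
            result[current] += len(DECISION_RE.findall(line))
        depth += line.count("{") - line.count("}")
        if current is not None and depth <= start_depth:
            current = None  # the method's closing brace was reached
    return result


def metrics(src):
    """Lines, lines of code, comment lines, density of comment lines, and complexity."""
    in_block, lines, loc, comment_lines = False, 0, 0, 0
    for raw in src.splitlines():
        lines += 1
        code, comment, in_block = split_line(raw, in_block)
        loc += bool(code.strip())  # has non-whitespace text outside comments
        comment_lines += bool(comment.strip(SYMBOLS_ONLY))  # comment with real text
    per_method = method_complexities(src)
    total_cc = sum(per_method.values())
    return {"lines": lines, "lines_of_code": loc, "comment_lines": comment_lines,
            "comment_density": round(100.0 * comment_lines / max(loc + comment_lines, 1), 1),
            "complexity": total_cc, "methods": len(per_method),
            "function_complexity": total_cc / max(len(per_method), 1)}


if __name__ == "__main__":
    print(metrics(JAVA_SRC), method_complexities(JAVA_SRC))
```

On the embedded sample the script reports 23 lines, 17 lines of code, 2 comment lines (the javadoc text line and the line comment; the " * @" line is excluded), a density of comment lines of 10.5%, and complexities 5 for parsePort (if, ||, for, if) and 2 for mode (the ternary). A line that carries code and a trailing comment counts under both lines of code and comment lines, which is consistent with the definitions above.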
r-SVM can be used to build a prediction model for predicting security and privacy risk that takes static code metrics as input. We observe an average precision of 0.83 considering five levels of security and privacy risk for r-SVM.
Predicting Android Application Security and Privacy Risk With Static Code Metrics
Akond Rahman*, Priysha Pradhan*, Asif Partho**, and
North Carolina State University*, Nested Apps**
• Mobile applications are susceptible to security and privacy risk
• Can we help app developers assess security and privacy risk?
The goal of this paper is to aid Android application developers in assessing the security and privacy risk associated with Android applications by using static code metrics as
• An evaluation of how static code metrics can be used to predict the security and privacy risk with the help of statistical learners
• RQ: How effectively can statistical learners be used to predict security and privacy risk using static code metrics?
Data collection: start from the dataset of Krutz et al., then check whether AndroRisk scores are available for each application.
• Dataset from Krutz et al. included 4,416 Android applications
• 1,407 applications included AndroRisk scores. AndroRisk is a tool that is part of AndroGuard
• Five risk levels: very low (VL), low (L), medium (M), high (H), very high (VH)
• Dataset from Krutz et al. included 21 code metrics
Metric categories (21 metrics):
Bad coding practice: Blocker practices, Critical practices, Major practices, Minor practices, Total bad coding practices
Duplication: Duplicated blocks, Duplicated files, Duplicated lines
Object-oriented: Class complexity, Comment lines, Complexity, Density of comment lines, Files, File complexity, Function complexity, Lines, Lines of code, Methods, Number of classes, Percentage of comments, Percentage of duplicated lines
Empirical Findings: Feature Selection
• One principal component explains 98.9% of the variance
• Top contributing static code metrics
  – lines of code
  – total bad coding practices
Empirical Findings: Prediction
[Figure, two panels: prediction results of the four statistical learners (CART, kNN, r-SVM, RF) across the five risk levels VL, L, M, H, VH]
Empirical Findings: RQ
– r-SVM can be used to build a prediction model for predicting security and privacy risk that takes static code metrics as input.
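As an added example that is not the authors' code and does not use the Krutz et al. data, the script below reproduces the two steps of the analysis (feature selection with one principal component, then per-level prediction) on a constructed dataset of 300 hypothetical apps. It finds the first principal component of the metric matrix by power iteration and reports its variance share and top-loading metrics, then predicts the five risk levels with a k-NN learner under leave-one-out evaluation and reports precision per level, the view the prediction figure gives. The metric names, the generator and the hidden rule that assigns the VL..VH labels are assumptions of this illustration, not AndroRisk scores, and k-NN stands in for the paper's four learners. It also carries a caveat a practitioner should check whenever one component explains nearly all of the variance: on raw, unscaled metrics PC1 is dominated by whichever metric has the largest magnitude (lines of code here), whereas on standardized metrics the share drops and the loadings spread out.

```python
# Added example (not the authors' code or data): PC1 by power iteration for feature
# selection, then k-NN prediction of the five risk levels, on a constructed dataset.
import math
import random

LEVELS = ["VL", "L", "M", "H", "VH"]
METRICS = ["lines_of_code", "total_bad_practices", "duplicated_lines",
           "comment_density", "function_complexity"]


def make_dataset(n=300, seed=7):
    """Constructed apps. The VL..VH label comes from a hidden rule on lines of code and
    bad practices plus noise (an assumption of this example, not an AndroRisk score)."""
    rng = random.Random(seed)
    rows, scores = [], []
    for _ in range(n):
        loc = rng.uniform(2000, 200000)
        bad = loc / 500 * rng.uniform(0.5, 1.5)      # grows with size
        dup = loc * rng.uniform(0.0, 0.2)            # grows with size
        density = rng.uniform(5, 40)                 # unrelated to risk
        complexity = rng.uniform(1.5, 6.0)           # unrelated to risk
        rows.append([loc, bad, dup, density, complexity])
        scores.append(math.log(loc) + 0.5 * math.log(bad) + rng.gauss(0, 0.15))
    labels = [None] * n                               # quintiles of the score -> VL..VH
    for rank, i in enumerate(sorted(range(n), key=scores.__getitem__)):
        labels[i] = LEVELS[rank * 5 // n]
    return rows, labels


def standardize(rows):
    """z-score every metric so that no metric dominates by magnitude alone."""
    cols = list(zip(*rows))
    means = [sum(c) / len(c) for c in cols]
    sds = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0 for c, m in zip(cols, means)]
    return [[(v - m) / s for v, m, s in zip(r, means, sds)] for r in rows]


def first_principal_component(rows, iters=500):
    """(share of total variance explained by PC1, PC1 loadings) via power iteration."""
    n, d = len(rows), len(rows[0])
    means = [sum(r[j] for r in rows) / n for j in range(d)]
    x = [[r[j] - means[j] for j in range(d)] for r in rows]
    cov = [[sum(r[i] * r[j] for r in x) / max(n - 1, 1) for j in range(d)] for i in range(d)]
    v = [1.0] * d
    for _ in range(iters):                            # v converges to the top eigenvector
        w = [sum(cov[i][j] * v[j] for j in range(d)) for i in range(d)]
        norm = math.sqrt(sum(t * t for t in w)) or 1.0
        v = [t / norm for t in w]
    eig = sum(v[i] * cov[i][j] * v[j] for i in range(d) for j in range(d))  # Rayleigh quotient
    return eig / sum(cov[i][i] for i in range(d)), v


def top_metrics(loadings, names, k=2):
    """Metric names ranked by absolute loading on PC1."""
    return [name for _, name in sorted(zip(map(abs, loadings), names), reverse=True)[:k]]


def knn_predict(train_x, train_y, x, k=5):
    """Majority vote of the k nearest training rows (squared Euclidean distance)."""
    nearest = sorted(zip((sum((a - b) ** 2 for a, b in zip(r, x)) for r in train_x), train_y))[:k]
    votes = {}
    for _, y in nearest:
        votes[y] = votes.get(y, 0) + 1
    return max(votes, key=lambda y: (votes[y], -LEVELS.index(y)))  # ties -> lower level


def precision_by_level(y_true, y_pred):
    """Precision per risk level, TP / (TP + FP); 0.0 if the level was never predicted."""
    out = {}
    for lvl in LEVELS:
        predicted = [t for t, p in zip(y_true, y_pred) if p == lvl]
        out[lvl] = predicted.count(lvl) / len(predicted) if predicted else 0.0
    return out


def run_experiment(k=5):
    rows, labels = make_dataset()
    raw_share, raw_load = first_principal_component(rows)
    z = standardize(rows)
    std_share, std_load = first_principal_component(z)
    preds = [knn_predict(z[:i] + z[i + 1:], labels[:i] + labels[i + 1:], z[i], k)
             for i in range(len(z))]                  # leave-one-out evaluation
    prec = precision_by_level(labels, preds)
    return {"raw_pc1_share": raw_share, "raw_top_metrics": top_metrics(raw_load, METRICS),
            "std_pc1_share": std_share, "std_top_metrics": top_metrics(std_load, METRICS),
            "precision": prec, "avg_precision": sum(prec.values()) / len(prec)}


if __name__ == "__main__":
    for key, val in run_experiment().items():
        print(key, val)
```

Running the script prints the PC1 variance share and top metrics for the raw and the standardized matrix, then the precision per risk level and the equal-weight average over the five levels. On the raw matrix the share is above 0.9 with lines_of_code as the top loading, because that metric's variance is orders of magnitude larger than the others'; on the standardized matrix it is far lower. Which of the two a study reports should therefore be stated alongside any "one component explains most of the variance" result.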
• Static code metrics: bad coding practice, lines
• IDE enhancement: extend existing Android-specific IDEs such as Android Studio, AIDE
• Use of static code metrics
• Selection of statistical learners
• With proper use of statistical learners, static code metrics can be useful to predict security and privacy risk for Android applications, even though they are not comprehensive predictors of that risk.