Predicting Android Application Security and Privacy Risk With Static Code Metrics

by Akond Rahman, Priysha Pradhan, Asif Partho, Laurie Williams

  1. Predicting Android Application Security and Privacy Risk With Static Code Metrics. Akond Rahman*, Priysha Pradhan*, Asif Partho**, and Laurie Williams*. North Carolina State University*, Nested Apps**. Contact: aarahman@ncsu.edu
  2. Motivation
     • Mobile applications are susceptible to security and privacy risk
     • Can we help app developers assess security and privacy risk?
     http://www.cbsnews.com/news/mobile-phone-apps-malware-risks-how-to-prevent-hacking-breach/
     http://www.techrepublic.com/article/bad-news-android-devs-40-percent-of-apps-in-the-market-are-leaving-sensitive-backdoors-exposed/
  3. Research Objective
     The goal of this paper is to aid Android application developers in assessing the security and privacy risk associated with Android applications by using static code metrics as predictors.
  4. Our Contribution
     • An evaluation of how static code metrics can be used to predict the security and privacy risk with the help of statistical learners
  5. Research Question
     • RQ: How effectively can statistical learners be used to predict security and privacy risk using static code metrics?
  6. Methodology
     Dataset from Krutz et al. → Clustering → Check if AndroRisk scores are available → Feature selection, statistical learners, cross validation
  7. Dataset
     • Dataset from Krutz et al. included 4,416 Android applications
     • 1,407 applications included AndroRisk scores. AndroRisk is a tool that is part of the AndroGuard toolchain
     • Five risk levels: very low (VL), low (L), medium (M), high (H), very high (VH)
     http://blog.k3170makan.com/2014/11/automated-dex-decompilation-using.html
  8. Dataset
     • Dataset from Krutz et al. included 21 code metrics, in three categories:
     • Bad Coding Practice: Blocker practices, Critical practices, Major practices, Minor practices, Total bad coding practices
     • Duplication: Duplicated blocks, Duplicated files, Duplicated lines
     • Object-oriented: Class complexity, Comment lines, Complexity, Density of comment lines, Files, File complexity, Function complexity, Lines, Lines of code, Methods, Number of classes, Percentage of comments, Percentage of duplicated lines
     https://www.sonarqube.org/community/logos/
  9. Empirical Findings: Feature Selection
     • One principal component, 98.9% variance
     • Top contributing static code metrics
       – lines of code
       – complexity
       – total bad coding practices
  10. Empirical Findings: Prediction Performance (Precision)
     [Bar chart: precision (0 to 1) per risk level VL, L, M, H, VH for the learners CART, kNN, r-SVM and RF]
  11. Empirical Findings: Prediction Performance (Recall)
     [Bar chart: recall (0 to 1) per risk level VL, L, M, H, VH for the learners CART, kNN, r-SVM and RF]
  12. Empirical Findings: RQ
     • Summary
       – r-SVM can be used to build a prediction model for predicting security and privacy risk that takes static code metrics as input.
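The methodology and findings slides describe a pipeline of feature selection, a statistical learner and cross-validation, evaluated by per-risk-level precision and recall. The following Python is an added example that sketches that pipeline end to end; it is not the authors' code and does not use the Krutz et al. dataset. It uses only the standard library, so the learner is a kNN rather than the r-SVM the slides favour, the dataset is constructed so that risk grows with application size, and the three metric columns (lines of code, complexity, total bad coding practices, the top contributors named on slide 9) and the level boundaries are assumptions. Standardization and the first principal component are fit on each training fold only, so the test fold never leaks into feature selection.

```python
"""Added example: static code metrics -> first principal component -> kNN,
with k-fold cross-validation and per-risk-level precision/recall.
Standard library only; the data is constructed, not the Krutz et al. set."""
import math
import random
from collections import Counter

METRICS = ["lines_of_code", "complexity", "total_bad_coding_practices"]  # assumed columns
LEVELS = ["VL", "L", "M", "H", "VH"]


def make_dataset(n_per_level=20, seed=7):
    """Constructed rows of (metric vector, risk level). Risk is made to grow
    with application size so the learner has a signal to find (an assumption)."""
    rng = random.Random(seed)
    rows = []
    for i, level in enumerate(LEVELS):
        base = 2000 * (i + 1)
        for _ in range(n_per_level):
            loc = base + rng.randint(-1100, 1100)
            complexity = 0.18 * loc + rng.randint(-60, 60)
            bad_practices = 0.03 * loc + rng.randint(-20, 20)
            rows.append(([loc, complexity, bad_practices], level))
    rng.shuffle(rows)
    return rows


def zscore_params(x):
    """Per-column mean and standard deviation (sd floored to avoid division by 0)."""
    cols = list(zip(*x))
    means = [sum(c) / len(c) for c in cols]
    sds = [max(math.sqrt(sum((v - m) ** 2 for v in c) / len(c)), 1e-12)
           for c, m in zip(cols, means)]
    return means, sds


def standardize(x, means, sds):
    return [[(v - m) / s for v, m, s in zip(row, means, sds)] for row in x]


def first_principal_component(z, iters=200):
    """Dominant eigenvector of the covariance matrix via power iteration.
    Returns (unit loading vector, fraction of total variance it explains)."""
    n, d = len(z), len(z[0])
    cov = [[sum(r[i] * r[j] for r in z) / n for j in range(d)] for i in range(d)]
    v = [1.0] * d
    for _ in range(iters):
        w = [sum(cov[i][j] * v[j] for j in range(d)) for i in range(d)]
        norm = math.sqrt(sum(c * c for c in w))
        v = [c / norm for c in w]
    eigenvalue = sum(v[i] * sum(cov[i][j] * v[j] for j in range(d)) for i in range(d))
    total_variance = sum(cov[i][i] for i in range(d))
    return v, eigenvalue / total_variance


def project(z, loading):
    return [sum(a * b for a, b in zip(row, loading)) for row in z]


def knn_predict(train_scores, train_labels, score, k=5):
    """Majority vote among the k nearest training scores (1-D after projection)."""
    nearest = sorted(zip(train_scores, train_labels), key=lambda p: abs(p[0] - score))[:k]
    return Counter(label for _, label in nearest).most_common(1)[0][0]


def cross_validate(rows, folds=5, k=5):
    """k-fold CV. Returns (precision per level, recall per level, PC1 variance
    ratio per fold). Preprocessing is fit on the training fold only."""
    counts = {lvl: {"tp": 0, "fp": 0, "fn": 0} for lvl in LEVELS}
    ratios = []
    for f in range(folds):
        test = rows[f::folds]
        train = [r for i, r in enumerate(rows) if i % folds != f]
        means, sds = zscore_params([x for x, _ in train])
        ztrain = standardize([x for x, _ in train], means, sds)
        loading, ratio = first_principal_component(ztrain)
        ratios.append(ratio)
        train_scores = project(ztrain, loading)
        train_labels = [y for _, y in train]
        for x, y in test:
            score = project(standardize([x], means, sds), loading)[0]
            pred = knn_predict(train_scores, train_labels, score, k)
            if pred == y:
                counts[y]["tp"] += 1
            else:
                counts[pred]["fp"] += 1
                counts[y]["fn"] += 1
    precision = {l: c["tp"] / (c["tp"] + c["fp"]) if c["tp"] + c["fp"] else 0.0
                 for l, c in counts.items()}
    recall = {l: c["tp"] / (c["tp"] + c["fn"]) if c["tp"] + c["fn"] else 0.0
              for l, c in counts.items()}
    return precision, recall, ratios


if __name__ == "__main__":
    precision, recall, ratios = cross_validate(make_dataset())
    print(f"PC1 explains {min(ratios):.3f}-{max(ratios):.3f} of the variance per fold")
    for lvl in LEVELS:
        print(f"{lvl:>2}: precision={precision[lvl]:.2f} recall={recall[lvl]:.2f}")
```

Swapping `knn_predict` for another learner (the slides compare CART, kNN, r-SVM and RF) leaves the rest of the pipeline unchanged; the per-level precision and recall are what the two bar charts on slides 10 and 11 report.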
  13. Implications
     • Static code metrics: bad coding practice, lines of code
     • IDE enhancement: extend existing Android-specific IDEs such as Android Studio and AIDE
     https://www.cloudbees.com/jenkinsworld/home https://puppet.com/puppetconf https://git-merge.com/
  14. Limitations
     • Generalization
     • Use of static code metrics
     • Selection of statistical learners
  15. Conclusion
     • With proper use of statistical learners, static code metrics can be useful to predict security and privacy risk for Android applications, even though they are not comprehensive predictors of security and privacy risk.
