Smelly APIs in Android ICC Analysis of source code and relevant metadata

Astrid Ytrehorn. Smelly APIs in Android ICC Analysis of source code and relevant metadata. Bachelor’s thesis, University of Bern, September 2018. Details.


The Android ecosystem allows development of apps with relative ease through the extensive Android API. When developing the apps, security issues are often overlooked by the developers. This thesis is based on a previous work which identified 12 such Inter Component Communication (ICC) security smells that can lead to numerous security breaches in the system. A static code analysis tool based on Android Lint was developed to identify them. To further understand why some of these smells are so prominent, this thesis evaluated their appearances based on several aspects. First the influence of developers in the projects was examined. The association of developers to different apps was cross-referenced with the occurrence of smells per project and we found that for most smells the developers have a tendency to make the mistake over more than one project. We also examined how updates affect smells. The updates rarely brought a change in smells and if they did they tended to have a negative impact. We performed a manual analysis of 100 apps with the most smells. The lint-based tool was found to have a good and correct detection rate. In the next study we examined if the smells that went unreported by the tool were correctly labeled as such and the reason for not them not being detected. In most cases this was due to the relevant Android API not being used. Finally, we did a study on the location of smells in the code base. We expanded the existing linting tool to include more metadata and analyzed all the apps once more. The different smell categories tended to have a varying degree of displacement of individual smells in the code base. The average number of distinct locations grew in the order of Java package, containing class and surrounding method for most of the smells. This thesis aims to help spread awareness abut ICC security smells and thereby fundamentally reduce the attack surface in Android.

Posted by scg at 4 September 2018, 4:15 pm link
Last changed by admin on 21 April 2009