SCG News

Benchmarking Android Data Leak Detection Tools

Timo Spring. Benchmarking Android Data Leak Detection Tools. Bachelor’s thesis, University of Bern, August 2018.


In 2017, Android hit a global mobile market share of 88%, which makes it the most popular mobile platform. Application stores, such as the Google Play Store, offer millions of mobile applications to consumers, which are installed and updated on a daily basis. However, the security of those applications is a major concern. A thorough security analysis before the publication of each application is time and resource consuming. Hence, platform providers cannot and do not manually vet every application handed in for publication. Consequently, many malicious and vulnerable applications find their way to the app stores and through there to the end users’ devices. Those applications exhibit serious security issues, such as leaking of sensitive information. During the previous years, researchers proposed a myriad of techniques and tools to detect such issues. There also exist large scale taxonomies classifying such tools into different categories. However, it is unclear how these tools perform compared to each other. Such a comparison is almost infeasible, since most tools are no longer available or cannot be set up any more. In this work, we review static analysis tools for detecting data leaks in Android applications. Out of 87 tools in the vulnerability detection domain, we are able to obtain 22 tools. We then identify 5 tools in the data leak detection domain and run them. We run them on a given data set with known data leak vulnerabilities and compare their performance. Furthermore, we run the tools on a larger set of real-world applications to assess the prevalence of data leak issues in open-source Android applications. We propose our own approach — DistillDroid — to compare security analysis tools by normalising their interfaces. This simplifies result reproduction and extension to other security vulnerability domains. In addition, the user experience and usability are highly improved.

Posted by scg at 17 August 2018, 11:15 am

Overcoming Issues of 3D Software Visualization through Immersive Augmented Reality

Leonel Merino, Alexandre Bergel, and Oscar Nierstrasz. Overcoming Issues of 3D Software Visualization through Immersive Augmented Reality. In VISSOFT’18: Proceedings of the 6th IEEE Working Conference on Software Visualization, IEEE, 2018.


Several usability issues (i.e., navigation, occlusion, selection, and text readability) affect the few 3D visualizations proposed to support developers on software engineering tasks. We observe that most 3D software visualizations are displayed on a standard computer screen, and hypothesize that displaying them in immersive augmented reality can help to (i) overcome usability issues of 3D visualizations, and (ii) increase their effectiveness to support software concerns. We investigate our hypothesis via a controlled experiment. In it, nine participants use 3D city visualizations displayed on a Microsoft HoloLens device to complete a set of software comprehension tasks. We further investigate our conjectures through an observational user study, in which the same participants of the experiment use a space-time cube visualization to analyze program executions. We collect data to (1) quantitatively analyze the effectiveness of visualizations in terms of user performance (i.e., completion time, correctness, and recollection), and user experience (i.e., difficulty, and emotions); and (2) qualitatively analyze how immersive augmented reality helps to overcome the limitations of 3D visualizations. We found that immersive augmented reality facilitates navigation and reduces occlusion, while performance is adequate, and developers obtain an outstanding experience. Selection and text readability still remain open issues.

Posted by scg at 18 July 2018, 4:15 pm

Idea: Benchmarking Android Data Leak Detection Tools

Claudio Corrodi, Timo Spring, Mohammad Ghafari, and Oscar Nierstrasz. Idea: Benchmarking Android Data Leak Detection Tools. In Mathias Payer, Awais Rashid, and Jose M. Such (Eds.), Engineering Secure Software and Systems, pp. 116–123, Springer International Publishing, Cham, 2018.


Virtual application stores for mobile platforms contain many malign and benign applications that exhibit security issues, such as the leaking of sensitive data. In recent years, researchers have proposed a myriad of techniques and tools to detect such issues automatically. However, it is unclear how these approaches perform compared to each other. The tools are often no longer available, thus comparing different approaches is almost infeasible.

Posted by scg at 1 July 2018, 2:15 pm

Security in Android ICC

Patrick Frischknecht. Security in Android ICC. Bachelor’s thesis, University of Bern, June 2018.


Android Inter-Component Communication (ICC) is complex, largely unconstrained, and hard for developers to understand. As a consequence, ICC is a common source of security vulnerability in Android apps. To promote secure programming practices, we have reviewed related research, and identified avoidable ICC vulnerabilities in Android-run devices and the security code smells that indicate their presence. We explain the vulnerabilities and their corresponding smells, and we discuss how they can be eliminated or mitigated during development. We present a lightweight static analysis tool on top of Android Lint that analyzes the code under development and provides just-in-time feedback within the integrated development environment (IDE) about the presence of such security smells in the code. Moreover, with the help of this tool we study the prevalence of security code smells in more than 700 open-source apps, and manually inspect around 15% of these apps to assess the extent to which identifying such smells uncovers ICC security vulnerabilities.

Posted by scg at 25 June 2018, 12:15 pm

A Systematic Literature Review of Software Visualization Evaluation

Leonel Merino, Mohammad Ghafari, Craig Anslow, and Oscar Nierstrasz. A Systematic Literature Review of Software Visualization Evaluation. Journal of Systems and Software, 144, pp. 165–180, October 2018.


Context: Software visualizations can help developers to analyze multiple aspects of complex software systems, but their effectiveness is often uncertain due to the lack of evaluation guidelines.

Objective: We identify common problems in the evaluation of software visualizations with the goal of formulating guidelines to improve future evaluations.

Method: We review the complete literature body of 387 full papers published in the SOFTVIS/VISSOFT conferences, and study 181 of those from which we could extract evaluation strategies, data collection methods, and other aspects of the evaluation.

Results: Of the proposed software visualization approaches, 62% lack a strong evaluation. We argue that an effective software visualization should not only boost time and correctness but also recollection, usability, engagement, and other emotions.

Conclusion: We call on researchers proposing new software visualizations to provide evidence of their effectiveness by conducting thorough (i) case studies for approaches that must be studied in situ, and, when variables can be controlled, (ii) experiments with randomly selected participants of the target audience and real-world open source software systems to promote reproducibility and replicability. We present guidelines to increase the evidence of the effectiveness of software visualization approaches, thus improving their adoption rate.

Posted by scg at 21 June 2018, 2:15 pm
Last changed by admin on 21 April 2009