SCG News

Smelly APIs in Android ICC Analysis of source code and relevant metadata

Astrid Ytrehorn. Smelly APIs in Android ICC Analysis of source code and relevant metadata. Bachelor’s thesis, University of Bern, September 2018. Details.

Abstract

The Android ecosystem allows development of apps with relative ease through the extensive Android API. When developing the apps, security issues are often overlooked by the developers. This thesis is based on a previous work which identified 12 such Inter Component Communication (ICC) security smells that can lead to numerous security breaches in the system. A static code analysis tool based on Android Lint was developed to identify them. To further understand why some of these smells are so prominent, this thesis evaluated their appearances based on several aspects. First the influence of developers in the projects was examined. The association of developers to different apps was cross-referenced with the occurrence of smells per project and we found that for most smells the developers have a tendency to make the mistake over more than one project. We also examined how updates affect smells. The updates rarely brought a change in smells and if they did they tended to have a negative impact. We performed a manual analysis of 100 apps with the most smells. The lint-based tool was found to have a good and correct detection rate. In the next study we examined if the smells that went unreported by the tool were correctly labeled as such and the reason for not them not being detected. In most cases this was due to the relevant Android API not being used. Finally, we did a study on the location of smells in the code base. We expanded the existing linting tool to include more metadata and analyzed all the apps once more. The different smell categories tended to have a varying degree of displacement of individual smells in the code base. The average number of distinct locations grew in the order of Java package, containing class and surrounding method for most of the smells. This thesis aims to help spread awareness abut ICC security smells and thereby fundamentally reduce the attack surface in Android.

Posted by scg at 4 September 2018, 4:15 pm comment link

Software Testing in Industry — Assessing Unit Testing in an Industrial Software Project

Markus Eggimann. Software Testing in Industry — Assessing Unit Testing in an Industrial Software Project. Bachelor’s thesis, University of Bern, September 2018. Details.

Abstract

Automated testing is an important technique to ensure the quality of a software system, and there is a general consensus in industry that testing is a critical part of the development process. However, recent studies suggest that unit testing is not that widely practiced. In this thesis, we studied an industrial software project called EPOF with respect to testing. We tried to answer the question whether the discovery of bugs pushes the writing of tests, whether unit tests help to prevent bugs, and whether the system’s architecture facilitates or impedes unit testing. To answer those questions, we studied the bug reports and associated bug fix reports of the project. Our results showed that the test coverage was rather low, and most bugs were fixed without adding or changing any tests, most bugs were detected by manual testers or customers and not by the existing tests and that the testability of the code is low in most parts of the system. In 2017, the development team decided to give unit testing higher priority. Our results show that this decision, together with other development process improvements, indeed had a positive effect on the bug rate and the testability of the system.

Posted by scg at 2 September 2018, 4:15 pm comment link

Modular Exceptions — A system for handling exceptions in a modular way

Patrick Indermühle. Modular Exceptions — A system for handling exceptions in a modular way. Bachelor’s thesis, University of Bern, September 2018. Details.

Abstract

Exception handling is an integral part of programming. However, it is often not written in a way that makes it easily reusable. We have found exception handling code to often be copy pasted across multiple catch blocks instead of being made into a method. We also found that there are certain patterns across different methods when it comes to exception handling. That is why reusable exception handling would be a helpful feature for software development. By creating Modular Exceptions we offer a solution that enables programmers to easily apply and reuse exception handling to multiple methods. We achieved this by analyzing the knowledge gathered in previous research about exception handling and performing our own research of exception handling in Smalltalk. We then studied different implementation approaches such as dynamically rewriting the source code and method wrappers until we found the optimal approach. Our final product is written in Java and uses AspectJ in order to dynamically insert try-catch blocks into methods and to add exception handling into already existing catch blocks. These handler blocks are compatible with many methods and classes, and the user only has to write a few lines of code to get a specific method covered.

Posted by scg at 2 September 2018, 4:15 pm comment link

Smelly APIs in Android ICC Analysis of source code and relevant metadata

Astrid Ytrehorn. Smelly APIs in Android ICC Analysis of source code and relevant metadata. Bachelor’s thesis, University of Bern, September 2018. Details.

Abstract

The Android ecosystem allows development of apps with relative ease through the extensive Android API. When developing the apps, security issues are often overlooked by the developers. This thesis is based on a previous work which identified 12 such Inter Component Communication (ICC) security smells that can lead to numerous security breaches in the system. A static code analysis tool based on Android Lint was developed to identify them. To further understand why some of these smells are so prominent, this thesis evaluated their appearances based on several aspects. First the influence of developers in the projects was examined. The association of developers to different apps was cross-referenced with the occurrence of smells per project and we found that for most smells the developers have a tendency to make the mistake over more than one project. We also examined how updates affect smells. The updates rarely brought a change in smells and if they did they tended to have a negative impact. We performed a manual analysis of 100 apps with the most smells. The lint-based tool was found to have a good and correct detection rate. In the next study we examined if the smells that went unreported by the tool were correctly labeled as such and the reason for not them not being detected. In most cases this was due to the relevant Android API not being used. Finally, we did a study on the location of smells in the code base. We expanded the existing linting tool to include more metadata and analyzed all the apps once more. The different smell categories tended to have a varying degree of displacement of individual smells in the code base. The average number of distinct locations grew in the order of Java package, containing class and surrounding method for most of the smells. This thesis aims to help spread awareness abut ICC security smells and thereby fundamentally reduce the attack surface in Android.

Posted by scg at 2 September 2018, 4:15 pm comment link

Benchmarking Android Data Leak Detection Tools

Timo Spring. Benchmarking Android Data Leak Detection Tools. Bachelor’s thesis, University of Bern, August 2018. Details.

Abstract

In 2017, Android hit a global mobile market share of 88% which makes it the most popular mobile platform. Application stores, such as the Google Play Store, are offering millions of mobile applications to consumers, which are installed and updated on a daily basis. However, the security of those applications is a major concern. A thorough security analysis before the publication of each application is time and resource consuming. Hence, platform providers cannot and do not manually vet every application handed in for publication. Consequently, many malicious and vulnerable applications find their way to the app stores and through there to the end users’ devices. Those applications exhibit serious security issues, such as leaking of sensitive information. During the previous years, researchers proposed a myriad of techniques and tools to detect such issues. There also exist large scale taxonomies classifying such tools into different categories. However, it is unclear how these tools perform compared to each other. Such a comparison is almost infeasible, since most tools are no longer available or cannot be set up any more. In this work, we review static analysis tools for detecting data leaks in Android applications. Out of 87 tools in the vulnerability detection domain, we are able to obtain 22 tools. We then identify 5 tools in the data leak detection domain and run them. We run them on a given data set with known data leak vulnerabilities and compare their performance. Furthermore, we run the tools on a larger set of real-world applications to assess the prevalence of data leak issues in open-source Android applications. We propose our own approach — DistillDroid — to compare security analysis tools by normalising their interfaces. This simplifies result reproduction and extension to other security vulnerability domains. In addition, the user experience and usability is highly improved.

Posted by scg at 17 August 2018, 11:15 am comment link
<< 1 2 3 4 5 6 7 8 9 10 >>
Last changed by admin on 21 April 2009