A modular framework for mobile security analysis
Bergadano F. (first author); Boetti M.; Costamagna V.; Evangelisti M.
2020-01-01
Abstract
This paper presents an innovative framework for the analysis of mobile applications, with specific emphasis on partial automation. Our methodology combines static and dynamic analysis, which increases overall accuracy. We adopted the OWASP "Mobile Top 10" document as a guideline and as a source for vulnerability relevance and statistics. The work has led to a modular framework in which each module analyzes a specific vulnerability. The framework is multi-platform and supports analyses on both Android and iOS devices. It also offers a graphical interface in which the results of the analysis are reported. The modules implemented so far focus on Android applications, on the areas of data storage and network communication, and on the Android manifest. With this framework we analyzed about 105 apps collected from the Google Play Store across a number of domains; in particular, we considered apps that collect and manage sensitive data, such as payment and banking data. The experimental results show that the framework is effective and accurate, and the set of discovered vulnerabilities suggests that security awareness must be raised not only among developers but also among users.
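As an added illustration of the kind of single-vulnerability module the abstract describes (this is not the paper's framework code), the Python below parses an AndroidManifest.xml and flags manifest and network-communication weaknesses that map onto OWASP Mobile Top 10 categories: a debuggable build, backup-exposed private storage, cleartext HTTP, and components exported without a permission guard. Both manifests, the package name com.example.payapp and every component name are constructed for the example; the hardened manifest is the same app with the settings corrected.

```python
"""Single-vulnerability manifest checker, in the style of one framework module.
Added illustration, not the paper's code. It parses an AndroidManifest.xml and
flags weak settings relevant to OWASP Mobile Top 10 categories (insecure data
storage, insecure communication, platform misuse via exported components)."""
import xml.etree.ElementTree as ET

# ElementTree stores "android:foo" attributes under the key "{namespace}foo".
A = "{http://schemas.android.com/apk/res/android}"

# Constructed weak manifest (hypothetical app, not a real one).
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.payapp">
    <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="26"/>
    <application android:debuggable="true" android:allowBackup="true"
        android:usesCleartextTraffic="true">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name=".TransferActivity" android:exported="true"/>
        <service android:name=".SyncService">
            <intent-filter><action android:name="com.example.payapp.SYNC"/></intent-filter>
        </service>
        <receiver android:name=".BootReceiver" android:exported="true"
            android:permission="com.example.payapp.permission.BOOT"/>
        <provider android:name=".CardProvider" android:authorities="com.example.payapp.cards"/>
    </application>
</manifest>"""

# The same hypothetical app with the settings corrected (also constructed).
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.payapp">
    <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="33"/>
    <application android:debuggable="false" android:allowBackup="false"
        android:usesCleartextTraffic="false">
        <activity android:name=".MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <service android:name=".SyncService" android:exported="false"/>
    </application>
</manifest>"""


def _flag(value, default):
    """Interpret an android boolean attribute, applying the platform default when absent."""
    return default if value is None else value.strip().lower() == "true"


def _is_launcher(component):
    """True for the MAIN/LAUNCHER activity, which is legitimately exported."""
    for f in component.findall("intent-filter"):
        actions = {a.get(A + "name") for a in f.findall("action")}
        categories = {c.get(A + "name") for c in f.findall("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in categories:
            return True
    return False


def check_manifest(xml_text):
    """Return a list of (check_id, location, message) findings for one manifest."""
    root = ET.fromstring(xml_text)
    sdk = root.find("uses-sdk")
    target = int(sdk.get(A + "targetSdkVersion", sdk.get(A + "minSdkVersion", "1"))) if sdk is not None else 1
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    if _flag(app.get(A + "debuggable"), False):
        findings.append(("debuggable", "application", "debuggable build: any adb user can attach a debugger"))
    if _flag(app.get(A + "allowBackup"), True):  # platform default is true when the attribute is absent
        findings.append(("allowBackup", "application", "adb backup can copy app-private storage off the device"))
    # Cleartext HTTP is allowed by default below targetSdkVersion 28 and blocked from 28 on.
    if _flag(app.get(A + "usesCleartextTraffic"), target < 28):
        findings.append(("cleartextTraffic", "application", "plain HTTP permitted (targetSdkVersion %d)" % target))
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            if tag == "provider":
                default_exported = target < 17  # providers were exported by default before API 17
            else:
                default_exported = comp.find("intent-filter") is not None  # implicit export via intent-filter
            exported = _flag(comp.get(A + "exported"), default_exported)
            if exported and comp.get(A + "permission") is None and not _is_launcher(comp):
                findings.append(("exportedComponent", "%s %s" % (tag, comp.get(A + "name")),
                                 "reachable by any app on the device, no permission guard"))
    return findings


def finding_ids(xml_text):
    """Distinct check ids that fired, sorted, for a quick summary."""
    return sorted({f[0] for f in check_manifest(xml_text)})


if __name__ == "__main__":
    for label, text in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label, finding_ids(text))
        for check_id, where, msg in check_manifest(text):
            print("  [%s] %s: %s" % (check_id, where, msg))
```

The defaults matter as much as the explicit attributes: a component with an intent-filter and no android:exported attribute is exported implicitly (Android 12 and later reject such manifests at install time, which is why the hardened version states the attribute explicitly), and the cleartext default flipped at targetSdkVersion 28, so the same manifest can be safe or unsafe depending on the uses-sdk element. A static module like this is only half of the picture the abstract describes; whether the exported TransferActivity actually exposes a sensitive operation, or whether the app really talks plain HTTP, is what the dynamic side of the analysis would confirm.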
File | Size | Format
---|---|---
isjTFv4final.pdf (restricted access; description: pre-editorial version of the article; file type: PREPRINT (FIRST DRAFT)) | 1.18 MB | Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.