This paper presents an innovative framework for the analysis of Mobile Applications, with specific emphasis on partial automation. Our methodology is based on a combination of static and dynamic analysis, allowing for increased overall accuracy. We adopted the OWASP “Mobile top 10” document as a guideline and a source for vulnerability relevance and statistics. The work has led to the development of a modular Framework, where each module aims at analyzing a specific vulnerability. The framework is multi-platform and allows to perform analyses on both Android and iOS devices. It also offers a graphical interface where the results of the analysis are reported. The implemented modules have focused, for the time being, on the analysis of Android applications, on the areas related to Data Storage and Network Communication, and on the Android Manifest. With the help of this framework, we have analyzed about 105 apps collected from the Google Play Store, for a number of different domains. In particular, we considered the apps that could collect and manage sensitive data, such as payment and banking data. The experimental results show that the framework is effective and accurate, and the set of discovered vulnerabilities suggest that it is necessary to increase security awareness not only for developers but also for users.

A modular framework for mobile security analysis

Bergadano F.
First
;
Boetti M.;Costamagna V.;Evangelisti M.
2020-01-01

Abstract

This paper presents an innovative framework for the analysis of Mobile Applications, with specific emphasis on partial automation. Our methodology is based on a combination of static and dynamic analysis, allowing for increased overall accuracy. We adopted the OWASP “Mobile top 10” document as a guideline and a source for vulnerability relevance and statistics. The work has led to the development of a modular Framework, where each module aims at analyzing a specific vulnerability. The framework is multi-platform and allows to perform analyses on both Android and iOS devices. It also offers a graphical interface where the results of the analysis are reported. The implemented modules have focused, for the time being, on the analysis of Android applications, on the areas related to Data Storage and Network Communication, and on the Android Manifest. With the help of this framework, we have analyzed about 105 apps collected from the Google Play Store, for a number of different domains. In particular, we considered the apps that could collect and manage sensitive data, such as payment and banking data. The experimental results show that the framework is effective and accurate, and the set of discovered vulnerabilities suggest that it is necessary to increase security awareness not only for developers but also for users.
2020
29
5
220
243
https://www.tandfonline.com/eprint/EZRTGJC7TYWSC8KU4JBU/full?target=10.1080/19393555.2020.1741743
Android security; dynamic analysis; mobile security; OWASP; static analysis
Bergadano F.; Boetti M.; Cogno F.; Costamagna V.; Leone M.; Evangelisti M.
File in questo prodotto:
File Dimensione Formato  
isjTFv4final.pdf

Accesso riservato

Descrizione: articolo versione pre editoriale
Tipo di file: PREPRINT (PRIMA BOZZA)
Dimensione 1.18 MB
Formato Adobe PDF
1.18 MB Adobe PDF   Visualizza/Apri   Richiedi una copia

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/2318/1740302
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 5
  • ???jsp.display-item.citation.isi??? 3
social impact