Evaluating State-of-the-Art Free and Open Source Static Analysis Tools Against Buffer Errors in Android Apps

摘要

Modern mobile apps incorporate rich and complex features, opening the doors for different security concerns. Android is the dominant platform in mobile app markets, and enhancing its apps security is a considerable area of research. Android malware (introduced intentionally by developers) has been well studied and many tools are available to detect them. However, little attention has been directed to address vulnerabilities caused unintentionally by developers in Android apps. Static analysis has been one way to detect such vulnerabilities in traditional desktop and server side desktop. Therefore, our research aims at assessing static analysis tools that could be used by Android developers. Our preliminary analysis revealed that Buffer Errors are the most frequent type of vulnerabilities that threaten Android apps. Also, we found that Buffer Errors in Android apps have the highest risk on Android that affects data integrity, confidentiality, and availability. Our main study therefore tested whether state-of-the-art static analysis tools could detect Buffer Errors in Android apps. We investigated 6 static analysis tools that are designed to detect Buffer Errors. The study shows that the free and open source state-of-the-art static analysis tools do not efficiently discover Buffer Error vulnerabilities in Android apps. We analyzed the tools carefully to see why they could not discover Buffer Errors and found that the lack of semantic analysis capabilities, inapplicability to Android apps, and the gap between native code and other contexts were some of the reasons. Thus, we concluded that there is a need to build better free and open source static analysis tools for detecting Buffer Errors in Android apps.