ISSN 1000-1239 CN 11-1777/TP

Journal of Computer Research and Development, 2019, Vol. 56, Issue (11): 2315-2329. doi: 10.7544/issn1000-1239.2019.20190348

Special Issue: 2019 Special Topic on Cryptography and Intelligent Security Research

TipTracer: Detecting Android Application Vulnerabilities Based on the Compliance with Security Guidance

Zhang Lei, Yang Zhemin, Li Mingqi, Yang Min   

  1. (Software School, Fudan University, Shanghai 201203)
  • Online: 2019-11-12

Abstract: Many security vulnerabilities are caused by the unsafe use of library programming interfaces. To protect applications from security attacks, library designers provide security tips to help developers use security-sensitive APIs correctly. However, developers often fail to follow security tips, which can introduce vulnerabilities into their programs. To evaluate the scale and impact of this problem, we conduct the first systematic, large-scale study of security tips and their violations in Android apps. Our study shows that existing security tips are less effective, due to their imprecise descriptions, misleading sample code, incorrect default settings, fragmentation (scattered across different sources), and lack of compliance checks. As a result, a significant portion of the Android apps we analyze are found to be vulnerable. To help app developers better follow security guidance, we propose TipTracer, a framework for verifying Android security tips automatically and efficiently. TipTracer contains a security property language that formally describes the constraints expressed in security tips and a static code analyzer that checks whether applications satisfy security tips. We demonstrate the effectiveness, efficiency and usability of TipTracer using a large set of real-world apps.

Key words: Android security tips, Android apps, security property language, static code analyzer, vulnerability detection
