SOURCERER: Developer-Driven Security Testing Framework for Android Apps
Frequently advised secure development recommendations often fall short in practice for app developers. Tool-driven (e.g., using static analysis tools) approaches lack context and domain-specific requirements of an app being tested. App developers struggle to find an actionable and prioritized list of vulnerabilities from a laundry list of security warnings reported by static analysis tools. Process-driven (e.g., applying threat modeling methods) approaches require substantial resources (e.g., security testing team, budget) and security expertise, which small to medium-scale app dev teams could barely afford. To help app developers securing their apps, we propose SOURCERER, a guiding framework for Android app developers for security testing. SOURCERER guides developers to identify domain-specific assets of an app, detect and prioritize vulnerabilities, and mitigate those vulnerabilities based on secure development guidelines. We evaluated SOURCERER with a case study on analyzing and testing 36 Android mobile money apps. We found that by following activities guided by SOURCERER, an app developer could get a concise and actionable list of vulnerabilities (24-61 a standalone static analyzer), directly affecting a mobile money app's critical assets, and devise a mitigation plan. Our findings from this preliminary study indicate a viable approach to Android app security testing without being overwhelmingly complex for app developers.
READ FULL TEXT