SOURCERER: Developer-Driven Security Testing Framework for Android Apps

11/02/2021
by   Muhammad Sajidur Rahman, et al.
0

Frequently advised secure development recommendations often fall short in practice for app developers. Tool-driven (e.g., using static analysis tools) approaches lack context and domain-specific requirements of an app being tested. App developers struggle to find an actionable and prioritized list of vulnerabilities from a laundry list of security warnings reported by static analysis tools. Process-driven (e.g., applying threat modeling methods) approaches require substantial resources (e.g., security testing team, budget) and security expertise, which small to medium-scale app dev teams could barely afford. To help app developers securing their apps, we propose SOURCERER, a guiding framework for Android app developers for security testing. SOURCERER guides developers to identify domain-specific assets of an app, detect and prioritize vulnerabilities, and mitigate those vulnerabilities based on secure development guidelines. We evaluated SOURCERER with a case study on analyzing and testing 36 Android mobile money apps. We found that by following activities guided by SOURCERER, an app developer could get a concise and actionable list of vulnerabilities (24-61 a standalone static analyzer), directly affecting a mobile money app's critical assets, and devise a mitigation plan. Our findings from this preliminary study indicate a viable approach to Android app security testing without being overwhelmingly complex for app developers.

READ FULL TEXT

Please sign up or login with your details

Forgot password? Click here to reset