International Journal On Advances in Security, volume 16, numbers 1 and 2, 2023


A Survey on Secure Android Apps Development Life-Cycle: Vulnerabilities and Tools

Authors:
Mohammed-El-Amin Tebib
Mariem Graa
Pascal André
Oum-El-Kheir Aktouf

Keywords: Android; Software development; DevSec; Secure Coding; Classification Framework; Security IDE Plugins.

Abstract:
Mobile devices are increasingly used in our daily lives. To fulfill the needs of smartphone users, the development of mobile applications has been growing at a high rate. As developers are not necessarily aware of security concerns, most of these applications do not address security aspects appropriately and usually contain vulnerabilities. Therefore, it is essential to incorporate security into the app development life-cycle. To help development teams address security issues, several security integrated development environment (IDE) plugins have been proposed. In this paper, we aim to review the effectiveness of existing IDE plugins in detecting known Android vulnerabilities. We developed a classification framework that highlights the salient features of 16 selected IDE plugins, including: (1) the analysis-based approach, (2) the vulnerability check coverage, and (3) the development stage at which these tools could be employed. We conducted an in-depth analysis in which each tool's effectiveness is investigated against 19 vulnerabilities. Each vulnerability has been demonstrated by executing a corresponding attack scenario on the recent version 12 of Android. The study results provide an overview of the current state of secure Android application development and highlight limitations and weaknesses. Limitations such as tool unavailability, benchmark incompleteness, and the need to adopt dynamic analysis approaches are among the main findings of this study. The paper synthesizes valuable information for future research on IDE plugins for detecting Android-related vulnerabilities.

Pages: 54 to 71

Copyright: Copyright (c) to authors, 2023. Used with permission.

Publication date: June 30, 2023

Published in: journal

ISSN: 1942-2636