Publication
App Threat Analysis: Combining static analysis with users’ feedback to accelerate app store response to mobile threats
| Abstract: | Today's smartphones are ubiquitous in people's lives, collecting and storing private and confidential data. At the same time, users are exposed to mobile apps with bad engineering practices and to malicious apps, both endangering the security of their data. This happens because app stores face considerable challenges, like the efficient analysis of the huge volume of apps received, the moving-target nature of the threats and the lack of accuracy of users' feedback. In this dissertation we present a study on the use of automated verification tools for applications at the app market level to improve the security of end users. This study led to a platform that combines static analysis tools for Android apps with users' feedback to determine the apps' threat level. We implemented this platform as a module and evaluated it in Aptoide, an Android app store, to support the quality assurance decisions on app inspection, which might lead to the removal of the app from the store. The assessment shows that for the 19% of the APKs ranked with the highest threat level, the proposed module only failed in 2%. This means that, in the context of an app store that receives thousands of apps per day, the module is able to inform with considerable certainty which apps need to be inspected by the quality assurance team with urgency, because they are likely a threat to consumers. Therefore, the proposed solution contributes to accelerating the app store's response to mobile threats and, consequently, to reducing their impact on app consumers. Although the module improves and strengthens the application verification process by uncovering problems that were not previously exposed, after we ran more tests we realised that the specification of these problems could be further adjusted. |
|---|---|
| Main authors: | Fernandes, Ana Patrícia Nunes |
| Subject: | android apps app store services mobile quality assurance software testing static analysis |
| Year: | 2018 |
| Country: | Portugal |
| Document type: | master's dissertation |
| Access type: | open access |
| Associated institution: | Universidade Nova de Lisboa |
| Language: | English |
| Source: | Repositório Institucional da UNL |