
A development methodology to help build secure mobile apps

by Joydeep Mitra
BTECH, West Bengal University of Technology, 2010

AN ABSTRACT OF A DISSERTATION
submitted in partial fulfillment of the requirements for the degree
DOCTOR OF PHILOSOPHY
Department of Computer Science
Carl R. Ice College of Engineering
KANSAS STATE UNIVERSITY
Manhattan, Kansas
2020

Approved by: Co-Major Professor Robby
Approved by: Co-Major Professor Venkatesh-Prasad Ranganath

Copyright © Joydeep Mitra 2020.

Abstract

Mobile apps provide various critical services, such as banking, communication, and healthcare. To this end, they have access to our personal information and have the ability to perform actions on our behalf. Hence, securing mobile apps is crucial to ensuring the privacy and safety of its users.

Recent research efforts have focused on developing solutions to help secure mobile ecosystems (i.e., app platforms, apps, and app stores), specifically in the context of detecting vulnerabilities in Android apps. Despite this attention, known vulnerabilities are often found in mobile apps, which can be exploited by malicious apps to cause harm to the user. Further, fixing vulnerabilities after developing an app has downsides in terms of time, resources, user inconvenience, and information loss. Consequently, there is scope to explore alternative approaches that will help developers construct secure mobile apps.

Since Android and the apps that run on it are most readily available and widely used, this dissertation investigates mobile app security and solutions to secure mobile apps in the context of Android apps in two ways: (1) systematically catalog vulnerabilities known to occur in Android apps in a benchmark suite with desirable characteristics called Ghera. Ghera facilitates the continuous and rigorous evaluation of Android app security analysis tools and techniques, and (2) extend existing mobile app design artifacts such as storyboards to enable a mobile app development methodology called SeMA.

SeMA considers security as a first-class citizen of an app's design and shows that many known vulnerabilities can be detected and eliminated while constructing an app's storyboard. A realization of SeMA using Android Studio tooling can prevent 49 of the 60 vulnerabilities known to occur in Android apps. A usability study with ten real-world developers using the methodology shows that the methodology is likely to help reduce development time and uncover vulnerabilities in an app's design.

Table of Contents

List of Figures
List of Tables
Acknowledgements
Dedication
Preface
1 Introduction
  1.1 Motivation
  1.2 Contributions
  1.3 Organization
2 Ghera: A Repository of Android App Vulnerability Benchmarks
  2.1 Motivation
  2.2 What is Ghera?
    2.2.1 Design Choices
    2.2.2 Structure and Content
    2.2.3 Workflow
  2.3 Desirable Characteristics of Vulnerability Benchmarks
    2.3.1 Context
    2.3.2 Vulnerability Benchmark Characteristics
    2.3.3 Vulnerability Benchmark Repository Characteristics
    2.3.4 Characteristics of Ghera
  2.4 Limitations and Threats to Validity
  2.5 Conclusion
3 Analyzing Android App Vulnerability Benchmark Suites
  3.1 Motivation
  3.2 Concepts and Subjects
    3.2.1 Measuring Representativeness
    3.2.2 Considered Benchmarks
    3.2.3 Real-world Apps
  3.3 Experiment
    3.3.1 Preparing the benchmarks
    3.3.2 API-based App Profiling
    3.3.3 Using Android app developer discussions in Stack Overflow to identify relevant and security-related APIs
    3.3.4 Calculating Representativeness
  3.4 RQ1: Representativeness
    3.4.1 Discussion
    3.4.2 What about Security-related APIs?
  3.5 RQ2: Comparison
    3.5.1 DroidBench vs Ghera
    3.5.2 DroidBench vs ICC-Bench
    3.5.3 DroidBench vs UBCBench
    3.5.4 Ghera vs ICC-Bench
    3.5.5 Ghera vs UBCBench
  3.6 Threats to Validity
  3.7 Evaluation Artifacts
  3.8 Related Work
  3.9 Conclusion
4 Analyzing Android App Vulnerability Detection Tools
  4.1 Motivation
  4.2 Evaluation Strategy
    4.2.1 Benchmark Selection
    4.2.2 Tool Selection
  4.3 Experiment
    4.3.1 Ensuring Fairness
  4.4 Observation and Open Questions
    4.4.1 Tools Selection
    4.4.2 Vulnerability Detection Tools
  4.5 Threats to Validity
  4.6 Evaluation Artifacts
  4.7 Related Work
  4.8 Conclusion
5 SeMA: A Development Methodology to Secure Android Apps
  5.1 Motivation
  5.2 Background
  5.3 The Methodology
    5.3.1 Extended Storyboard
    5.3.2 A Formal Specification of SeMA
    5.3.3 Security Properties
    5.3.4 Analysis
    5.3.5 Code Generation
  5.4 Canonical Examples
    5.4.1 Data Injection Example
    5.4.2 Data Leak Example
  5.5 Implementation
  5.6 Evaluation
    5.6.1 Effectiveness
    5.6.2 Usability
  5.7 Open Challenges
  5.8 Artifacts
  5.9 Conclusion
6 Summary and Future Directions
  6.1 Future Directions
Bibliography
A Catalog of Benchmarks
  A.1 Crypto ..