Vulnerability detection in recent Android apps: An empirical study

Author(s): Faysal Hossain Shezan, Syeda Farzia Afroze & Anindya Iqbal
Venue: 2017 International Conference on Networking, Systems and Security (NSysS)
Date: 5-8 Jan. 2017

Type of Experiment: Controlled Experiment
Sample Size: 29
Class/Experience Level: Professional
Participant Selection: Apps that are free to use and aimed at the general public of the country
Data Collection Method: Observation


The goal of the study is to determine the most common security vulnerabilities among Android applications using three security tools: AndroidBugs, SandDroid and Qark. The researchers used these tools to check a number of security areas, such as storage-access vulnerabilities, WebView weaknesses, the strength of the apps' encryption schemes, exposed APIs, access to user data through SMS messages, and Android debug mode being left enabled.

In nearly all cases, the tested applications showed some form of vulnerability. The most common were WebView vulnerabilities (13 apps) and advertisement and storage-access vulnerabilities (12 apps).

The authors also offer a variety of suggestions for improving an Android application's security. They advise that developers use WebView more securely by setting "setAllowFileAccess" to false and "setJavaScriptEnabled" to false. All important files, database backup files and user authentication information should be stored in internal storage rather than in external storage, because data stored in external storage can be read without ever going through the app. Finally, developers should turn Android debug mode off when releasing their app to the Android store.
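The WebView and storage advice above, as an added example (not code from the paper or its authors): the weak WebView configuration next to the hardened one, and an authentication token written to app-internal storage. The class name, method names and the "auth_token" file name are assumptions.

```java
import android.content.Context;
import android.webkit.WebSettings;
import android.webkit.WebView;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

public final class HardeningExample {

    // Weak configuration: file access and JavaScript both enabled, which the
    // paper flags as WebView vulnerabilities (local files become reachable
    // from web content loaded into the view).
    static void configureWebViewWeak(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(true);
        s.setAllowFileAccess(true);
    }

    // Hardened configuration following the paper's advice: disable file
    // access and JavaScript unless a feature genuinely requires them.
    static void configureWebViewHardened(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(false);
        s.setAllowFileAccess(false);
        // Assumption: the app does not load content:// URIs, so block them too.
        s.setAllowContentAccess(false);
    }

    // Store authentication data in app-internal storage (MODE_PRIVATE), which
    // only this app's UID can read, instead of external storage.
    static void saveAuthToken(Context ctx, String token) throws IOException {
        try (FileOutputStream out = ctx.openFileOutput("auth_token", Context.MODE_PRIVATE)) {
            out.write(token.getBytes(StandardCharsets.UTF_8));
        }
    }

    // Debug mode is a manifest setting, not a code call: for a release build
    // the <application> element must not carry android:debuggable="true".
}
```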