TL;DR
Ghera is an open-source repository providing a comprehensive set of Android app vulnerability benchmarks, aiding in the evaluation of detection techniques and developer education.
Contribution
The paper introduces Ghera, a curated collection of 25 Android vulnerabilities with benchmark pairs, filling a gap in available testing resources.
Findings
Ghera includes 25 known Android vulnerabilities with benchmark pairs.
The repository helps evaluate vulnerability detection tools.
It highlights key characteristics for effective vulnerability benchmarks.
Abstract
Security of mobile apps affects the security of their users. This has fueled the development of techniques to automatically detect vulnerabilities in mobile apps and help developers secure their apps; specifically, in the context of the Android platform due to the openness and ubiquitousness of the platform. Despite a slew of research efforts in this space, there is no comprehensive repository of up-to-date and lean benchmarks that contain most of the known Android app vulnerabilities and, consequently, can be used to rigorously evaluate both existing and new vulnerability detection techniques and help developers learn about Android app vulnerabilities. In this paper, we describe Ghera, an open source repository of benchmarks that capture 25 known vulnerabilities in Android apps (as pairs of exploited/benign and exploiting/malicious apps). We also present desirable characteristics of…
