A Model for Android and iOS Applications Risk Calculation: CVSS Analysis and Enhancement Using Case-Control Studies
Milda Petraityte, Ali Dehghantanha, Gregory Epiphaniou

TL;DR
This paper proposes enhancements to the CVSS for Android and iOS app risk assessment, focusing on improving accuracy and emphasizing the role of time in vulnerability scoring.
Contribution
It introduces modifications to CVSS impact and exploitability calculations, validated through case-control studies on mobile applications.
Findings
Improved CVSS scoring accuracy for mobile apps
Highlighting the significance of time in risk assessment
Enhanced risk prioritization for threat analysts
Abstract
Various researchers have shown that the Common Vulnerability Scoring System (CVSS) has many drawbacks and may not provide a precise view of the risks related to software vulnerabilities. However, many threat intelligence platforms and industry-wide standards rely on the CVSS score to evaluate cybersecurity compliance. This paper suggests several improvements to the calculation of the Impact and Exploitability sub-scores within the CVSS, to improve its accuracy and help threat intelligence analysts focus on the key risks associated with their assets. We apply our suggested improvements to the risks associated with several Android and iOS applications and discuss the achieved improvements and advantages of our modelling, such as the importance and the impact of time on the overall CVSS score calculation.
