KotlinDetector: Towards Understanding the Implications of Using Kotlin in Android Applications
Fadi Mohsen, Loran Oosterhaven, Fatih Turkmen

TL;DR
This paper introduces KotlinDetector, a tool that detects Kotlin usage in Android APKs, enabling analysis of security and privacy implications of Kotlin adoption in mobile apps.
Contribution
The paper presents KotlinDetector, a novel heuristic-based tool for identifying Kotlin in Android apps and analyzing its security and privacy impacts.
Findings
KotlinDetector is efficient and accurate in detecting Kotlin presence.
Combining KotlinDetector with vulnerability scanners reveals security implications.
The study highlights the increasing use of Kotlin in Android applications.
Abstract
The Java programming language has long been used to develop native Android mobile applications. In the last few years, many companies and freelancers have switched to using Kotlin partially or entirely. As such, many projects are released as binaries and employ a mix of Java and Kotlin language constructs. Yet, the true security and privacy implications of this shift have not been thoroughly studied. In this work, a state-of-the-art tool, KotlinDetector, is developed to directly extract any Kotlin presence, percentages, and numerous language features from Android Application Packages (APKs) by performing heuristic pattern scanning and invocation tracing. Our evaluation study shows that the tool is considerably efficient and accurate. We further provide a use case in which the output of the KotlinDetector is combined with the output of an existing vulnerability scanner tool called AndroBugs…
