SO{U}RCERER: Developer-Driven Security Testing Framework for Android Apps
Muhammad Sajidur Rahman, Blas Kojusner, Ryon Kennedy, Prerit Pathak, Lin Qi, Byron Williams

TL;DR
SO{U}RCERER is a developer-centric framework that guides Android app developers in identifying, prioritizing, and mitigating security vulnerabilities effectively without requiring extensive security expertise or resources.
Contribution
It introduces a practical, developer-driven security testing framework tailored for Android apps that improves vulnerability prioritization and mitigation without heavy resource demands.
Findings
Reduces security warnings by 24-61% compared to static analysis alone.
Provides actionable vulnerability lists focused on critical assets.
Demonstrates viability for small to medium app development teams.
Abstract
Frequently advised secure development recommendations often fall short in practice for app developers. Tool-driven approaches (e.g., using static analysis tools) lack the context and domain-specific requirements of the app being tested. App developers struggle to find an actionable and prioritized list of vulnerabilities within the laundry list of security warnings reported by static analysis tools. Process-driven approaches (e.g., applying threat modeling methods) require substantial resources (e.g., a security testing team, budget) and security expertise, which small to medium-scale app development teams can barely afford. To help app developers secure their apps, we propose SO{U}RCERER, a guiding framework for Android app developers for security testing. SO{U}RCERER guides developers to identify domain-specific assets of an app, detect and prioritize vulnerabilities, and mitigate those…
