To what extent can we analyze Kotlin programs using existing Java taint analysis tools? (Extended Version)

TL;DR

This paper explores how well existing Java taint analysis tools can be applied to Kotlin, identifying challenges and proposing solutions to adapt these tools for Kotlin's unique features.

Contribution

The study identifies 18 challenges in applying Java taint analysis to Kotlin and offers conceptual solutions, including implementing six solutions in SecuCheck-Kotlin.

Findings

Identified 18 engineering challenges in analyzing Kotlin with Java tools.

Provided conceptual solutions for 8 challenges.

Implemented 6 solutions in SecuCheck-Kotlin.

Abstract

As an alternative to Java, Kotlin has gained rapid popularity since its introduction and has become the default choice for developing Android apps. However, due to its interoperability with Java, Kotlin programs may contain almost the same security vulnerabilities as their Java counterparts. Hence, we question: to what extent can one use an existing Java static taint analysis on Kotlin code? In this paper, we investigate the challenges in implementing a taint analysis for Kotlin compared to Java. To answer this question, we performed an exploratory study where each Kotlin construct was examined and compared to its Java equivalent. We identified 18 engineering challenges that static-analysis writers need to handle differently due to Kotlin's unique constructs or the differences in the generated bytecode between the Kotlin and Java compilers. For eight of them, we provide a conceptual solution, while six of those we implemented as part of SecuCheck-Kotlin, an extension to the existing Java taint analysis SecuCheck.