AndroScanner: Automated Backend Vulnerability Detection for Android Applications
Harini Dandu

TL;DR
AndroScanner is an automated tool that combines static and dynamic analysis to detect backend vulnerabilities in Android apps, successfully identifying a zero-day security flaw in a real-world application.
Contribution
It introduces a novel pipeline integrating multiple analysis techniques to identify API security issues in Android app backends, including previously unreported vulnerabilities.
Findings
Detected 5 vulnerabilities in two Android apps, including a zero-day flaw.
Successfully extracted 24 APIs from the applications.
Identified a zero-day Excessive Data Exposure vulnerability.
Abstract
Mobile applications rely on complex backends that introduce significant security risks, yet developers often lack the tools to assess these risks effectively. This paper presents AndroScanner, an automated pipeline for detecting vulnerabilities in Android application backends through combined static and dynamic analysis. AndroScanner extracts backend API calls from APK files using apktool, Androguard, and Frida-based dynamic instrumentation, then vets them against the OWASP API Security Top 10 using APIFuzzer. We evaluate AndroScanner on two Android applications: a purposely vulnerable bank application and a production recruitment application with over 50,000 downloads on Google Play Store. Across both applications, AndroScanner extracted 24 APIs and identified 5 vulnerabilities, including a previously unreported zero-day Excessive Data Exposure vulnerability (ranked 3rd in the OWASP…
